sgminer-dev / sgminer

Scrypt GPU miner
GNU General Public License v3.0

Insufficient Transport Layer Security in Stratum Protocol #257

Open veox opened 10 years ago

veox commented 10 years ago

Reported by Mick Ayzenberg of DejaVu Security.

Impact:

An attacker can MITM a Stratum connection to intercept user credentials, modify a payout address, or redirect a miner to a separate pool.

Details:

The stratum protocol communicates over TCP/IP. This transportation method provides no form of authentication, integrity, or confidentiality. An attacker can position themselves in the middle of a Stratum communication and send spoofed requests to a miner.

An attacker can create a script that sits in the middle of this connection and sends malicious traffic. This script could automatically log user credentials in the “miner.authenticate” message, spoof “client.reconnect” messages and redirect miners to malicious pools, or swap out a user’s wallet address for an attacker controlled address when pools support this method of payouts.

Recommendation:

Stratum must run over TLS 1.2 by default. Valid pools must obtain certificates from a registered certificate authority.

luke-jr commented 10 years ago

FYI: BFGMiner does support and have code for this.
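
A client-side sketch of the recommendation in this issue, added here as an illustration; it is not code from sgminer, BFGMiner or the reporter. It builds a TLS context that requires TLS 1.2 or newer with CA and hostname verification, and flags `client.reconnect` messages that point away from the configured pool. The function names, the same-host-only reconnect policy, the `client.reconnect` parameter layout (`[host, port, wait]`) and the sample hosts are assumptions.

```python
import json
import socket
import ssl

# Constructed sample server messages (hosts are placeholders, not real pools).
SAMPLE_REDIRECT = '{"id": null, "method": "client.reconnect", "params": ["other.example.net", 3333, 0]}'
SAMPLE_SAME_POOL = '{"id": null, "method": "client.reconnect", "params": ["POOL.example.com", 3334, 0]}'
SAMPLE_NO_HOST = '{"id": null, "method": "client.reconnect", "params": []}'


def make_stratum_tls_context(cafile=None):
    """Client-side context: TLS 1.2 or newer, CA-verified chain, hostname check."""
    ctx = ssl.create_default_context(cafile=cafile)  # system CA store when cafile is None
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse SSLv3, TLS 1.0, TLS 1.1
    ctx.check_hostname = True                        # certificate must name the pool host
    ctx.verify_mode = ssl.CERT_REQUIRED              # no unauthenticated sessions
    return ctx


def open_stratum_tls(host, port, timeout=10.0):
    """Connect and complete the verified handshake before any Stratum data is sent."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return make_stratum_tls_context().wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()  # failed verification: never fall back to plaintext
        raise


def is_off_pool_reconnect(line, pool_host):
    """True when a server line is a client.reconnect naming a host other than pool_host."""
    try:
        msg = json.loads(line)
    except ValueError:
        return False  # not JSON, so not a reconnect; the normal parser rejects it
    if not isinstance(msg, dict) or msg.get("method") != "client.reconnect":
        return False
    params = msg.get("params")
    if params is None or params == []:
        return False  # no host given: reconnect to the pool already configured
    if not isinstance(params, list) or not isinstance(params[0], str):
        return True   # malformed redirect target: treat as off-pool
    target = params[0].rstrip(".").lower()
    return target != "" and target != pool_host.rstrip(".").lower()
```

The reconnect check is defence in depth: with the verified TLS session in place a spoofed message cannot be injected on the wire, and the check limits what a pool-side message can do to the miner's destination.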