Generally agreed. This is why I nack'ed BIP72 years ago when we discussed about standardization.
However, there are many ways to use BIP70 without BIP72. BIP72 is just a kludge to biggy-pack the payment protocol onto BIP21. And also, as you note, BIP72 can be easily fixed using a hash parameter. On 09/29/2017 04:55 AM, Peter Todd via bitcoin-dev wrote: > On Thu, Sep 28, 2017 at 03:43:05PM +0300, Sjors Provoost via bitcoin-dev > wrote: >> Andreas Schildbach wrote: >>> This feels redundant to me; the payment protocol already has an >>> expiration time. >> >> The BIP-70 payment protocol has significant overhead and most importantly >> requires back and forth. Emailing a bitcoin address or printing it on an >> invoice is much easier, so I would expect people to keep doing that. > > The BIP-70 payment protocol used via BIP-72 URI's is insecure, as payment qr > codes don't cryptographically commit to the identity of the merchant, which > means a MITM attacker can redirect the payment if they can obtain a SSL cert > that the wallet accepts. > > For example, if I have a wallet on my phone and go to pay a > merchant, a BIP-72 URI will look like the following(1): > > > bitcoin:mq7se9wy2egettFxPbmn99cK8v5AFq55Lx?amount=0.11&r=https://merchant.com/pay.php?h%3D2a8628fc2fbe > > A wallet following the BIP-72 standard will "ignore the bitcoin > address/amount/label/message in the URI and instead fetch a PaymentRequest > message and then follow the payment protocol, as described in BIP 70." > > So my phone will make a second connection - likely on a second network with a > totally different set of MITM attackers - to https://merchant.com > > In short, while my browser may have gotten the correct URL with the correct > Bitcoin address, by using the payment protocol my wallet is discarding that > information and giving MITM attackers a second chance at redirecting my > payment > to them. That wallet is also likely using an off-the-shelf SSL library, with > nothing other than an infrequently updated set of root certificates to use to > verify the certificate; your browser has access to a whole host of better > technologies, such as HSTS pinning, certificate transparency, and frequently > updated root certificate lists with proper revocation (see Symantec). > > As an ad-hoc, unstandardized, extension Android Wallet for Bitcoin at least > supports a h= parameter with a hash commitment to what the payment request > should be, and will reject the MITM attacker if that hash doesn't match. But > that's not actually in the standard itself, and as far as I can tell has never > been made into a BIP. > > As-is BIP-72 is very dangerous and should be depreciated, with a new BIP made > to replace it. > > 1) As an aside, it's absolutely hilarious that this URL taken straight from > BIP-72 has the merchant using PHP, given its truly terrible track record > for > security. > > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > _______________________________________________ bitcoin-dev mailing list bitcoin-dev@lists.linuxfoundation.org https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev