Mutual CHAP could work. This is commonly done in PPP and iSCSI. The idea is simply that both sides authenticate. The server expects the client to provide a password, and the client expects the server to provide a (different) password. If you masquerade as the server, you won't be able to authenticate because every client has a different password they expect from the server, so they won't do work for you. MITM on the server can capture the exchange but CHAP protects against replay.
https://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol -Laszlo On Aug 8, 2014, at 6:21 PM, Jeff Garzik <jgar...@bitpay.com> wrote: > gmaxwell noted on IRC that enabling TLS could be functionally, if not > literally, a DoS on the pool servers. Hence the thought towards a > more lightweight method that simply prevents client payout redirection > + server impersonation. > > > On Fri, Aug 8, 2014 at 5:53 AM, Mike Hearn <m...@plan99.net> wrote: >>> Certificate validation isn't needed unless the attacker can do a direct >>> MITM >>> at connection time, which is a lot harder to maintain than injecting a >>> client.reconnect. >> >> >> Surely the TCP connection will be reset once the route reconfiguration is >> completed, either by the MITM server or by the client TCP stack when it >> discovers the server doesn't know about the connection anymore? >> >> TLS without cert validation defeats the point, you can still be connected to >> a MITM at any point by anyone who can simply interrupt or corrupt the >> stream, forcing a reconnect. >> >> ------------------------------------------------------------------------------ >> Want fast and easy access to all the code in your enterprise? Index and >> search up to 200,000 lines of code with a free copy of Black Duck >> Code Sight - the same software that powers the world's largest code >> search on Ohloh, the Black Duck Open Hub! Try it now. >> http://p.sf.net/sfu/bds >> _______________________________________________ >> Bitcoin-development mailing list >> Bitcoin-development@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/bitcoin-development >> > > > > -- > Jeff Garzik > Bitcoin core developer and open source evangelist > BitPay, Inc. https://bitpay.com/ > > ------------------------------------------------------------------------------ > Want fast and easy access to all the code in your enterprise? Index and > search up to 200,000 lines of code with a free copy of Black Duck > Code Sight - the same software that powers the world's largest code > search on Ohloh, the Black Duck Open Hub! Try it now. > http://p.sf.net/sfu/bds > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development ------------------------------------------------------------------------------ Want fast and easy access to all the code in your enterprise? Index and search up to 200,000 lines of code with a free copy of Black Duck Code Sight - the same software that powers the world's largest code search on Ohloh, the Black Duck Open Hub! Try it now. http://p.sf.net/sfu/bds _______________________________________________ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development