π
Original date posted:2015-02-01
π Original message:> BIP70 is quite safe agains MitB. If user copies URL belonging to other
> merchant, he would see the fact after entering it into his wallet
> application. The only problem is, attacker can buy from the same
> merchant with user's money. (sending him different URL) This can be
> mitigated by merchant setting "memo" to the description of the basket
> and some user info (e.g. address to which goods are sent).
I think BIP 70 does a good job at verifying where the payment request came from. Iβm not convinced this is the same as verifying the transaction (ideally OOB).
> But if whole computer is compromised, you're already screwed. Trezor
> should help, but I'm not sure if it supports BIP70.
The reason for OOB verification is if the entire computer is compromised. Again, this may only be possible with a trusted intermediary or a web wallet.
Brian Erdelyi
Brian Erdelyi [ARCHIVE] /
npub1taβ¦j25sq
2023-06-07 17:29:15
in reply to nevent1qβ¦ht9s
Author Public Key
npub1tatcq4sq4leywpxwgqd90eut5933h62lrrnzu28mx95w80s75hzspj25sqPublished at
2023-06-07 17:29:15Event JSON
{
"id": "26d6cc349dbf9ccf4c360ad631d06e409a394599e2f987a055c56fd2676290e1",
"pubkey": "5f57805600aff24704ce401a57e78ba1631be95f18e62e28fb3168e3be1ea5c5",
"created_at": 1686151755,
"kind": 1,
"tags": [
[
"e",
"541657d412739d9d2a5bc263564b0f2ef650e16ac828484a06cbef551e18c76c",
"",
"root"
],
[
"e",
"0ca8511b370e2d3b8fb464eb4f21699513ca3ba2c91263b2468d5c94664ebccf",
"",
"reply"
],
[
"p",
"f2c95df3766562e3b96b79a0254881c59e8639f23987846961cf55412a77f6f2"
]
],
"content": "π
Original date posted:2015-02-01\nπ Original message:\u003e BIP70 is quite safe agains MitB. If user copies URL belonging to other\n\u003e merchant, he would see the fact after entering it into his wallet\n\u003e application. The only problem is, attacker can buy from the same\n\u003e merchant with user's money. (sending him different URL) This can be\n\u003e mitigated by merchant setting \"memo\" to the description of the basket\n\u003e and some user info (e.g. address to which goods are sent).\n\nI think BIP 70 does a good job at verifying where the payment request came from. Iβm not convinced this is the same as verifying the transaction (ideally OOB).\n\n\u003e But if whole computer is compromised, you're already screwed. Trezor\n\u003e should help, but I'm not sure if it supports BIP70.\n\nThe reason for OOB verification is if the entire computer is compromised. Again, this may only be possible with a trusted intermediary or a web wallet.\n\nBrian Erdelyi",
"sig": "bb8a56c864189f3dd5908a696650bdf02745294d42bca9e95c459949b1a25a8263bb8872404ffc9320810ab2b64783ae4fa608befbb64c8051bd8c1976cfceab"
}