What is Nostr?
Jeremy Spilman [ARCHIVE] /
npub10et…c727
2023-06-07 15:14:06
in reply to nevent1q…gn5x

Jeremy Spilman [ARCHIVE] on Nostr: 📅 Original date posted:2014-03-01 📝 Original message:We currently have subtle ...

📅 Original date posted:2014-03-01
📝 Original message:We currently have subtle positive feedback of a signed payment request in
the form of the green background. Unsigned requests simply show up without
the green background, as well as requests which provide a certificate but
have a missing or invalid signature.

There's a open bug (#3628) and pull request (#3684) to provide negative
feedback (yellow background) for a missing or invalid signature, but it
seems like there's some debate on whether bitcoind should do that...

If an attacker can avoid the negative feedback by just stripping the
signature and setting pki_type to none, then arguably there's no security
benefit by singling out badly signed payment requests from unsigned
payment requests.

So perhaps the root problem is that the positive feedback (green
background) is not strong enough to make its absence highly conspicuous to
the end user.

As an aside, how could we go about implementing the equivalent of HTTP
Strict Transport Security for payment protocol to prevent this trivial
signature stripping attack? Is this a possible extension field merchants
are interested in?
Author Public Key
npub10etkvm8l0jr0jsgdx02dxnhnu5g989dnca90guj5rklwkaplnh3sgjc727