Brian Erdelyi [ARCHIVE] on Nostr: Original date posted:2015-02-01 Original message:> BIP70 is quite safe ...
Original date posted:2015-02-01
Original message:
> BIP70 is quite safe against MitB. If user copies URL belonging to other
> merchant, he would see the fact after entering it into his wallet
> application. The only problem is, attacker can buy from the same
> merchant with user's money. (sending him different URL) This can be
> mitigated by merchant setting "memo" to the description of the basket
> and some user info (e.g. address to which goods are sent).
I think BIP 70 does a good job at verifying where the payment request came from. I'm not convinced this is the same as verifying the transaction (ideally OOB).
> But if whole computer is compromised, you're already screwed. Trezor
> should help, but I'm not sure if it supports BIP70.
The reason for OOB verification is if the entire computer is compromised. Again, this may only be possible with a trusted intermediary or a web wallet.
Brian Erdelyi