Bastien TEINTURIER [ARCHIVE] on Nostr: 📅 Original date posted:2023-09-07 🗒️ Summary of this message: Runes/macaroons ...
📅 Original date posted:2023-09-07
🗒️ Summary of this message: Runes/macaroons don't protect against compromised machines. Validating RPCs manually is useful for payment-related operations, not for "read" RPCs.
📝 Original message:
Hi William,
> What is wrong with runes/macaroons for validating and authenticating
> commands?
Runes/macaroons don't provide any protection if the machine you are
issuing the RPCs from is compromised. The attacker can change the
parameters of your RPC call and your lightning node will still gladly
execute it.
> I can't imagine validating every RPC request with a hardware
> device and trusted display, unless you have some specific use case in
> mind.
I think that this is because you have the wrong idea of which RPCs
this is supposed to protect. This is useful for the RPCs that actually
involve paying something (channel open, channel close, pay invoice).
This isn't useful for "read" RPCs (listing channels).
Making an on-chain operation or paying an invoice is something that is
infrequent enough for the vast majority of nodes that it makes sense
to validate it manually. Also, this is fully configurable: you can
choose which RPCs you want to protect that way and which RPCs you want
to keep open.
Thanks,
Bastien
On Wed, Sep 6, 2023 at 17:42, William Casarin <jb55 at jb55.com> wrote:
>
> On Wed, Sep 06, 2023 at 03:32:50AM +0200, Bastien TEINTURIER wrote:
> >Hey Zman,
> >
> >I saw the announcement about the commando plugin, and it was actually
> >one of the reasons I wanted to write up what I had in mind, because
> >while commando also uses a lightning connection to send commands to a
> >lightning node, it was missing what in my opinion is the most important
> >part: having all of Bolt 8 handled by the HSM and validating commands
> >using a trusted display.
>
> What is wrong with runes/macaroons for validating and authenticating
> commands? I can't imagine validating every RPC request with a hardware
> device and trusted display, unless you have some specific use case in
> mind.
>
> Will
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/lightning-dev/attachments/20230907/eaf3421b/attachment.html>
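An added toy model of the two authorization layers discussed in this message (not code from the thread, from Core Lightning, or from the commando plugin): a simplified rune check that the node evaluates on whatever parameters the client sent, beside a trusted-display step that confirms the exact parameters out of band before a money-moving RPC runs. The RPC names, the rune format (reduced to a method allowlist) and the confirmation mechanism are simplified assumptions.

```python
import hashlib, json

# Constructed classification following the message: money-moving RPCs get
# manual validation, read RPCs stay open. Method names are illustrative.
PROTECTED_RPCS = {"fundchannel", "close", "pay"}

def canonical_digest(call):
    """Stable hash of the exact RPC parameters the node is about to run."""
    return hashlib.sha256(json.dumps(call, sort_keys=True).encode()).hexdigest()

def rune_allows(rune_methods, call):
    """Simplified rune (assumption): node checks the method against an allowlist."""
    return call["method"] in rune_methods

def rune_only_node(call, rune_methods):
    """Node protected by runes alone: whatever the client sent is executed."""
    if not rune_allows(rune_methods, call):
        return "rejected"
    return "executed"

class TrustedDisplay:
    """Models an HSM that shows the call to the operator out of band."""
    def __init__(self, operator_intent):
        self.operator_intent = operator_intent  # what the human meant to send
    def confirm(self, call):
        # The operator approves only if the displayed call matches their intent.
        return canonical_digest(call) if call == self.operator_intent else None

def hsm_node(call, rune_methods, display):
    if not rune_allows(rune_methods, call):
        return "rejected"
    if call["method"] in PROTECTED_RPCS:
        # Confirmation is bound to the exact parameters, not just the method.
        if display.confirm(call) != canonical_digest(call):
            return "rejected"
    return "executed"

def demo():
    intended = {"method": "pay", "bolt11": "lnbc-intended-invoice", "amount_msat": 100_000}
    # Compromised client rewrites the parameters after the operator typed the command.
    tampered = dict(intended, bolt11="lnbc-attacker-invoice", amount_msat=50_000_000)
    read_call = {"method": "listchannels"}
    rune = {"pay", "listchannels"}  # constructed rune covering both methods
    display = TrustedDisplay(intended)
    return {
        "rune_only_tampered": rune_only_node(tampered, rune),   # "executed"
        "hsm_tampered": hsm_node(tampered, rune, display),      # "rejected"
        "hsm_intended": hsm_node(intended, rune, display),      # "executed"
        "hsm_read": hsm_node(read_call, rune, display),         # "executed"
    }
```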