1 2016-03-07 05:43:44 <phantomcircuit> Lightsword, shrug the code that disconnects them is pretty fast and the non-broken implementations won't reconnect to you
2 2016-03-07 05:44:21 <Lightsword> phantomcircuit, well there are def broken implementations that do seem to try and reconnect
3 2016-03-07 05:44:38 <phantomcircuit> Lightsword, those aren't actually bitcoinj
4 2016-03-07 05:44:47 <phantomcircuit> or at least they're not real spv clients
5 2016-03-07 05:45:27 <Lightsword> phantomcircuit, oh? are they clients doing tracking?
6 2016-03-07 05:49:11 <phantomcircuit> Lightsword, probably
7 2016-03-07 05:53:59 <Lightsword> phantomcircuit, the wallets I've been seeing do it seem to have IP's in many different countries
8 2016-03-07 05:54:05 <Lightsword> and it's mainly multibit
9 2016-03-07 06:00:28 <phantomcircuit> Lightsword, maybe some old broken multibit
10 2016-03-07 06:00:42 <phantomcircuit> iirc there's been versions which selected peers very stupidly
11 2016-03-07 18:41:01 <Greybits> Hi, is there a list of which bitcoin-core client versions are vulnerable to openssl drowning bug?
12 2016-03-07 18:44:01 <wumpus> that bug shouldn't really affect bitcoin core
13 2016-03-07 18:44:25 <Greybits> bitcoin core doesn't use openssl? it is listed in the "about bitcoin core" page in the qt client
14 2016-03-07 18:45:01 <wumpus> it uses openssl, but for encryption and random number generation. It only uses (outgoing) SSL connections for payment protocol in the gui, and there it forces TLS
15 2016-03-07 18:45:24 <Greybits> what version of tls?
16 2016-03-07 18:45:29 <wumpus> and DROWN is a server-side vulnerability, it doesn't affect clients
17 2016-03-07 18:46:17 <wumpus> any version of TLS (SSLv2 and 3 are disabled)
18 2016-03-07 18:46:39 <Greybits> when clients communicate on port 8333 it is not encrypted with an openssl lib?
19 2016-03-07 18:46:44 <wumpus> no
20 2016-03-07 18:47:14 <Greybits> 8333 is plain text?
21 2016-03-07 18:48:29 <wumpus> yes
22 2016-03-07 18:49:09 <Greybits> and people enter the rpc password over port 8333?
23 2016-03-07 18:50:01 <Arnavion> You're not supposed to open the RPC port over an insecure network, or any network at all if you can help it
24 2016-03-07 18:50:29 <Greybits> why wouldn't it use encryption anyway? if you are already using the openssl libs other places
25 2016-03-07 18:50:49 <arubi> you're not being fair.. rpc used to support 'rpcssl' right?
26 2016-03-07 18:51:33 <Greybits> arubi, i really don't know much about it, which is why im here trying to learn.
27 2016-03-07 18:51:55 <arubi> Greybits, nobody in their right mind is running rpc over anything but 127.0.0.1
28 2016-03-07 18:51:58 <arubi> like Arnavion said
29 2016-03-07 18:53:01 <wumpus> 8333 is not the RPC port, it is the P2P network, no passwords go over it only public information such as blocks and transactions
30 2016-03-07 18:53:34 <arubi> well you're right, I missed that and somehow fixed myself on rpc.
31 2016-03-07 18:53:39 <Arnavion> Heh, same
32 2016-03-07 18:54:20 <wumpus> (there are people talking about optional authentication+encryption support on P2P, but that would be something at the bitcoin P2P message level, not TLS)
33 2016-03-07 18:55:02 <arubi> ooh, cool.
34 2016-03-07 18:55:31 <wumpus> TLS is pretty sucky, introduces too large an attack surface, we'd like to get rid of openssl as a core dependency
35 2016-03-07 18:56:56 <wumpus> (which can be done as soon as it is no longer used for random number generation and AES for wallet encryption)
36 2016-03-07 18:57:08 <Greybits> wumpus, what kinds of things are in place to stop client 8333's from being flooded?
37 2016-03-07 18:58:12 <wumpus> Greybits: nothing, really
38 2016-03-07 18:58:34 <Greybits> i wonder how many simultaneous connections an average port 8333 can sustain
39 2016-03-07 18:58:51 <wumpus> connection exhaustion did become more difficult with 0.11 and 0.12 though, but a client can send as many packets as it wants
40 2016-03-07 18:59:11 <wumpus> 125 is the default max number of incoming connections
41 2016-03-07 18:59:46 <Greybits> thank you. how long is the keep alive?
42 2016-03-07 18:59:49 <wumpus> you can configure it with a command line option, but every connection takes a few MB of memory
43 2016-03-07 19:00:39 <wumpus> 20 minutes
44 2016-03-07 19:00:43 <Greybits> oh wow
45 2016-03-07 19:03:03 <Greybits> it sounds like someone could modify the code in like 5 minutes to make 125 outgoing connections to every peer that it sees.
46 2016-03-07 19:03:59 <wumpus> people have tried
47 2016-03-07 19:04:48 <Greybits> if you could find the most "interconnected" peers it sounds like some pimply 13 year old could really cause some hassles.
48 2016-03-07 19:05:50 <wumpus> as said, in recent versions there are some mitigations for trivial connection flooding, if too many connections come from the same net range they get disconnected to make place for new ones
49 2016-03-07 19:06:11 <Greybits> yes, but in the real world, that is not how that attack will play out.
50 2016-03-07 19:06:34 <wumpus> you're welcome to improve the anti DoS code
51 2016-03-07 19:07:06 <Greybits> i would prefer to test the current and recent versions, find the problems, prove they exist. then work on how to fix.
52 2016-03-07 19:07:19 <wumpus> good luck
53 2016-03-07 19:09:10 <Greybits> thank you. and thank you for sharing your wisdom with me.
54 2016-03-07 19:09:26 <kanzure> if i was to open an issue for an "spv" client to use more than 100 connections to bitcoin nodes, which "spv" client github repository should i open that issue on?
55 2016-03-07 19:11:07 <Greybits> wumpus, is there a way in the client source code ( or any other place ) to make it so that your client wouldn't allow connections from certain bitcoin-core versions like if you didn't want to connect to Classic nodes?
56 2016-03-07 19:11:53 <wumpus> kanzure: you'd have to find an SPV client that is actually actively maintained :p
57 2016-03-07 19:12:20 <kanzure> well that's impossible
58 2016-03-07 19:15:00 <wumpus> Greybits: technically: getpeerinfo to get the subver, then ban with setban ... but it's not really encouraged to do that, because people can easily spoof a different string, and if such behavior was widely used everyone would just report the same version string, similar to how all browsers report as Mozilla/X.X
59 2016-03-07 20:15:36 <wumpus> interesting, someone is working on bitcoin core on android, https://github.com/greenaddress/abcore
60 2016-03-07 20:19:02 <wumpus> and gitian armhf builds: https://github.com/keo/bitcoin/commit/2e568375ea3410a67ed4d7cb18a2cabd4ece0580
61 2016-03-07 20:19:07 <wumpus> nice things going on