#bitsquare.io
      • waxwing
        oakpacific, nice cola joke :)
      • oakpacific
        waxwing: credit should go to Chinese economist Hu Shizhi
      • who originally created the joke with two different beverages when PBOC proclaimed that Bitcoin is not a currency
      • waxwing
        waxwing, yes, economists have to be very sharp and witty. considering that the product they sell is trash :)
      • oh i'm talking to myself. lol.
      • oakpacific
        nah he is a libertarian, liberty is not trash, since it's never free :)
      • waxwing: you are doing cross-platform testing today i guess?
      • waxwing
        yup
      • oakpacific
        waxwing: i wonder if it's possible for the auditor to inject a random secret, which can be proven to exist but never revealed in its plaintext form until an auditing session is finished
      • no, until it needs to be used
      • waxwing
        it seems there's something flaky about sendspace. really need a better solution for transferring a few hundred kB of data in real time than these dodgy websites.
      • one solution is using private IRC servers where you can send as much data as you like. how about a little brainstorm dansmith- , oakpacific ?
      • oakpacific
        stega in a picture then imgur? :)
      • waxwing
        well that's inventive :)
      • but yeah. something like that. i'm finding that sendspace just sometimes times out preparing the link. this is for like 200kB files.
      • oakpacific
        well, essentially, sendspace is a centralized service, so decentralization is not important
      • waxwing
        it may be something that's changed on their end. or maybe not. difficult to say.
      • oakpacific
        also it doesn't have to be instant
      • waxwing
        yes, you're right. it seems to be working fine for various small files, but not for this zip. maybe they have something where they ban zip files, or some more complex algo.
      • interesting. trying to send tlsnotary-master.zip also failed.
      • i'm looking for a big picture solution. there needs to be some feedback to confirm that (a) the auditor received the data and (b) it corresponds to the commitments and so it's valid. i think this ought to be a fairly real time feedback.
      • i think part of the confusion arises because we have the auditor as a kind of quasi-trusted entity. so we're not really P2P, but at the same time we don't treat the auditor as a "server". So it's never that clear what the right communication medium between them ought to be.
      • Since everything's encrypted, it shouldn't matter that much. Just need something that works. Which ought to be simple , but..
      • oakpacific
        waxwing: what about github?
      • llllllllll
        waxwing, oakpacific: Just tried TLSNotary on windows 8.1, worked really smooth and easy :)
      • waxwing
        llllllllll, ooh that's a bonus. i was kind of terrified of Win8.
      • did you get it from github.com/tlsnotary/tlsnotary today?
      • llllllllll
        yes, I am kind of terrified by win8 myself as well
      • yes
      • waxwing
        llllllllll, great. i wiped win8 from my disk immediately when i bought my new laptop, so i couldn't try it :)
      • llllllllll
        It did show cookies for my bank login page, but that's a known issue right?
      • waxwing
        llllllllll, yes. did you see Set-Cookie in the headers then?
      • llllllllll
        Correct
      • waxwing
        right. so the concept is that it should be safe if you log out before you press 'Finish'. However I'm not sure if we've really thought it through properly.
      • the concept being that the cookie is just preserving session state.
      • llllllllll
        That makes sense
      • waxwing
        llllllllll, so is the info on the page you were auditing good enough for an audit, do you think? or did you just try a random page.
      • llllllllll
        waxwing, I only tried the login page to see if it worked properly
      • waxwing
        right.
      • hmm the pattern of what i'm seeing suggests there's some maximum allowed file size. trying to send TLSNotary.pdf (about 500kB) failed.
      • llllllllll
        waxwing, when I try to audit a bank transfer while logged in I get "Exception: WARNING! The server is presenting an invalid certificate. This is most likely an error, although it could be a hacking attempt. Audit aborted."
      • waxwing
        OK. that means one of a couple of things (a) the server is using a different certificate between different requests (v. unlikely) or (b) there's some bug in the javascript where it's reading the wrong certificate.
      • llllllllll, was that the only page you tried to audit in the session?
      • llllllllll
        yes
      • waxwing
        hmm. oh dear. gonna be difficult to debug.
      • i guess the best info you can give me is, to isolate the error. (1) is it repeatable for that page, (2) can you get it for other pages on the same site.
      • ah, i have an idea what might be causing it. if my idea is right, it's just kind of a dumb error on my part. it could well be this: the javascript picks up the cert for the page you originally went to (e.g. login page). then when you click through to the statement page, the site is using a different certificate there. the code ought to pick up that change, but maybe i screwed that up. will look into it.
      • llllllllll
        waxwing, ok cool, I get the same error for different pages and different sessions
      • waxwing
        different pages, different sessions, same site ? but not different sites?
      • llllllllll
        Yes, same site, all when logged in
      • waxwing
        right, so once you're logged in, this error is persistent. damn this might not be simple. my simplest theory of what's causing it didn't test out.
      • oakpacific
        llllllllll: waxwing maybe let's see if we can find someone else using the same bank
      • llllllllll
        Other sites work fine
      • waxwing
        llllllllll, just for some background: the idea is that the tlsnotary python script re-creates your browser's http request (under ssl) and fires it off under the hood. However, to keep the security, we have to ask the browser whether the certificate we're given is valid.
      • So the javascript sends the sha1 hash of the certificate to the python backend, and if the new certificate we get does not match that, we reject it.
      • so far there was only one site we saw where that didn't work: google.com (and other google sites), because they have some kind of weird load balancing thing.
      • it is quite reasonable/possible that banks use different certificates for their 'logged in' area; but that shouldn't matter, because when you run the audit you're replicating the page *inside* the logged in area.
      • oakpacific
        waxwing: can we dump the problematic certs when sh*t happens?
      • waxwing
        oakpacific, well we can dump the sha1 coming from the browser, and we can dump the new cert we're getting.
      • the exception just gets raised if sha1(new cert) != sha1 from browser
      • oakpacific
        i know
      • i am just thinking of dumping both certs for debugging purposes
      • waxwing
        we could do a ssl session dump there though. that's a good point.
      • oakpacific, yes, true, you can look in the browser. but the cert coming from python will not be prettified sadly.
      • just hex or binary is all we have at the moment.
      • oakpacific
        whenever i want to study something seriously it's in binary
      • waxwing
        well, ok, then do a wireshark to get the binary of the original cert :)
      • oakpacific
        now 2 out of 2 users experienced exceptions, that's an unacceptable failure rate :)
      • waxwing
        oakpacific, not sure what to do about it. i think i should finish the analysis of sendspace before coming back to this. I would write an issue, but i'm not sure how to be specific without naming the bank (and i can't log in to the bank and reproduce it anyway).
      • oakpacific
        waxwing: how about we compile a checklist of the world's 100 largest banks and try to test them one by one, and see how many get checked in the end
      • waxwing
        oakpacific, sure we can compile a list, but only when users try it. we intended this from the early days. but as llllllllll 's example shows, testing the login page only doesn't tell you much.
      • oakpacific
        waxwing: that's what i meant
      • or we two can do the whole thing :)
      • waxwing
        oakpacific, right, well, just clarifying.
      • oakpacific
        or maybe we should have some sort of a release first, as lots of banks are not testable without a bigger audience, e.g., the American banks
      • waxwing
        oakpacific, it's nice to do in stages i think. first test out with, say, 10 people. iron out any gross problems. then a larger number of people. or just organically growing. that type of thing.
      • oakpacific
        waxwing: it's good on paper, but we simply are not able to test a large number of major banks given the status quo
      • i can find people testing all the major Chinese banks, it's on me
      • waxwing
        yes. oakpacific , could you do me a favour: test tlsnotary with at least 5 pages, ideally include things like pay.reddit.com (purpose is to make sure the zip file is more than 2-300 kB). And then try to finish the audit and see if it completes correctly (the trace.zip file gets sent).
      • oakpacific
        yes i can
      • waxwing
        i am getting paranoid that they might be blocking my IP or something.
      • oakpacific
        i guess tomorrow
      • reddit i can do now
      • new version again?
      • waxwing
        doesn't seem likely. small files go through ok.
      • oakpacific, yes, please, newest version.
      • oakpacific
        self-test includes the zip file delivery as well?
      • waxwing
        oakpacific, yes
      • oakpacific
        dansmith-: maybe you can include the link to the official repo on your repo page, as it would take quite some time before Google props it to the top
      • waxwing: if you meant https://pay.reddit.com, it's successful on the first try
      • waxwing
        oakpacific, sure. take a look at the size of the trace.zip file. The experiment I'm after is to make that file at least, say, 400 kB and still see if it goes through.
      • oakpacific, me and llllllllll have been doing a deep dive into the weird case he has. first, the audit works for his bank for most pages, but what we discovered is, you can get a situation where you look at the main transaction page, audit fine no problem, but then you click to isolate one transaction, but maybe it just does some javascript and doesn't load a new page. then you're trying to audit the same page twice, which seems like it might be what caused the screw up.
      • I did not anticipate this.
      • back in a bit
      • oakpacific
        waxwing: if we want to write an exception handling for it, it's not too difficult though
      • waxwing
        oakpacific, not sure if this is a sign of bitcoin progress or a sign of trouble in chinese real estate :) http://www.bitell.com/t/2051
      • oakpacific
        waxwing: most probably this is not very relevant