#tlsnotary-chat

worth a watch https://www.youtube.com/watch?v=Zq4QCWrvRhI

waxwing: sat through till the end? :)

yeah.

maxwell's beard commands you to pay attention :)

waxwing: now back to implement tls 1.1 and re-org ;)

just running through automated tests on windows.

i see www.gov.uk fly by. there is something orwellian about that site.

did you hear about the new porn rules?

waxwing: yeah

like lots of UK rules, they are eccentric and funny :)

dansmith_btc, don't know if you did much auto-testing on windows

os.kill(auditor_pid,signal.SIGTERM) throws 'WindowsError: [Error 87]'

and same for auditee

i mean it doesn't matter, got a test run sucessful anyway.

loadto file transfer taking too long

PR #82 created. would like at least 1 other person to sanity check before merge.

i can't seem to get Paillier running on my Windows box. I keep getting 'Failed to receive a reply for p_round_ee0' or 'p_link'.

works fine on linux. something to do with processing power? doesn't seem to quite add up.

waxwing, autotesting you pr on linux, i got AssertionError: Fatal error - invalid mac, data not authenticated! for pinterest

is this error debugable? will session folders help?

dansmith_btc, huh, that's .. not something i saw

i mean, not recently since i've fixed the various bugs, anyway

dansmith_btc, which file / line number?

oh in mac check plaintexts, got it

another test run finished ok, bbl

did another test run also successfully (except wikipedia and citizen4 which give the cert error)

wow someone's having fun http://whatcanidoforbitcoin.org/

I found a huge flaw in bc.i wallet which was fixed only a week ago which allowed an arbitrary javascript injection. i dont know who to share it with.

i dont know if it worth making too much noise about and again show bc.i incompetence

wow. i guess you could tell them you found something, but don't know whether anything would come of it.

as you say, all the neg publicity recently doesn't help

the thing is that they've already fixed it a week ago. But they did it on the quiet.

seems like the best you could get from it is a job :)

rather optimistic, admittedly

basically a one-line fix https://github.com/blockchain/My-Wallet/commit/... . They used to allow data to come from non-HTTPS sockets. If you look in the code, this data from the sockets was pasted into the html document without any sanitizing. One could paste any <script> </script> code , including the code which would steal your passwords and such

This applied not only to malicious Tor exit nodes but any rogue ISP or VPN operator.

interesting that it has the same pattern as the other flaw that was found: trying to improve usability at the expense of security.

I only learned about this b/c someone on reddit posted the heads up but then immediately removed the thread https://pay.reddit.com/r/Bitcoin/comments/2o5j7...

I don't know how reddit works, could bc.i ask reddit to remove such unfavourable threads?

thread wasn't deleted; only user was deleted, right?

ok, that makes sense then. I had time to check the user before he deleted - it was a throwaway

still it isn't such a critical error right, as 6to23 says, if it's just getting balances. arguable i guess.

That's the thing that the block info was pasted into the html unsanitized.

don't follow

This function was invoked https://github.com/blockchain/My-Wallet/blob/9d...

you see that tx.hash was injected into the html code

so you mean like tx hashes could be modified?

yes

made into html code

but attacker can only report false data to user, right, it's not a coin stealing attack. is it?

i mean shenanigans are possible i'm sure, just not sure how far it could go

because this is arbitrary code, the attacker would insert <script> steal coins</script> which would get executed in the browser

oh ok. i guess it depends how the coin spending part is encapsulated. but basically, yeah, script insertion, good point.