build: disable BIP70 support by default

[fanquake]

Disable BIP70 support in the GUI by default for 0.19.0 (for eventual removal in 0.20.0?).

Users who want to compile with BIP70 support enabled can pass --enable-bip70 to ./configure.

I've inverted the current --disable-bip70 test to instead pass --enable-bip70.

Tested configurations on macOS (protobuf installed with brew).
Protobuf available and ./configure:

Options used to compile and link:
  with wallet   = yes
  with gui / qt = yes
    with bip70  = no

Protobuf available and ./configure --enable-bip70:

Options used to compile and link:
  with wallet   = yes
  with gui / qt = yes
    with bip70  = yes

Protobuf not available (i.e brew unlink protobuf) and ./configure:

Options used to compile and link:
  with wallet   = yes
  with gui / qt = yes
    with bip70  = no

Protobuf not available and ./configure --enable-bip70:

checking whether to build test_bitcoin-qt... yes
checking whether to build BIP70 support... configure: error: protobuf missing

TODO:

• Remove protobuf from other Travis builds
• Documentation updates (mention that protobuf is now optional)?
• Could split release notes into GUI and build

[jonasschnelli]

Concept ACK

• IMO travis (not all jobs though) should build with BIP70 as long as the feature is available.
• Could we remove protobuf from the depends-build in the same pull?

[Sjors]

So is this removing BIP70 from the release as well? I'm reluctant to turn it off for developers by default while still shipping it. At minimum Travis should continue to check it in that case. But even then, GUI test coverage is too low to rely on that.

[jonasschnelli]

So is this removing BIP70 from the release as well?

Not for the release but for the gitian built binaries. We could re-add the BIP70 support to the gitian build. But as this is, it will disable BIP70 in gitian.

[jameshilliard]

I would recommend holding off on disabling support for BIP70 for release binaries until all major merchant processors have stopped requiring it. Dropping BIP70 support before the merchant payment processors stop requiring it would incentivize users to switch to less secure wallets that have BIP70 implementations with known unpatched vulnerabilities.

I would instead recommend making the deprecation warning more aggressive, maybe add to the deprecation warning that it's recommended users contact/inform the merchant that they are using an deprecated and insecure protocol.

Unfortunately the largest merchant payment processor that requires BIP70 is still publishing misinformation in regards to the security of BIP70(such as disproven claims that BIP70 improves protection against MITM attacks) so it may be necessary in the deprecation warning to indicate that merchants should not be trusted to provide accurate information about BIP70 and that users should not follow any merchant recommendations to switch wallets.

[luke-jr]

@jameshilliard Do any merchants require BIP70 at this point? (A particular payment processor claims it does, but AFAIK their implementation is broken and already doesn't work with Core.)

[jameshilliard]

Do any merchants require BIP70 at this point? (A particular payment processor claims it does, but AFAIK their implementation is broken and already doesn't work with Core.)

Well Core can make payments to that particular processor, the incompatible/non-standard part of their implementation introduces an unfixed security vulnerability but it doesn't seem to affect the ability to send payments(due to the incompatible/non-standard part being after the payment is broadcast by Core to the network).

My worry is that prematurely removing BIP70 in Core would result in users switching to vulnerable wallets when they see the error message indicating they can't make a payment.

Having a warning message encourage users to complain to the merchant about using a deprecated/insecure protocol on the other hand would help increase their support costs for processing BIP70 transactions which is the main reason they refuse to fix their security vulnerability or support BIP21. The idea is essentially to have the warning make their support costs for BIP21 lower than their BIP70 support costs by increasing merchant/customer complaints and support costs for BIP70.

[luke-jr]

Hate to say it, but we should probably do a release with something like #15064 before disabling BIP70 by default... :/

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

No conflicts as of last run.

[laanwj]

ACK for 0.19.0

[TheBlueMatt]

Concept ACK

[achow101]

ACK c53da7c5f166a95f3ae37f817f8cd7b94812077a

Tested that a build with the default configure does not download BIP 70 requests.

[DrahtBot]

Gitian builds for commit 00dad5e (master):

• b149f5b01c0d113f85c2ee650c314006... bitcoin-0.18.99-aarch64-linux-gnu-debug.tar.gz
• a0bacbc9934a0c10a1cb359cfa8fddaa... bitcoin-0.18.99-aarch64-linux-gnu.tar.gz
• bdab406041e4eca0726a34dfce718cf5... bitcoin-0.18.99-arm-linux-gnueabihf-debug.tar.gz
• 66c1db178a6098465771e7a0c279e64a... bitcoin-0.18.99-arm-linux-gnueabihf.tar.gz
• 315ed9f4a534fb2951b7cb81cf3ffdf6... bitcoin-0.18.99-i686-pc-linux-gnu-debug.tar.gz
• 0ba7846c7a8f3913148deb6921a44cfb... bitcoin-0.18.99-i686-pc-linux-gnu.tar.gz
• 76273745d51891a300e78909ba6d8f0c... bitcoin-0.18.99-osx-unsigned.dmg
• d35b90dfce7cb61eb2964f9185f41e96... bitcoin-0.18.99-osx64.tar.gz
• 7d03d96d55a9fabba5cfe636ec519fda... bitcoin-0.18.99-riscv64-linux-gnu-debug.tar.gz
• b15a87a55f407ad4d62ecf38249196e7... bitcoin-0.18.99-riscv64-linux-gnu.tar.gz
• c8835b0908c3ee840d0c7582735e5bbf... bitcoin-0.18.99-win64-debug.zip
• e9f28785ac13675d35d040337a06c968... bitcoin-0.18.99-win64-setup-unsigned.exe
• 62ffb56bf8cb25c43fe353620a30a863... bitcoin-0.18.99-win64.zip
• 865b1f96c5be5c712ffaae46d2b29f97... bitcoin-0.18.99-x86_64-linux-gnu-debug.tar.gz
• 86b5c6befc680321fcd4ec434c7b4052... bitcoin-0.18.99-x86_64-linux-gnu.tar.gz
• 39d82b2a6eae55ae48251fc785568b8b... bitcoin-0.18.99.tar.gz
• 6719636660dfdf3926bca8dd60a19b01... bitcoin-core-linux-0.19-res.yml
• b816242aa91c351ca6d30eaf83445566... bitcoin-core-osx-0.19-res.yml
• 5ad66ab6ec20cad7c5a40c1acd75a140... bitcoin-core-win-0.19-res.yml
• 22ea471f4f174f89fedeccaeeee93223... linux-build.log
• 9eeccaf3cebba3096e0a684187113ef9... osx-build.log
• 5386f3866b1d25cd147cee26036aa844... win-build.log

Gitian builds for commit 991b570e11fc3a18bb65267de19628723b248ba5 (master and this pull):

• df322cb1f63ed5f09f96e2dd9b20696c... bitcoin-0.18.99-aarch64-linux-gnu-debug.tar.gz
• c851fb2576f3376e10f88c88757188e7... bitcoin-0.18.99-aarch64-linux-gnu.tar.gz
• 4d7b251ae4fa36f088ea376124af1279... bitcoin-0.18.99-arm-linux-gnueabihf-debug.tar.gz
• b15503d4dc4b728e940f5b0dfdf3dc37... bitcoin-0.18.99-arm-linux-gnueabihf.tar.gz
• 6003a75a2e75246e3481e9f41fe90d0f... bitcoin-0.18.99-i686-pc-linux-gnu-debug.tar.gz
• 1eb1f97ead90e2f80769a9346f1bf716... bitcoin-0.18.99-i686-pc-linux-gnu.tar.gz
• cd8be10d410189ebb5375b7b7aca2afa... bitcoin-0.18.99-osx-unsigned.dmg
• dac533754c216225e13d1a5e595b5a4a... bitcoin-0.18.99-osx64.tar.gz
• f3ddc500619fedd93dbc484e1a1a2649... bitcoin-0.18.99-riscv64-linux-gnu-debug.tar.gz
• 5a7968c57c3e0fb4319e51a77d42b1f1... bitcoin-0.18.99-riscv64-linux-gnu.tar.gz
• 446f0af62d360e6f5d382df612822b19... bitcoin-0.18.99-win64-debug.zip
• 28819f7c58e16da45e7558ceb7a8dc50... bitcoin-0.18.99-win64-setup-unsigned.exe
• 6fdb324b19eeb0e562aa1f88bf82836a... bitcoin-0.18.99-win64.zip
• 23282177ae91d1dcf865e02fdee029db... bitcoin-0.18.99-x86_64-linux-gnu-debug.tar.gz
• edf9052b87ce4f068ba5922f0aed5307... bitcoin-0.18.99-x86_64-linux-gnu.tar.gz
• 53c1c936ccee1e28a7a91b4dc7234bb5... bitcoin-0.18.99.tar.gz
• 13bc491c14ee16010844659f5aca6fc9... bitcoin-core-linux-0.19-res.yml
• e5decfe8692e09296193273aa3256ad0... bitcoin-core-linux-0.19-res.yml.diff
• 4570096b05effc4f5bbc23a7bebb7f75... bitcoin-core-osx-0.19-res.yml
• 973808e15b1ffc9271b14bdf8e51ce8a... bitcoin-core-osx-0.19-res.yml.diff
• c3cf41f4a54c6103c68fc26394c2f6a8... bitcoin-core-win-0.19-res.yml
• ef95101b1bfee3ccea4d3134d2681d59... bitcoin-core-win-0.19-res.yml.diff
• 3b6cf93c7c4efe83b0f3733abeb50d01... linux-build.log
• 29f62a7882792568fa740c41c17be86f... linux-build.log.diff
• 96e57d810c1efac1c275b82eab12728d... osx-build.log
• e8272538ccab68ee1143a1fe532f346f... osx-build.log.diff
• da3415bc436d436add0adc95088979a5... win-build.log
• fffd20d144a617b73b7103439cb895c5... win-build.log.diff

[fanquake]

Should probably change the help string to --enable-bip70 so it is more comprehensible.

Done & rebased. Also added a commit to specify Protobuf as optional in the build docs.

[jameshilliard]

I think we need something like #16858 before merging this so that users don't switch to BIP70 compatible wallets with insecure BIP70 implementations.

[laanwj]

@jameshilliard I agree that would be nice to have, but I don't personally think that's enough reason to make this miss the 0.19 deadline.

[jameshilliard]

@laanwj Should we be able to get something like #16858 in by the deadline as well since it should be a trivial change?

[elichai]

ACK e09913f Read the autotools changes. awesome that this removes the protobuf requirement.

One thing i'm not sure I get is the change to the 00_setup_env_i686.sh test, from not using bip70 to using it.

[maflcko]

awesome that this removes the protobuf requirement.

protobuf is still required when BIP70 is compiled and was never required when BIP70 is not compiled.

One thing i'm not sure I get is the change to the 00_setup_env_i686.sh test, from not using bip70 to using it.

While we disable it by default, the option still exists and at least one ci config should build it

[practicalswift]

ACK e09913f -- diff looks correct

Smaller attack surface is better!

[shesek]

@gmaxwell wrote a thoughtful comment on reddit explaining some of the motives behind this decision and the issues surrounding BIP 70. I thought it would be useful to copy this here for future reference:

BIP70 has resulted in remotely exploitable vulnerabilities that would allow an attacker to steal the wallet's private keys.

BIP70 has had multiple serious privacy vulnerabilities, and the design of BIP70 where the client makes a connection to a requester specified host is generally prone to additional privacy vulnerabilities.

BIP70 requires access to a relatively complete x509 implementation as well as a TLS implementation, tens to hundreds of thousands of lines of security critical code that get exposed to the network.

BIP70 support has been blocking the removal of openssl as a dependency of the Bitcoin software. OpenSSL has a half dozen times or so been the origin of needing to perform short notice emergency upgrades of the software. Emergency upgrades deprive users of their own free choice of software and are an attack vector for introducing vulnerabilities. Additional in some cases OpenSSL's updates have come in the form of an opaque monolithic path that was hundreds of thousands of lines long, making actual review of their changes effectively impossible.

Bitpay's original incompatible modified version of BIP70, which was never used in Bitcoin Core but would have been needed for bitpay compatibility, introduced a serious vulnerability which which would allow bitpay (or someone who compromised their systems) to steal users coins or also just accidentally and almost invisibly take them via an easy mistake.

BIP70's implementation in bitcoin is extensively tied into the GUI and so uniform functionality cannot be provided for the RPC or CLI without essentially rewriting it, an effort that would not be justified given that the support is, as far as anyone can tell, largely unused. The lack of an automatable interface to it also makes it very difficult to subject to automated testing. The GUI tie-in also makes it difficult to separate BIP70 into another process in order to reduce the risk from vulnerabilities in the bip70 code. BIP70 also creates a dependency on protobuf, another piece of large network exposed code that could result in vulnerabilities or incompatibilities.

So, in summary: BIP70 in Core is largely unused, the implementation in Core has never been compatible with the incompatible version used by the only well known user (a company started using it after a decision had been made to remove it... which delayed the removal to see what would happen). BIP70's design is not particularly fit-for-purpose, it doesn't accomplish what people wanted it to do (thus the incompatible proprietary modifications and the lack of adoption), and the implementation has been a repeated source of privacy and security vulnerabilities. Attempts to improve BIP70 have been the source of security vulnerabilities. BIP70's implementation also requires pulling in an enormous amount of third party cryptographic code, which again, have frequently been the source of security vulnerabilities and emergency updates for the software.

And sure, lots of people justifiably dislike Bitpay-- but the removal of BIP70 started before bitpay was even using it and has essentially nothing to do with them beyond the fact that their usage, almost alone, of it isn't perceived to be enough justification to take the ongoing cost and risk of continuing to support it.

Of course, if you want to continue to personally use and support it-- you're free to do so. But it isn't reasonable to demand that other parties do so at their own cost, particularly without a clear justification as to how it benefits their users.