0 sats \ 2 replies \ @frostdragon 4 Apr \ parent \ on: I'm Dhruv Bansal, co-founder of Unchained, AMA! AMA
Thanks for taking the time to read and answer my question!
So, I was thinking from the perspective of an attacker being able to leverage a vulnerability that would steal from the app as opposed to other users.
It seems like if I can isolate my application’s payment validation service (similar to the way SSRF is typically mitigated), other vulnerabilities within the application couldn’t be leveraged to access that service and steal from me.
But I hadn’t thought as much about attackers leveraging victim accounts…
But that leads me to the infeasibility of this whole thing in the first place.
It sounds like you’re talking about classes of vulnerabilities that leverage the fact that a browser is happy to automatically make whatever HTTP request the app tells it to. (Fwiw, that doesn’t include all critical severity/zero day vulnerabilities, but that’s a different tangent).
That seems to be based on the idea that LightningInternet browsers will similarly be happy to automatically send payment(request_data).
If that were the case, it’d be INCREDIBLY difficult to convince anyone to join LightningInternet, IMO. I wouldn’t visit ANY website if I had no control over how many requests (payments) are being automatically sent from my browser, no matter how trusted it is. If a single lapse in ethics or security competence can result in a lightning wallet being DRAINED, I’d stick to HTTP apps.
We’d have to build an entirely new internet that functions completely differently that would have an incredibly high security barrier to entry even without the new classes of vulnerabilities that will inevitably emerge.
To me, seems like we can accomplish a lot of the same incentives by building on established security and protocols, and ease into the new unknown a lot more smoothly by simply putting lightning payments into HTTP requests as frequently or infrequently as contextually makes sense.
You're right to frame bitcoin-powered Internet as creating a huge, new space of vulnerabilities. If lightning browsers uncritically call
payment(request_data) then bad stuff will happen. People would have to develop rules to limit carefully what kinds of data they're willing to send and receive. Subversions of those rules, or the systems which enforce those rules, would immediately lead to costly and therefore quickly noticed attacks.Bugs which caused such subversions would not be zero days because they'd be exploited in the wild by their discoverer immediately upon discovery, not hoarded and privately sold in a darkweb market. After all, someone else could find that bug and start profiting from it, exposing it for all to see and squash. The economic incentive (of a blackhat) is to exploit a networking bug immediately before someone else does. This gets bugs fixed faster.
"Data in payments", to use your evocative framing, makes networking more secure by changing the economic incentives of attackers to shorten the lifecycle of bugs. I think this kind of pattern recurs in other areas such as distributed databases. Think of key-value sets and gets in some giant cloud database that is actually just a market. The same zero-day killing behavior will occur there, too. This is how I see a bitcoin-powered Internet emerging over time :)
reply
Interesting perspective. Thanks for sharing! I see what you’re saying a little more about vulnerabilities being exploited immediately…
What you’re proposing reminds me a bit of the scene at the end of Dark KnIght Rises where Bruce Wayne can only make the leap without the rope… More lightheartedly, I call this the Claw of Shame fallacy 😆
In other words, it sounds like you’re saying people will choose lightning internet because it has better security, and it has better security because if it doesn’t, the worst case scenario will happen… and I think I’m either missing some reasoning or missing the technical explanation to justify it, because I’m not sure why people would voluntarily opt in to that in the long run, let alone be a guinea pig…
So I remain curious to see what kinds of solutions people are proposing and building, because I’m all for better security!
reply