Warning: don't use -server or bitcoind where you web browse (v0.3.2 and lower) - Thread

BitcoinTalk

From:

satoshi

Subject:

Warning: don't use -server or bitcoind where you web browse (v0.3.2 and lower)

Date:

July 19, 2010 at 16:01:38 UTC

Don't use the -server or -daemon switch or run bitcoind on a machine where you use a web browser. It opens port 8332 on 127.0.0.1, the local loopback address, and you wouldn't think that web browsers could cross-site access it, but it is possible.

We're working on a release soon that puts a password on the JSON-RPC interface, but until then, avoid using the -server switch, and don't web browse on the same machine where bitcoind is running.

Update:
The JSON-RPC HTTP authentication feature in 0.3.3 solves this problem.

BitcoinTalk

#2

From:

Quantumplation

Subject:

Re: Warning: don't use -server or bitcoind on a machine where you web browse

Date:

July 19, 2010 at 16:03:41 UTC

satoshi: How many other developers do you have working with you?

Martin (another forum member and I) were talking about writing a .Net compatible library for integrating bitcoins into other programs.

BitcoinTalk

#3

From:

franzl

Subject:

Re: Warning: don't use -server or bitcoind on a machine where you web browse

Date:

July 20, 2010 at 11:07:52 UTC

Quote from: Quantumplation on July 19, 2010, 04:03:41 PM

Martin (another forum member and I) were talking about writing a .Net compatible library for integrating bitcoins into other programs.

I think this is a very good idea! I also think it's important to have a PHP library since this is an important programming language for e-commerce sites. It would help a great deal in acceptance of bitcoin as a currency.

BitcoinTalk

#4

From:

Quantumplation

Subject:

Re: Warning: don't use -server or bitcoind on a machine where you web browse

Date:

July 20, 2010 at 16:59:46 UTC

Franzl: >_> I abhor PHP, so I can't help you there, but some day (Completely overwhelmed with projects right now, but some day...) we might write the .net library.

BitcoinTalk

#5

From:

Axcella

Subject:

Re: Warning: don't use -server or bitcoind on a machine where you web browse

Date:

July 20, 2010 at 18:52:45 UTC

this is the only computer i have at present i am working on getting a standalone for the bit coin program until then how do i retain the kash if the connection is lost?

BitcoinTalk

#6

From:

fresno

Subject:

Re: Warning: don't use -server or bitcoind on a machine where you web browse

Date:

July 21, 2010 at 01:42:34 UTC

Quote

Don't use the -server or -daemon switch or run bitcoind on a machine where you use a web browser. It opens port 8332 on 127.0.0.1, the local loopback address, and you wouldn't think that web browsers could cross-site access it, but it is possible.

This sounds like something I would not like to have happen, but what does it mean? Let's face it, we're ALL generating Bitcoins on everything we can get hold of. What is the potential damage, in language my Mom might understand?

BitcoinTalk

#7

From:

sirius

Subject:

Re: Warning: don't use -server or bitcoind on a machine where you web browse

Date:

July 21, 2010 at 05:53:31 UTC

Quote from: fresno on July 21, 2010, 01:42:34 AM

Quote

Don't use the -server or -daemon switch or run bitcoind on a machine where you use a web browser. It opens port 8332 on 127.0.0.1, the local loopback address, and you wouldn't think that web browsers could cross-site access it, but it is possible.

This sounds like something I would not like to have happen, but what does it mean? Let's face it, we're ALL generating Bitcoins on everything we can get hold of. What is the potential damage, in language my Mom might understand?

Malicious websites could have a javascript that steals all your coins.

BitcoinTalk

#8

From:

Gavin Andresen

Subject:

Re: Warning: don't use -server or bitcoind on a machine where you web browse

Date:

July 21, 2010 at 15:01:01 UTC

You can still generate bitcoins, just don't run bitcoind or bitcoin -server or bitcoin -daemon on machine that you use to browse the Web.

As sirius says, if you do you could browse to a website that empties your Bitcoin wallet without your knowledge or permission.

BitcoinTalk

#9

From:

fresno

Subject:

Re: Warning: don't use -server or bitcoind on a machine where you web browse

Date:

July 21, 2010 at 15:27:49 UTC

I'm full of dumb questions today: Are there any other conceivable problems? And would the daemon be protected of it were on a VM and/or chrooted? Thanks.

BitcoinTalk

#10

From:

Gavin Andresen

Subject:

Re: Warning: don't use -server or bitcoind on a machine where you web browse

Date:

July 21, 2010 at 16:10:32 UTC

chroot: won't protect you.

Running as a separate VM: I think will protect you. But I thought browsers wouldn't allow XMLHTTPRequests to "localhost" from web pages fetched from the web, so my advice would be to test it. See if you can talk to the Bitcoin daemon from another VM on the same machine by running "bitcoind getinfo" or "bitcoin getinfo" on the non-bitcoin-vm.

BitcoinTalk

#11

From:

satoshi

Subject:

Re: Warning: don't use -server or bitcoind on a machine where you web browse

Date:

July 24, 2010 at 02:29:09 UTC

The JSON-RPC HTTP authentication feature in 0.3.3 solves this problem.