[Bitcoin-development] Proposal to address Bitcoin malware
brian.erdelyi at gmail.com
Sun Feb 1 13:54:08 UTC 2015
> BIP70 is quite safe against MitB. If user copies URL belonging to other
> merchant, he would see the fact after entering it into his wallet
> application. The only problem is, attacker can buy from the same
> merchant with user's money. (sending him different URL) This can be
> mitigated by merchant setting "memo" to the description of the basket
> and some user info (e.g. address to which goods are sent).
I think BIP 70 does a good job at verifying where the payment request came from. I’m not convinced this is the same as verifying the transaction (ideally OOB).
> But if whole computer is compromised, you're already screwed. Trezor
> should help, but I'm not sure if it supports BIP70.
The reason for OOB verification is if the entire computer is compromised. Again, this may only be possible with a trusted intermediary or a web wallet.