Zeronet: Case (in)sensitivity of addresses

Created on 22 Sep 2019 · 7 Comments · Source: HelloZeroNet/ZeroNet

Step 1: Please describe your environment

  • ZeroNet version: master
  • Platform: various linux distros

Step 2: Describe the problem:

Trying to load an address which coincides with a registered one up to letter case leads to weird behaviour. In particular, the page loads forever, only changing its title to the one from the original page (if it's loaded).

Steps to reproduce:

  1. take any site address
  2. load/try to load the address
  3. change case of one (or many) of its alphabetic components
  4. try to load that one

Observed Results:

There is no attempt to load the second address, the page is empty and "loads" forever

E.g. http://127.0.0.1:43110/1HeLLo4uzjaLetFx6NH3PMwFP3qbRbTf3d

Expected Results:

Sites with different addresses should be independent of each other

bug

All 7 comments

The problem is that case-insensitive file systems do not allow 1Address and 1ADDRESS files/directories to exist in the same directory.
But we should show an error instead of a lack of response.

There is a problem with using either case-sensitive or case-insensitive addresses.

Problem with using case-sensitive addresses (two addresses with different cases will be two sites):

  1. The filesystem could be case insensitive.
  2. Domain names are case insensitive (and converted to lowercase). See #2087 for details on why this could be a problem.

Problem with using case-insensitive addresses (two addresses with different cases will be the same site):

  1. Bitcoin addresses are case sensitive. This means that if an address has a different case than the original, it is different from the original and may also be invalid.

Confirm. Zeronet log:
[12:45:02] - UiWSGIHandler error: TypeError: memoryview: a bytes-like object is required, not 'str' in UiServer.py line 41 > pywsgi.py line 924 > pywsgi.py line 910 > pywsgi.py line 757 > pywsgi.py line 778 > pywsgi.py line 742 > pywsgi.py line 704 > _socket3.py line 457 > _socket3.py line 45

A BTC address contains its last 4 bytes as a checksum. In my opinion, we should check if an address is correct. Please check this Python code: https://rosettacode.org/wiki/Bitcoin/address_validation#Python

Validation of the BTC address will prevent point 3 - change case of one (or many) of its alphabetic components

Are we happy with deeming the odds of having an address collision that has just 1 capitalization difference not an issue and insignificant?
That's the biggest question here IMO
AKA what happens if a VALID REAL address with 1 capital character collides, how would we resolve said edge cases

And can this be exploited? Say, loading a malicious website first, rendering the legitimate website unreachable. If possible, what are the odds and cost to perform such an attack?

@Thunder33345 Yes, this could happen but it is nearly impossible:

The probability that a mistyped address is accepted as being valid is 1 in 2^32, that is, approximately 1 in 4.29 billion.

(From Bitcoin Wiki)

Just for others: I did not mean mistyped,
but rather 1 capitalization difference.
That's not mistyped but rather maliciously crafting a URL that has the same letters with different capitalization,
but I figure it would be a pretty small chance to match another address.
