LNURL-pay: Drop metadata description hash validation#234
LNURL-pay: Drop metadata description hash validation#234callebtc wants to merge 3 commits intolnurl:ludsfrom
Conversation
callebtc
changed the title
callebtc
changed the title
|
ACK from my end. Less hassle dealing with LN implementation support and much easier to build some more complex flows. |
|
ACK. Current Wallet, in foresight of this PR, never implemented this check. |
|
ACK. Will support this change in Zeus. |
as discussed in: lnurl/luds#234
|
ACK Alby will support this in the next release. |
|
Awesome, description_hash got in the way a bunch |
|
Looks like there is broad support for this PR! Anything that should be considered before it can be merged? |
|
👍 |
|
My only worry is that services will drop support for this too soon and start breaking wallets that haven't yet. |
|
ACK, committing the lnurl-pay metadata to the invoice does not bring additional security AFAICT. The service is trusted anyway. Next Phoenix release will remove this check. |
See lnurl/luds#234 This validation brings additional complexity for no real purposes.
The description hash validation is no longer required for lnurl pay. lnurl/luds#234
|
I would like to offer some critical feedback on the proposed change, particularly focusing on a crucial aspect of the lud06: In summary:
As an alternative, I suggest making the description hash optional and introducing an additional step for user confirmation when the commitment is absent. |
|
NACK. I do not see a single valid argument here. Joining to @NCrashed. I don't care about imaginary services and wallets that would benefit from doing less work. The developer's job is to ensure that the digest corresponds to the received data. The current protocol ensures that the previous round of communication corresponds to the next one, and the wallet checks for the user in the background that THIS invoice is for THAT menu inputs + information. The thesis about trusted/non-trusted service is entirely irrelevant here. If meta contained some important info there is no basis for building trust for random user-service as well as no hash to prove misbehaving or indicating for the user that the service showed one info and asked to pay for another.
The check is not related to invoices but rather to any data put into Metadata.
Yes. If the service wants to receive payment and doesn't provide any services or goods, the protocol is irrelevant, but this change enables a whole spectrum of situations when the service may attempt to cheat just a little bit. For example, let's consider the original purpose of the LNURL pay protocol. Selling channel liquidity. The service may provide in Metadata specific parameters about channel fees, channel size and active period, and node pubkey. It receives the payment for the service and opens the channel of size not 1.5M but 1.499M, fees not 1000 ppm but 1001 ppm. Now good luck catching such dishonest service in every UI of every wallet you meant while saying "it will make everything much easier". Instead, Metadata could be shown once, and |
Could you be specific? What does this prevent in your view? If you could make an explicit example of how this improves a payment flow or how it could be abused, it might be easier to understand what you mean. In my view, if I offer you an invoice, you can choose to pay it or not, that is the only necessary expression of your agreement. The proof of payment is the preimage you'll receive. What else other than authenticated transport (https) do you need to be sure that this particular invoice is from the server you've actually asked the invoice from? And what misconduct does the payment hash prevent? |
This is a good example of a case that almost nobody cares about but it could be absolutely implemented even if the requirement would be dropped. If you run such a service, put the terms of the contract into the description hash and make your user read the contract and explicitly agree to it. That's the only way to make sure that both parties explicitly agree. I'm guessing that 99.99% of lnurl payments are without any explicit commitments that the user cares about, they just want to pay. I haven't observed a single case where a dispute was resolved by comparing descriptions and hashes. For those cases where it's relevant: just do it. |
I provided an example.
Checking a hash against a description that is stored or provided off-band may be more relevant for automated payments. It may be important for the client side, too.
The point being made is not about faking the server. The point being made is about the server that provides some imprecise/non-deterministic data.
Not relevant at all for machine-machine interfaces.
It wouldn't happen with the former rules, even if it were the case. There would not be any dispute at all. |
|
Hi! 🙂 Is there any chance that this could be merged. Or if this is still a concern:
Could we then add at least a deprecation note to the spec? I was not aware of this PR and (as a sending service) implemented this check and was wondering why more and more receivers (LN address owners) do not provide the correct tag Until someone (@reneaaron , thanks for that 🙏 ) pointed me to this PR here. 🙈 |
|
Merging the PR would really make sense. Wallets that implement the spec as is already experience payment failures. |
i agree with adding a deprecating note to the spec, but i wouldn't remove that feature completely, how about making the check optional and the users signal that he want to have it checked, default is no check? |
|
Valet now supports both protocols and it is able to check hash against description.
At least recently I've seen few more use cases for this feature, mostly for cross-protocol capabilities, so I keep telling it was a mistake to remove this from the spec. |
|
It is even wrong from the start to me.
Hash to Description is a commitment to the intent/contract/information provided earlier and not to identities. So whole message somehow irrelevant. |
|
@evd0kim @dni Now to the suggestion to support both. Don't get me wrong, if this is a real security issue and I just don't get it, then I strongly support a warning. But if it is just about signaling an intention and only the intention can be cryptograpically verified, but not the final action, we are better off without a warning. |
|
#96 so this is one usecase of lud-18 |
|
Hi! 🙂 I'm on board with @michaelWuensch on this. I don’t see how setting the
Yes, it acts as a commitment—but it’s not a binding commitment. Since no secret is involved, any lightning node could recreate the same commitment. If the LN SERVICE (LNURL web server) were compromised and returned a malicious invoice from a different node, it could still include the same This suggests that preventing such an attack is not the purpose of this feature. So, what is the actual attack scenario which gets prevented by adding this tag |
|
The only benefit I can see is that in a lud-18 flow you have proof that the service actually received the identity data you sent. |
|
I think it's the same when looking to @evd0kim's example from above:
I’d really love to understand how the It just gives the payer the security that the receiver has actually received the data correctly (without any guarantees what the receiver does with this information or adheres to it). But for "just to be sure that data was transmitted correctly" we have other layers (https, tcp). Do I miss something? 🙂 |
If the host or user puts a secret in description it may contain a secret.
I am not talking about attacks per se. But generally yes, removing description hash check somehow makes protocol less secure if you mean some information provided via description off band.
The point of channel opening example is that there is a payment amount that is fixed in BOLT11 against description with hash. It may prevent something only when wallet does checks. And when it does and something is wrong, the wallet user may prove it otherwise she couldn't. Thanks for the link. Looks like LNURL withdraw scheme.
Well, this is the point of hashes. They should match on the background. I believe LN is capable to facilitate smart contracts logic on top, this PR moves it in entirely opposite direction making LNURL less capable and less "smart". |
16 participants
This PR removes the
description_hashrequirement in LUD06 and LUD18.Background
LNURL-pay requires the
SERVERto provide an invoice with a specificdescription_hash(metadatain LUD06, andmetadata+payerDatain LUD18).WALLETis then supposed to verify that the invoice it receives indeed has thisdescription_hash.Rationale
If I understand correctly, the original intention of this is to make the server commit to the receiver (or receiver+payer) identities. Practically, this doesn't really improve anything: If there was a MITM changing the invoice, they could do so since neither of the data committed to is secret. If the server itself is malicious, they could fake everything as they wish anyway.
Implementing this (possibly redundant) feature is also the biggest challenge when implementing LNURL-pay.
This will also once and for all solve all the issues we have had for years dealing with CLN's requirement to provide the entire description at invoice creation.
I propose to drop this requirement, starting with removing the check
WALLETperforms on the invoice received in the second LNURL-p response.SERVER's who don't want to upgrade, can remain as is.Progress
Supported
Unclear
(please report PRs or test results for more wallets)