Security PSA: Ensure strong credentials in nu.conf if using RPC (server=1)


#1

Electrum versions 2.6–3.0.3 allow any website to access its API and transfer funds from your wallet if it is weakly protected. No password for your Electrum wallet means you can lose all funds to any website running JavaScript. Using a password means any website must guess or bruteforce the password before it can steal funds (or change Electrum settings).

Immediately close Electrum, then don’t panic. Download version 3.0.5, and make sure to verify it against the developer’s PGP signature (preferably one kept from before). https://electrum.org

NuBits Wallet

If you have enabled the JSON-RPC API by setting server=1 in nu.conf, you must make sure to use strong credentials for rpcuser= and rpcpassword=.

It’s easy to set insecure RPC credentials for local use and assume access from the internet won’t be allowed, or neglect the risk out of ignorance, perhaps in a hurry to get it to work and then forgetting about it.

The regular use that prompts enabling the RPC is controlling NuBits Wallet from a terminal shell with ./nud getinfo etc., and the wallet recommends strong credentials. You are only at risk if you set your own RPC password. Please use the password suggested by ./nud <command> when rpcpassword is not set in nu.conf.

Check RPC configuration for NuBits Wallet

  1. Close NuBits Wallet.
  2. Locate nu.conf as instructed at https://nubits.com/wallet-manual.
  3. Read nu.conf and look for the text: server=1
    a. If you need the RPC, make sure that rpcpassword= is set to a strong password.
    b. If you don’t need the RPC, and it’s enabled, remove server=1 from nu.conf.

API security

We are not certain of the entire impact, but have no reason to believe the NuBits Wallet RPC is insecure when used with a proper password. One concern is privacy, if a website can know you’re running the wallet.

Electrum’s issue is illustrated well by https://twitter.com/h43z/status/950141260521787392.

Electrum by default allowed access even for password-less wallets. NuBits Wallet requires user action to enable the RPC and recommends a secure password.
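An added example, not part of the original post or of the NuBits project: a Python script that performs the nu.conf check from the steps above, reporting whether server=1 is present and, if so, whether rpcpassword= is missing, weak or strong. The sample nu.conf contents, the 80-bit entropy threshold and the small common-password list are constructed assumptions; the parser only relies on the key=value layout of the server=, rpcuser= and rpcpassword= keys named in the post.

```python
"""Check a NuBits Wallet nu.conf for JSON-RPC (server=1) enabled with weak credentials."""
import math
import re
import sys

# Constructed sample configs (not a real user's nu.conf).
SAMPLE_WEAK = """\
# constructed nu.conf with an insecure RPC password
server=1
rpcuser=nubits
rpcpassword=password
"""

SAMPLE_STRONG = """\
server=1
rpcuser=nubits
rpcpassword=kR7vQ2pZ9mX4wL1nB6sT8yH3jF5dG0cE
"""

# Assumed thresholds; these are not values from the wallet itself.
MIN_ENTROPY_BITS = 80
COMMON_PASSWORDS = {"password", "123456", "nubits", "rpcpassword", "admin", "letmein"}


def parse_conf(text):
    """Parse key=value lines; '#' comments and blank lines are ignored, last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def entropy_bits(password):
    """Rough entropy estimate: length * log2(size of the character classes used)."""
    if not password:
        return 0.0
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(charset)


def check_conf(text):
    """Return {'rpc_enabled': bool, 'password_status': str, 'entropy_bits': float}.

    password_status is one of: disabled, missing, weak, strong.
    """
    conf = parse_conf(text)
    result = {"rpc_enabled": conf.get("server") == "1",
              "password_status": "disabled", "entropy_bits": 0.0}
    if not result["rpc_enabled"]:
        return result  # no JSON-RPC listener, nothing to protect
    password = conf.get("rpcpassword", "")
    if not password:
        result["password_status"] = "missing"  # let nud suggest one, as the post advises
        return result
    bits = entropy_bits(password)
    result["entropy_bits"] = bits
    if password.lower() in COMMON_PASSWORDS or bits < MIN_ENTROPY_BITS:
        result["password_status"] = "weak"
    else:
        result["password_status"] = "strong"
    return result


def main(argv):
    # Usage: python check_nu_conf.py /path/to/nu.conf  (defaults to the weak sample)
    path = argv[1] if len(argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_WEAK
    result = check_conf(text)
    if not result["rpc_enabled"]:
        print("server=1 not set: JSON-RPC is disabled.")
    else:
        print("JSON-RPC enabled; rpcpassword is %s (~%.0f bits)"
              % (result["password_status"], result["entropy_bits"]))
    return 0 if result["password_status"] in ("disabled", "strong") else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit code is non-zero whenever RPC is enabled without a strong password, so the script can be run from a shell alias before starting the wallet. The entropy estimate is deliberately crude (it assumes characters are chosen uniformly from the classes present), which is why the common-password list is checked first: a dictionary word scores the same as a random string of the same length and classes.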


#2

I suppose that a normal minter does not need “server=1” but can you confirm?


#3

If you use the Nu daemon as a GUI program just for minting, you won’t need to use server=1 in your conf file.
If you use a command line to type commands to interact with your Nu daemon, you will need server=1, as it enables the JSON-RPC interface and exposes the API detailed at https://nubits.com/api.


#4

Got it. Tks!


#5

btw what would be the max length of rpcpassword?


#6

It’s a C++ string so it will be system dependent (string.max_size()), but huge enough to not really worry about.
http://en.cppreference.com/w/cpp/string/basic_string/max_size