You have reached the BTC Piñata.


BTC Piñata knows the private key to the bitcoin address 183XuXTTgnfYfKcHbJ4sZeF46a49Fnihdh. If you break the Piñata, you get to keep what's inside.

Here are the rules of the game:

And here's the kicker: in both the client and server roles, Piñata requires the other end to present a certificate. Authentication is performed using standard path validation with a single certificate as the trust anchor. And no, you can't have the certificate key.

It follows that it should be impossible to successfully establish a TLS connection as long as Piñata is working properly. To get the spoils, you have to smash it.

Before you ask: yes, Piñata will talk to itself and you can enjoy watching it do so.


BTC Piñata is a MirageOS unikernel using not quite so broken software. It is written in OCaml, runs directly on Xen, and uses native OCaml TLS and X.509 implementations.

The full list of installed software and a toy unikernel without secrets are available. There is no need to use the old automated tools on Piñata - roll your own instead. This challenge runs until the above address no longer contains the 10 bitcoins it started with, or until we lose interest.

Why are we doing this? At the beginning of 2014 we started to develop a not quite so broken TLS implementation from scratch. You can read more about it on https://nqsb.io or watch our 31c3 talk about it. Now, we want to boost our confidence in the TLS implementation we've developed and show that robust systems software can be written in a functional language. We recapitulated the first five months of the Piñata.

We are well aware that bounties can only disprove the security of a system, and never prove it. We won't take home the message that we are 'unbreakable', 'correct', and especially not 'secure'. But we don't rely on obscurity and have a fully transparent implementation of a well-known protocol. Our prize is publicly observable in the blockchain. If you observe a transaction, it is taken. So if this contest attracts attention and we are still standing at the end of it, we will gain that extra inch of confidence in our work.

This page is also available via HTTPS. It will present a certificate signed by the same authority that Piñata expects to sign all of the incoming requests, so your browser will complain. The purpose of HTTPS is to allow checking of interoperability with our TLS implementation.


Bitcoins and the hosting for this challenge are sponsored by IPredator, a friendly virtual private network provider!

If you have any results or further questions, don't hesitate to contact us. Address is anything at nqsb dot io.


This is the CA:
