You have reached the BTC Piñata.
BTC Piñata knows the private key to the bitcoin address 183XuXTTgnfYfKcHbJ4sZeF46a49Fnihdh. If you break the Piñata, you get to keep what's inside.
Here are the rules of the game:
You can connect to port 10000 using TLS. Piñata will send the key and hang up.
You can connect to port 10001 using TCP. Piñata will immediately close the connection and connect back over TLS to port 40001 on the initiating host, send the key, and hang up.
You can connect to port 10002 using TCP. Piñata will initiate a TLS handshake over that channel serving as a client, send the key over TLS, and hang up.
And here's the kicker: in both the client and server roles, Piñata requires the other end to present a certificate. Authentication is performed using standard path validation with a single certificate as the trust anchor. And no, you can't have the certificate key.
It follows that it should be impossible to successfully establish a TLS connection as long as Piñata is working properly. To get the spoils, you have to smash it.
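The trust model in the rules above, path validation against a single certificate as the trust anchor, shown as an added Go example using the standard library; it is not Piñata's own code. The helpers `issue` and `validate` and the names "Example CA" and "peer" are constructed for illustration, and every key and certificate is generated on the fly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a constructed certificate for cn signed by parent, or a
// self-signed CA when parent is nil (hypothetical helper for this example).
func issue(cn string, parent *tls.Certificate) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent = &tls.Certificate{PrivateKey: key, Leaf: tmpl}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}
}

// validate runs path validation of peer against exactly one trust anchor,
// the check a TLS endpoint applies to the certificate the other end presents.
func validate(anchor, peer *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, lookalike := issue("Example CA", nil), issue("Example CA", nil)
	fmt.Println("issued by anchor:   ", validate(ca.Leaf, issue("peer", ca).Leaf))
	fmt.Println("issued by lookalike:", validate(ca.Leaf, issue("peer", lookalike).Leaf))
	fmt.Println("self-signed peer:   ", validate(ca.Leaf, issue("peer", nil).Leaf))
}
```

Only the certificate issued under the anchor's key validates; a CA that merely copies the anchor's name fails the signature check, which is why the anchor's private key is the one thing a peer would need.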
Before you ask: yes, Piñata will talk to itself and you can enjoy watching it do so.
The full list of installed software and a toy unikernel without secrets are available. There is no need to use the old automated tools on Piñata - roll your own instead. This challenge runs until the above address no longer contains the 10 bitcoins it started with, or until we lose interest.
Why are we doing this? At the beginning of 2014 we started to develop a not quite so broken TLS implementation from scratch. You can read more about it on https://nqsb.io or watch our 31c3 talk about it. Now, we want to boost our confidence in the TLS implementation we've developed and show that robust systems software can be written in a functional language. We recapitulated the first five months of the Piñata.
We are well aware that bounties can only disprove the security of a system, and never prove it. We won't take home the message that we are 'unbreakable', 'correct', and especially not 'secure'. But we don't rely on obscurity and have a fully transparent implementation of a well-known protocol. Our prize is publicly observable in the blockchain. If you observe a transaction, it is taken. So if this contest attracts attention and we are still standing at the end of it, we will gain that extra inch of confidence in our work.
This page is also available via HTTPS. It will present a certificate signed by the same authority that Piñata expects to sign all of the incoming requests, so your browser will complain. The purpose of HTTPS is to allow checking of interoperability with our TLS implementation.
Bitcoins and the hosting for this challenge are sponsored by IPredator, a friendly virtual private network provider!
If you have any results or further questions, don't hesitate to contact us. The address is anything at nqsb dot io.
This is the CA: