You have reached the BTC Piñata.


BTC Piñata knows the private key to the bitcoin address 183XuXTTgnfYfKcHbJ4sZeF46a49Fnihdh. If you break the Piñata, you get to keep what's inside.

Here are the rules of the game:

And here's the kicker: in both the client and server roles, Piñata requires the other end to present a certificate. Authentication is performed using standard path validation with a single certificate as the trust anchor. And no, you can't have the certificate key.

It follows that it should be impossible to successfully establish a TLS connection as long as Piñata is working properly. To get the spoils, you have to smash it.

Before you ask: yes, Piñata will talk to itself and you can enjoy watching it do so.


BTC Piñata is a MirageOS unikernel using not quite so broken software. It is written in OCaml, runs directly on Xen, and is using native OCaml TLS and X.509 implementations.

The full list of installed software and a toy unikernel without secrets are available. There is no need to use the old automated tools on Piñata - roll your own instead. This challenge runs until the above address no longer contains the 10 bitcoins it started with, or until we lose interest.

Why are we doing this? At the beginning of 2014 we started to develop a not quite so broken TLS implementation from scratch. You can read more about it on https://nqsb.io or watch our 31c3 talk about it. Now, we want to boost our confidence in the TLS implementation we've developed and show that robust systems software can be written in a functional language. We recapitulated the first five months of the Piñata.

We are well aware that bounties can only disprove the security of a system, and never prove it. We won't take home the message that we are 'unbreakable', 'correct', and especially not 'secure'. But we don't rely on obscurity and have a fully transparent implementation of a well-known protocol. Our prize is publicly observable in the blockchain. If you observe a transaction, it is taken. So if this contest attracts attention and we are still standing at the end of it, we will gain that extra inch of confidence in our work.

This page is also available via HTTPS. It will present a certificate signed by the same authority that Piñata expects to sign all of the incoming requests, so your browser will complain. The purpose of HTTPS is to allow checking of interoperability with our TLS implementation.


Bitcoins and the hosting for this challenge are sponsored by IPredator, a friendly virtual private network provider!

If you have any results or further questions, don't hesitate to contact us. Address is anything at nqsb dot io.


This is the CA:
