Ethereum: Ending support for RPC-cookie authentication
An update to the Ethereum protocol specifically designed for local Bitcoin Core (BTC) instances has recently been released. As part of this change, the configuration parameters “rpcuser” and “rpcpassword” were deprecated.
Why did the changes happen?
The Ethereum team discovered a security vulnerability related to the use of cookie-based authentication for RPC connections. In older versions of BTC, these legacy settings allowed users to access their accounts without verifying their identity by asking for a password. This made unauthorized access to, or modification of, user credentials easier.
However, the security and reliability of the Ethereum ecosystem have improved significantly in recent years. The team considered this vulnerability insignificant and decided to switch to more secure authentication methods.
What does this mean for users?
From now on, all locally running Bitcoin Core instances will be configured to use cookie-based authentication by default. This means that if you are currently using the outdated “rpcuser” and “rpcpassword” settings, you need to update the configuration or switch to another authentication method.
What are the implications for users?
As part of this change, some locally running instances may decide to drop existing RPC connections (rpcuser) in favor of cookie-based authentication. In some cases, these instances can be replaced by new, more secure nodes that use a cookie-based authentication protocol.
Note that this change only affects locally running Bitcoin Core instances, not online wallets or other Ethereum applications that use RPC connections for remote access.
What can you do?
If you are using a local instance of BTC, it is recommended that you update your configuration to use cookie-based authentication by default. This may require:
- Updating the rpcuser and rpcpassword settings in the configuration file.
- If necessary, switching to another authentication method.
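The following shell script is an added example, not code from the original post or from any client project, of what "updating the rpcuser and rpcpassword settings" looks like in practice for a local Bitcoin Core node. It audits a bitcoin.conf for the legacy plaintext credential lines and writes a hardened copy with those lines commented out; with neither setting present, Bitcoin Core generates a random cookie file in its data directory at startup and uses it to authenticate local RPC clients. The sample configuration is constructed for the example; the file paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Bitcoin Core bitcoin.conf
# for the legacy rpcuser/rpcpassword settings and write a hardened copy with
# them commented out, so the node falls back to cookie-based RPC authentication.
# Assumption: with no rpcuser/rpcpassword configured, Bitcoin Core creates a
# .cookie file in its data directory that local RPC clients read instead.

# Constructed sample config with the weak plaintext settings (not a real node's).
write_sample_conf() {
    cat > "$1" <<'EOF'
server=1
rpcuser=alice
rpcpassword=hunter2
rpcallowip=127.0.0.1
EOF
}

# Exit status 0 if the file still carries legacy credentials, 1 otherwise.
has_legacy_rpc_creds() {
    grep -Eq '^[[:space:]]*rpc(user|password)=' "$1"
}

# Write a hardened copy: legacy credential lines are commented out with a note,
# every other setting is kept verbatim.
harden_conf() {
    sed -E 's/^([[:space:]]*rpc(user|password)=)/# disabled, use cookie auth: \1/' "$1" > "$2"
}

# Usage: sh rpc_conf_audit.sh /path/to/bitcoin.conf /path/to/bitcoin.hardened.conf
if [ "$#" -eq 2 ]; then
    if has_legacy_rpc_creds "$1"; then
        harden_conf "$1" "$2"
        echo "legacy rpcuser/rpcpassword found in $1; hardened copy written to $2"
    else
        echo "no legacy RPC credentials in $1"
    fi
fi
```

Commenting the lines out rather than deleting them keeps the history of what was configured visible to whoever reviews the file next, while the grep pattern anchors on the start of the line so already-commented entries are not reported as live settings.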
For online wallets or other Ethereum applications that use RPC connections, it is extremely important to ensure that they are using the latest version of the Ethereum client software. Additionally, users should exercise caution when using unverified or weak passwords for their accounts and consider implementing additional security measures to protect their assets.
Appendix
The removal of the “rpcuser” and “rpcpassword” configuration parameters in Bitcoin Core marks an important step forward in improving the security of this ecosystem. While this may require some setup, users can rely on the Ethereum team’s commitment to protecting their assets and providing a secure user experience.