How secure is calling bitcoind JSON-RPC?

9

3

How secure is calling bitcoind through a JSON-RPC? For example, if I run it on one of my computers, and try calling it from another computer (provided neither of them are compromised), can someone intercept my communication and gain my RPC username and password?

ThePiachu

Posted 2012-01-19T21:54:19.787

Reputation: 41 594

Answers

10

Yes, they can. Unless you enable RPC-over-SSL, the username and password are sent Base64 encoded as a header in the HTTP request, which is easily decoded.

David Schwartz

Posted 2012-01-19T21:54:19.787

Reputation: 46 931

1

https://en.bitcoin.it/wiki/Enabling_SSL_on_original_client_daemon provides a guide to setting up RPC-over-SSL but I couldn't get it to work for me. I was trying to run a "bitcoin-qt -server" and access it using RPC-over-SSL from another host on the LAN. I could access it from the host it was running on, but not remotely. I added a suitable "-rpcallowip=" flag, and -rpcssl=1, but was probably doing something wrong.

Chris Moore 2012-02-12T05:13:30.590

4

Here is how you get RPC SSL to work...

rpcssl=1

Now here is the secret...

Your server.key and server.cert must be placed inside your /bitcoin/testnet folder, or in my case /bitcoin/testnet3 folder.

In my case I have a server.pem file instead of server.cert, a chained security certificate file.

indospace.io

Posted 2012-01-19T21:54:19.787

Reputation: 141

2

While this may be helpful information, this doesn't seem to address the question "How secure is calling bitcoind's JSON-RPC?".

Murch 2015-05-30T11:48:09.647
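The two answers above make two separate points: David Schwartz's that without rpcssl the credentials travel as an HTTP Basic header (Base64 is an encoding, not encryption), and indospace.io's that rpcssl=1 only helps once the certificate and key files sit in the network-specific data directory. The script below is an added example, not code from this thread or from the Bitcoin project. It builds a constructed JSON-RPC request to show what a client puts on the wire, recovers the credentials from it the way a defender checking a packet capture of their own LAN would, and then audits a constructed bitcoin.conf fragment for the combination that exposes the password (rpcallowip reaching beyond loopback with rpcssl off) and for the missing certificate/key files. The host address, user name, password, config values and datadir path are all made up; the file names checked are the ones the answer mentions (server.cert, server.key, server.pem).

```python
import base64
import os
from ipaddress import ip_network

# Constructed bitcoin.conf fragment for this example; not from any real node.
SAMPLE_CONF = """
# rpc settings (constructed sample)
server=1
rpcuser=exampleuser
rpcpassword=examplepass
rpcallowip=127.0.0.1
rpcallowip=192.168.1.*
"""


def build_sample_request(user: str, password: str) -> str:
    """Return a constructed JSON-RPC request as a client sends it without rpcssl.

    The credentials ride in an HTTP Basic header, which is plain Base64 text.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return (
        "POST / HTTP/1.1\r\n"
        "Host: 192.0.2.10:8332\r\n"  # constructed documentation address
        f"Authorization: Basic {token}\r\n"
        "Content-Type: application/json\r\n"
        "\r\n"
        '{"jsonrpc": "1.0", "id": "1", "method": "getinfo", "params": []}'
    )


def credentials_from_request(raw: str):
    """Recover (user, password) from a captured cleartext request, or None.

    A defender runs this over a capture of their own traffic to confirm whether
    the RPC credentials are readable on the wire.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        user, _, password = base64.b64decode(token).decode().partition(":")
        return user, password
    return None


def parse_bitcoin_conf(text: str) -> dict:
    """Parse key=value lines; repeated keys such as rpcallowip accumulate."""
    conf: dict = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def _allow_scope(entry: str) -> str:
    """Classify an rpcallowip entry as 'loopback', 'remote' or 'everyone'."""
    if entry == "*":
        return "everyone"
    try:
        net = ip_network(entry, strict=False)
    except ValueError:
        return "remote"  # old wildcard syntax such as 192.168.1.* names a LAN range
    if net.is_loopback:
        return "loopback"
    return "everyone" if net.prefixlen == 0 else "remote"


def audit_rpc_config(conf: dict, datadir: str, isfile=os.path.isfile) -> list:
    """Return findings about how the RPC credentials would travel for this config.

    datadir is the network-specific data directory (e.g. .../testnet3 on
    testnet), where the answer above says the certificate and key must live.
    isfile is injectable so the audit can be tested without a real datadir.
    """
    findings = []
    ssl_on = conf.get("rpcssl", ["0"])[-1] == "1"
    scopes = {a: _allow_scope(a) for a in conf.get("rpcallowip", [])}
    remote = [a for a, s in scopes.items() if s != "loopback"]
    if remote and not ssl_on:
        findings.append(
            f"CLEARTEXT: rpcallowip admits {', '.join(remote)} but rpcssl is off; "
            "the Basic auth header crosses the network readable by anyone on the path"
        )
    if "everyone" in scopes.values():
        findings.append("WIDE_OPEN: rpcallowip accepts connections from any address")
    if ssl_on:
        # Per the answer above, both files must be present in datadir for TLS to work.
        for role, names in (("certificate", ("server.cert", "server.pem")),
                            ("private key", ("server.key", "server.pem"))):
            if not any(isfile(os.path.join(datadir, n)) for n in names):
                findings.append(f"MISSING_TLS_FILE: no {role} ({' or '.join(names)}) in {datadir}")
    return findings


if __name__ == "__main__":
    request = build_sample_request("exampleuser", "examplepass")
    print("credentials readable on the wire:", credentials_from_request(request))
    for finding in audit_rpc_config(parse_bitcoin_conf(SAMPLE_CONF), "/var/lib/bitcoin/testnet3"):
        print(finding)
```

Run against the constructed config the audit reports one CLEARTEXT finding, because 192.168.1.* admits LAN clients while rpcssl is unset; adding rpcssl=1 without the files turns that into two MISSING_TLS_FILE findings, which is the situation the second answer calls "the secret". One caveat for anyone reading this thread today: Bitcoin Core dropped the built-in rpcssl option in 0.12, so on current versions the rpcssl branch of this audit no longer applies and the RPC port has to be wrapped in an SSH tunnel or a TLS proxy instead; the Base64 point about the Basic header is unchanged.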