You have reached the BTC Piñata.

BTC Piñata knows the private key to the bitcoin address 183XuXTTgnfYfKcHbJ4sZeF46a49Fnihdh. If you break the Piñata, you get to keep what's inside.

Here are the rules of the game:

You can connect to port 10000 using TLS. Piñata will send the key and hang up.

You can connect to port 10001 using TCP. Piñata will immediately close the connection and connect back over TLS to port 40001 on the initiating host, send the key, and hang up.

You can connect to port 10002 using TCP. Piñata will initiate a TLS handshake over that channel serving as a client, send the key over TLS, and hang up.

And here's the kicker: in both the client and server roles, Piñata requires the other end to present a certificate. Authentication is performed using standard path validation with a single certificate as the trust anchor. And no, you can't have the certificate key.

It follows that it should be impossible to successfully establish a TLS connection as long as Piñata is working properly. To get the spoils, you have to smash it.
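The authentication rule above, as an added example that is not part of the original page and is not Piñata's own code: it uses Go's `crypto/x509` rather than the OCaml stack, and every name (`issue`, `accepts`, `demo-anchor`, `peer`) and certificate in it is constructed for illustration. It shows that path validation against a single trust anchor depends on the anchor's key and not its name, so a certificate from a same-named CA or a self-signed certificate is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a throwaway certificate for cn; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *tls.Certificate) *tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// accepts reports whether peer chains to the single trust anchor: the path
// validation a TLS endpoint applies to the certificate its peer presents.
func accepts(anchor, peer *tls.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(anchor.Leaf)
	_, err := peer.Leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	anchor := issue("demo-anchor", true, nil)
	lookalike := issue("demo-anchor", true, nil) // same subject name, different key
	for _, signer := range []*tls.Certificate{anchor, lookalike, nil} {
		fmt.Println(accepts(anchor, issue("peer", false, signer))) // true, false, false
	}
}
```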

Before you ask: yes, Piñata will talk to itself and you can enjoy watching it do so.

BTC Piñata is a MirageOS unikernel using not quite so broken software. It is written in OCaml, runs directly on FreeBSD VMM (using Solo5), and uses native OCaml TLS and X.509 implementations.

The full list of installed software and a toy unikernel without secrets are available. There is no need to use the old automated tools on Piñata - roll your own instead. This challenge started in February 2015, and will run until the above address no longer contains the 10 bitcoins it started with, or until we lose interest. Update from March 2018: our donors transferred nearly all the bitcoins to other projects.

Why are we doing this? At the beginning of 2014 we started to develop a not quite so broken TLS implementation from scratch. You can read more about it on https://nqsb.io or watch our 31c3 talk about it. We want to boost our confidence in the TLS implementation we've developed and show that robust systems software can be written in a functional language. We recapitulated the first five months of the Piñata.

We are well aware that bounties can only disprove the security of a system, and never prove it. We won't take home the message that we are 'unbreakable', 'correct', and especially not 'secure'. But we don't rely on obscurity and have a fully transparent implementation of a well-known protocol. Our prize is publicly observable in the blockchain. If you observe a transaction, the prize has been taken. So if this contest attracts attention and we are still standing at the end of it, we will gain that extra inch of confidence in our work.

This page is also available via HTTPS. It will present a certificate signed by the same authority that Piñata expects to sign all of the incoming requests, so your browser will complain. The purpose of HTTPS is to allow checking of interoperability with our TLS implementation.

Bitcoins and the hosting for this challenge are sponsored by IPredator, a friendly virtual private network provider!

If you have any results or further questions, don't hesitate to contact us. The address is anything at nqsb dot io.

This is the CA:
