Discourage unsecured endpoint

1 files changed, 0 insertions, 4 deletions

diff --git a/bip-xxxx.mediawiki b/bip-xxxx.mediawiki
index b1fb4bd..31ecaa5 100644
--- a/bip-xxxx.mediawiki
+++ b/bip-xxxx.mediawiki
@@ -98,8 +98,6 @@ To ensure compatibility with web-wallets and browser-based-tools, all responses
 
 The sender must ensure that the url refers to a scheme or protocol using authenticated encryption, for example TLS with certificate validation, or a .onion link to a hidden service whose public key identifier has already been communicated via a TLS connection. Senders SHOULD NOT accept a url representing an unencrypted or unauthenticated connection.
 
-Unauthenticated transport is authorized, but [[#output-substitution|Output substitution]] should be disallowed in this case.
-
 ===Receiver's well known errors===
 
 If for some reason the receiver is unable to create a payjoin proposal, it will reply with a HTTP code different than 200.
@@ -282,8 +280,6 @@ On top of this the receiver can poison analysis by randomly faking a round amoun
 The receiver is free to change the output paying to himself.
 For example, if the sender's scriptPubKey type is P2WPKH while the receiver's payment output in the original PSBT is P2SH, then the receiver can substitute the payment output to be P2WPKH to match the sender's scriptPubKey type.
 
-Note that this MUST NOT be authorized over an unauthenticated payjoin endpoint such as http on clearnet, as a man-in-the-middle attacker could substitute with his own address.
-
 ===Impacted heuristics===
 
 Our proposal of payjoin is breaking the following blockchain heuristics: