Sender: Bazyli Zygan <bazyli@314t.com>
Date: Tue, 30 Jul 2013 14:01:39 +0200
From: Bazyli Zygan <b@grabhive.com>
To: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Message-ID: <FB36762E8B574F7AAB7D25618841CF01@grabhive.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="51f7ab23_532c34a5_c6"
Subject: [Bitcoin-development] Tor and Bitcoin
Precedence: list

--51f7ab23_532c34a5_c6
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Hi everyone,

We at Hive had plans to make our wallet proxy through Tor by default. When it became apparent that this was not presently possible because bitcoinj lacks SOCKS support, it opened a minor discussion suggesting that this is perhaps not advisable practice for SPV wallets in the first place. To quote Mike Hearn:

> I think you have to be careful with Tor and Bitcoin. It isn't a no-brainer move. Virtually all people today don't have hacked internet connections. However when you connect outbound from Tor you have to pretty much assume your traffic is being packet logged and sometimes automatically MITMd by exit nodes, which in turn means you can be transparently connected to a sybil network. If you connect to a hidden service the issue is less problematic because you're authenticating the connection and can pick peers you have reason to believe are independent.
> 
> Whilst it's unlikely an attacker would actually try to auto-sybil SPV connections made out of a Tor exit node, if they did, they could make the person connecting out believe in fake pending/unconfirmed transactions. For instance if you're meeting with someone to do a currency trade and you happen to run an exit node that has a lot of bandwidth and an exit policy that allows only Bitcoin, there's a chance the other persons Tor client will pick your exit. You can then swap the cash, give them a fake transaction and when it doesn't confirm, apologise and say you can't wait and have to go. Walk out with the cash and it'll take a while for the victim to realize that the transaction never did actually get broadcast at all, it was just an illusion.
> 
> (this scenario worries me for mobile clients but instead of tor, the issue is an attacker controlled open wifi hotspot).
> 
> I think to support Tor really well [in bitcoinj], we'd need not only to make SOCKS work, but also add a way to use hidden peers and then try and come up with an anti-sybil heuristic. Unfortunately it's unclear what such a heuristic would look like. Bitcoin-Qt uses different /16s as a rule of thumb when on the clearnet, but no such technique is usable on Tor because by definition you aren't supposed to know anything about the hidden peers.

While the scenario outlined seems unlikely, it's best to be prepared... What do you all think? How can this be done properly?

As we said to Mike, if Thailand has actually made Bitcoin illegal, then packet filtering may not be far off for certain regions, and it would nice to be proactive and prepared. At the moment, Thailand already has cruder, URL-based filtering... But vendors like Cisco are no doubt constantly selling them on the virtues of more advanced censorship technologies.

Gregory Maxwell is the person who wrote the hidden service support for bitcoind, right? It might be interesting to get his comments here. 

/b

grabhive.com (http://grabhive.com) | twitter.com/grabhive (http://twitter.com/grabhive) | gpg: A1D5047E


--51f7ab23_532c34a5_c6
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline


                <div>
                    <span style=3D=22font-size: 13px; =22>Hi everyone,</s=
pan><br style=3D=22font-size: 13px; =22><br style=3D=22font-size: 13px; =22=
><span style=3D=22font-size: 13px; =22>We at Hive had plans to make our w=
allet proxy through Tor by default. When it became apparent that this was=
 not presently possible because bitcoinj lacks SOCKS support, it opened a=
 minor discussion suggesting that this is perhaps not advisable practice =
for SPV wallets in the first place. To quote Mike Hearn:</span><br style=3D=
=22font-size: 13px; =22><br style=3D=22font-size: 13px; =22><blockquote t=
ype=3D=22cite=22 style=3D=22font-size: 13px; =22>I think you have to be c=
areful with Tor and Bitcoin. It isn't a no-brainer move. Virtually all pe=
ople today don't have hacked internet connections. However when you conne=
ct outbound from Tor you have to pretty much assume your traffic is being=
 packet logged and sometimes automatically MITMd by exit nodes, which in =
turn means you can be transparently connected to a sybil network. If you =
connect to a hidden service the issue is less problematic because you're =
authenticating the connection and can pick peers you have reason to belie=
ve are independent.<br><br>Whilst it's unlikely an attacker would actuall=
y try to auto-sybil SPV connections made out of a Tor exit node, if they =
did, they could make the person connecting out believe in fake pending/un=
confirmed transactions. =46or instance if you're meeting with someone to =
do a currency trade and you happen to run an exit node that has a lot of =
bandwidth and an exit policy that allows only Bitcoin, there's a chance t=
he other persons Tor client will pick your exit. You can then swap the ca=
sh, give them a fake transaction and when it doesn't confirm, apologise a=
nd say you can't wait and have to go. Walk out with the cash and it'll ta=
ke a while for the victim to realize that the transaction never did actua=
lly get broadcast at all, it was just an illusion.<br><br>(this scenario =
worries me for mobile clients but instead of tor, the issue is an attacke=
r controlled open wifi hotspot).<br><br>I think to support Tor really wel=
l =5Bin bitcoinj=5D, we'd need not only to make SOCKS work, but also add =
a way to use hidden peers and then try and come up with an anti-sybil heu=
ristic. Unfortunately it's unclear what such a heuristic would look like.=
 Bitcoin-Qt uses different /16s as a rule of thumb when on the clearnet, =
but no such technique is usable on Tor because by definition you aren't s=
upposed to know anything about the hidden peers.<br></blockquote><br styl=
e=3D=22font-size: 13px; =22><span style=3D=22font-size: 13px; =22>While t=
he scenario outlined seems unlikely, it's best to be prepared... What do =
you all think=3F How can this be done properly=3F</span><br style=3D=22fo=
nt-size: 13px; =22><br style=3D=22font-size: 13px; =22><span style=3D=22f=
ont-size: 13px; =22>As we said to Mike, if Thailand has actually made Bit=
coin illegal, then packet filtering may not be far off for certain region=
s, and it would nice to be proactive and prepared. At the moment, Thailan=
d already has cruder, URL-based filtering... But vendors like Cisco are n=
o doubt constantly selling them on the virtues of more advanced censorshi=
p technologies.</span><br style=3D=22font-size: 13px; =22><br style=3D=22=
font-size: 13px; =22><span style=3D=22font-size: 13px; =22>Gregory Maxwel=
l is the person who wrote the hidden service support for bitcoind, right=3F=
 It might be interesting to get his comments here.</span>
                </div>
                <div><div><br></div><div>/b</div><div><br></div><div><a h=
ref=3D=22http://grabhive.com=22 style=3D=22color: rgb(0, 106, 227); backg=
round-color: rgb(255, 255, 255); =22>grabhive.com</a><span style=3D=22bac=
kground-color: rgb(255, 255, 255); =22>&nbsp;=7C&nbsp;</span><a href=3D=22=
http://twitter.com/grabhive=22 style=3D=22color: rgb(0, 106, 227); backgr=
ound-color: rgb(255, 255, 255); =22>twitter.com/grabhive</a><span style=3D=
=22background-color: rgb(255, 255, 255); font-size: 10pt; =22>&nbsp;=7C&n=
bsp;</span><span style=3D=22font-size: 13px; =22>gpg: A1D5047E</span></di=
v><div><br></div></div>
            
--51f7ab23_532c34a5_c6--