Message-ID: <55D3C709.8010000@gmail.com>
Date: Tue, 18 Aug 2015 17:00:09 -0700
From: Patrick Strateman <patrick.strateman@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:31.0) Gecko/20100101 Icedove/31.8.0
MIME-Version: 1.0
To: bitcoin-dev@lists.linuxfoundation.org
References: <20150818233130.7A22815F000@c-in3ws--03-03.sv2.lotuslive.com>
In-Reply-To: <20150818233130.7A22815F000@c-in3ws--03-03.sv2.lotuslive.com>
Content-Type: multipart/alternative;
	boundary="------------010609020404070001020405"
Subject: Re: [bitcoin-dev] Bitcoin XTs Tor IP blacklist downloading system
 has significant privacy leaks.
Precedence: list

This is a multi-part message in MIME format.
--------------010609020404070001020405
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit

First of all I would like to say... LOL

Second Andrew LeCody is correct, this is off topic.

On 08/18/2015 04:31 PM, F L via bitcoin-dev wrote:
> Bitcoin XT contains an unmentioned addition which periodically
> downloads lists of Tor IP addresses for blacklisting, this has
> considerable privacy implications for hapless users which are being
> prompted to use the software.  The feature is not clearly described,
> is enabled by default, and has a switch name which intentionally
> downplays what it is doing (disableipprio).  Furthermore these claimed
> anti-DoS measures are trivially bypassed and so offer absolutely no
> protection whatsoever.
>
> Connections are made over clearnet even when using a proxy or
> onlynet=tor, which leaks connections on the P2P network with the real
> location of the node.  Knowledge of this traffic along with uptime
> metrics from bitnodes.io can allow observers to easily correlate the
> location and identity of persons running Bitcoin nodes.  Denial of
> service can also be used to crash and force a restart of an
> interesting node, which will cause them to make a new request to the
> blacklist endpoint via the clearnet on relaunch at the same time their
> P2P connections are made through a proxy.  Requests to the
> blacklisting URL also use a custom Bitcoin XT user agent which makes
> users distinct from other internet traffic if you have access to the
> endpoints logs. 
>
>  
> https://github.com/bitcoinxt/bitcoinxt/commit/73c9efe74c5cc8faea9c2b2c785a2f5b68aa4c23
>
>
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev


--------------010609020404070001020405
Content-Type: text/html; charset=windows-1252
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    First of all I would like to say... LOL<br>
    <br>
    Second Andrew LeCody is correct, this is off topic.<br>
    <br>
    <div class="moz-cite-prefix">On 08/18/2015 04:31 PM, F L via
      bitcoin-dev wrote:<br>
    </div>
    <blockquote
      cite="mid:20150818233130.7A22815F000@c-in3ws--03-03.sv2.lotuslive.com"
      type="cite"><span style="font-family: Arial,Helvetica,sans-serif;">
        <div dir="ltr"> Bitcoin XT contains an unmentioned addition
          which periodically downloads lists of Tor IP addresses for
          blacklisting, this has considerable privacy implications for
          hapless users which are being prompted to use the software. 
          The feature is not clearly described, is enabled by default,
          and has a switch name which intentionally downplays what it is
          doing (disableipprio).  Furthermore these claimed anti-DoS
          measures are trivially bypassed and so offer absolutely no
          protection whatsoever.<br>
          <br>
          Connections are made over clearnet even when using a proxy or
          onlynet=tor, which leaks connections on the P2P network with
          the real location of the node.  Knowledge of this traffic
          along with uptime metrics from bitnodes.io can allow observers
          to easily correlate the location and identity of persons
          running Bitcoin nodes.  Denial of service can also be used to
          crash and force a restart of an interesting node, which will
          cause them to make a new request to the blacklist endpoint via
          the clearnet on relaunch at the same time their P2P
          connections are made through a proxy.  Requests to the
          blacklisting URL also use a custom Bitcoin XT user agent which
          makes users distinct from other internet traffic if you have
          access to the endpoints logs. </div>
        <div dir="ltr"> <br>
           </div>
        <div dir="ltr"> <a moz-do-not-send="true"
href="https://github.com/bitcoinxt/bitcoinxt/commit/73c9efe74c5cc8faea9c2b2c785a2f5b68aa4c23">https://github.com/bitcoinxt/bitcoinxt/commit/73c9efe74c5cc8faea9c2b2c785a2f5b68aa4c23</a></div>
      </span><br>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
bitcoin-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:bitcoin-dev@lists.linuxfoundation.org">bitcoin-dev@lists.linuxfoundation.org</a>
<a class="moz-txt-link-freetext" href="https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev">https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>

--------------010609020404070001020405--