Return-Path: <patrick.strateman@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 16C1087A
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 19 Aug 2015 00:00:12 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-pa0-f42.google.com (mail-pa0-f42.google.com
	[209.85.220.42])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id C79AA21D
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Wed, 19 Aug 2015 00:00:10 +0000 (UTC)
Received: by pawq9 with SMTP id q9so46205280paw.3
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Tue, 18 Aug 2015 17:00:10 -0700 (PDT)
X-Received: by 10.68.234.167 with SMTP id uf7mr18547438pbc.51.1439942410397;
	Tue, 18 Aug 2015 17:00:10 -0700 (PDT)
Received: from [10.41.5.126] (184-23-239-226.dedicated.static.sonic.net.
	[184.23.239.226]) by smtp.googlemail.com with ESMTPSA id
	ye2sm15505988pbb.88.2015.08.18.17.00.09
	for <bitcoin-dev@lists.linuxfoundation.org>
	(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 18 Aug 2015 17:00:09 -0700 (PDT)
Message-ID: <55D3C709.8010000@gmail.com>
Date: Tue, 18 Aug 2015 17:00:09 -0700
From: Patrick Strateman <patrick.strateman@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
	rv:31.0) Gecko/20100101 Icedove/31.8.0
MIME-Version: 1.0
To: bitcoin-dev@lists.linuxfoundation.org
References: <20150818233130.7A22815F000@c-in3ws--03-03.sv2.lotuslive.com>
In-Reply-To: <20150818233130.7A22815F000@c-in3ws--03-03.sv2.lotuslive.com>
Content-Type: multipart/alternative;
	boundary="------------010609020404070001020405"
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Subject: Re: [bitcoin-dev] Bitcoin XTs Tor IP blacklist downloading system
 has significant privacy leaks.
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Development Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2015 00:00:12 -0000

This is a multi-part message in MIME format.
--------------010609020404070001020405
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit

First of all I would like to say... LOL

Second Andrew LeCody is correct, this is off topic.

On 08/18/2015 04:31 PM, F L via bitcoin-dev wrote:
> Bitcoin XT contains an unmentioned addition which periodically
> downloads lists of Tor IP addresses for blacklisting, this has
> considerable privacy implications for hapless users which are being
> prompted to use the software.  The feature is not clearly described,
> is enabled by default, and has a switch name which intentionally
> downplays what it is doing (disableipprio).  Furthermore these claimed
> anti-DoS measures are trivially bypassed and so offer absolutely no
> protection whatsoever.
>
> Connections are made over clearnet even when using a proxy or
> onlynet=tor, which leaks connections on the P2P network with the real
> location of the node.  Knowledge of this traffic along with uptime
> metrics from bitnodes.io can allow observers to easily correlate the
> location and identity of persons running Bitcoin nodes.  Denial of
> service can also be used to crash and force a restart of an
> interesting node, which will cause them to make a new request to the
> blacklist endpoint via the clearnet on relaunch at the same time their
> P2P connections are made through a proxy.  Requests to the
> blacklisting URL also use a custom Bitcoin XT user agent which makes
> users distinct from other internet traffic if you have access to the
> endpoint's logs.
>
> https://github.com/bitcoinxt/bitcoinxt/commit/73c9efe74c5cc8faea9c2b2c785a2f5b68aa4c23


--------------010609020404070001020405--
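
The leak described in the quoted message is a connection that leaves the host directly while the node's P2P traffic goes through a proxy. As an added example (not part of the thread, and not Bitcoin XT code), this Python check reads socket listings in the shape printed by `ss -Htnp` and reports every connection owned by the node process whose peer is not the configured proxy. The sample lines, the process name `bitcoind`, the proxy address 127.0.0.1:9050 and the ignored local ports are assumptions.

```python
import re

# Constructed sample in the shape printed by `ss -Htnp`; addresses are documentation ranges.
SAMPLE = """\
ESTAB 0 0 127.0.0.1:48112 127.0.0.1:9050 users:(("bitcoind",pid=4242,fd=31))
ESTAB 0 0 127.0.0.1:48114 127.0.0.1:9050 users:(("bitcoind",pid=4242,fd=32))
ESTAB 0 0 127.0.0.1:8333 127.0.0.1:50110 users:(("bitcoind",pid=4242,fd=50))
ESTAB 0 0 192.0.2.10:51522 203.0.113.80:443 users:(("bitcoind",pid=4242,fd=40))
ESTAB 0 0 192.0.2.10:40022 198.51.100.5:22 users:(("ssh",pid=900,fd=3))
SYN-SENT 0 1 192.0.2.10:51530 203.0.113.80:80 users:(("bitcoind",pid=4242,fd=41))
LISTEN 0 128 127.0.0.1:8333 0.0.0.0:* users:(("bitcoind",pid=4242,fd=12))
"""

LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),'
)

def split_hostport(addr):
    """Split 'host:port' (or '[v6]:port') into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)

def proxy_bypasses(ss_output, process, proxy, ignore_local_ports=(8333, 8332)):
    """Return connections owned by `process` whose peer is not `proxy`.

    Sockets bound to `ignore_local_ports` (assumed here to be the node's own
    P2P and RPC listeners) are inbound and are skipped.
    """
    leaks = []
    for line in ss_output.splitlines():
        m = LINE.match(line.strip())
        if not m or m["proc"] != process or m["state"] == "LISTEN":
            continue
        if split_hostport(m["local"])[1] in ignore_local_ports:
            continue
        peer = split_hostport(m["peer"])
        if peer != proxy:
            leaks.append({"pid": int(m["pid"]), "state": m["state"], "peer": peer})
    return leaks

if __name__ == "__main__":
    for leak in proxy_bypasses(SAMPLE, "bitcoind", ("127.0.0.1", 9050)):
        print("not via proxy:", leak)
```

On the constructed sample the two direct connections to 203.0.113.80 are reported, while the proxied sockets, the inbound socket on the listener port and the unrelated `ssh` process are not.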