Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id B18E47AA for ; Wed, 19 Aug 2015 01:08:03 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-ig0-f176.google.com (mail-ig0-f176.google.com [209.85.213.176]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 4566811E for ; Wed, 19 Aug 2015 01:08:01 +0000 (UTC) Received: by igui7 with SMTP id i7so96744787igu.1 for ; Tue, 18 Aug 2015 18:08:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=O+hfscyTaFAPpLSILCfBaVDra9cYt9izAccXnDCVE3A=; b=CScdHJtE2OJebIHuhxmZSr51Z/UQWVN3LwHWdxZbbJEkYCpVeWw6FF3fmd3+eaYIV3 pcw5krM9dqhRJf6Ex4XTGjf4RrmIZocLcdpCOQHk1TkB+Pur52j3vxj+Dq/n2GaIcE9x 73ewtazlV3nEQzxPMr2tTwfiHq1RKp2QAgyLT4pZ7Vtaph2skRTClR1JDPNkVIKWOyKH ItldRM/JgZTXxIePFOhSJWZNau8X0i/2atJAB68DJJzu5woFd5fpfYFp1e8z5JvuUH6k uQNOSxevAs9r24FRFCreNTJ2Z1WGPWwYYONJZdlFkAZ8uArQZOzyvJxTRNT9t5DpSV15 ABFw== MIME-Version: 1.0 X-Received: by 10.50.79.196 with SMTP id l4mr24142207igx.48.1439946481159; Tue, 18 Aug 2015 18:08:01 -0700 (PDT) Received: by 10.36.208.206 with HTTP; Tue, 18 Aug 2015 18:08:01 -0700 (PDT) Date: Tue, 18 Aug 2015 21:08:01 -0400 Message-ID: From: Christophe Biocca To: bitcoin-dev@lists.linuxfoundation.org Content-Type: text/plain; charset=UTF-8 X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, RCVD_IN_DNSWL_LOW autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: [bitcoin-dev] Bitcoin XTs Tor IP blacklist downloading system has significant privacy leaks. X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Development Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 19 Aug 2015 01:08:03 -0000 So I checked, and the code described *does not* run when behind a proxy of any kind, including tor: https://github.com/bitcoinxt/bitcoinxt/commit/73c9efe74c5cc8faea9c2b2c785a2f5b68aa4c23#diff-11780fa178b655146cb414161c635219R265 At least based on my admittedly weak understanding of how the internal works. Hopefully I save the next reader of your post from also having to dig around to find the code and realize this is a false alert. On Tue, Aug 18, 2015 at 6:36 PM F L via bitcoin-dev < bitcoin-dev at lists.linuxfoundation.org> wrote: > Bitcoin XT contains an unmentioned addition which periodically downloads > lists of Tor IP addresses for blacklisting, this has considerable privacy > implications for hapless users which are being prompted to use the > software. The feature is not clearly described, is enabled by default, and > has a switch name which intentionally downplays what it is doing > (disableipprio). Furthermore these claimed anti-DoS measures are trivially > bypassed and so offer absolutely no protection whatsoever. > > Connections are made over clearnet even when using a proxy or onlynet=tor, > which leaks connections on the P2P network with the real location of the > node. Knowledge of this traffic along with uptime metrics from > bitnodes.io can allow observers to easily correlate the location and > identity of persons running Bitcoin nodes. Denial of service can also be > used to crash and force a restart of an interesting node, which will cause > them to make a new request to the blacklist endpoint via the clearnet on > relaunch at the same time their P2P connections are made through a proxy. > Requests to the blacklisting URL also use a custom Bitcoin XT user agent > which makes users distinct from other internet traffic if you have access > to the endpoints logs. > > > > https://github.com/bitcoinxt/bitcoinxt/commit/73c9efe74c5cc8faea9c2b2c785a2f5b68aa4c23 > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev at lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >