
Bitcoin over Tor isn't a good idea - Anon84
http://arxiv.org/abs/1410.6079
======
chatmasta
I researched TorCoin. I feel like I know a fair amount about Tor and BitCoin.

What worries me most about Tor is that people do not realize how trivially an
exit relay can MITM your traffic. The value proposition of Tor is NOT keeping
all your traffic safe. It's _anonymizing_ your traffic from end to end, so
that nobody who sees your data knows both where it came from and where it's
going. They can still see the data itself.

For all intents and purposes, traffic from Exit -> Internet is plaintext. The
relay operator can MITM it. Tor is only safer than a VPN or proxy because the
exit relay does not know your _identity_. It can still access the data you
transfer through it. [4]

Anyone can start a Tor exit relay, and setting up a MITM proxy on it is
trivial. Siphoning bitcoin transactions is equally trivial. Just listen for
the proper traffic patterns.

You should not be transferring any business-critical data over Tor. It's a
great tool for protecting your identity, but not your data.

With HTTPS, you're relatively safer, since you'll get an alert if a relay is
MITM'ing you and modifying the certificate. But with plain HTTP, you won't
even know when you're getting MITM'd.

More Resources:

[1] [http://security.stackexchange.com/questions/34804/how-
safe-i...](http://security.stackexchange.com/questions/34804/how-safe-is-tor-
from-mitm-snooping-attacks)

[2]
[https://blog.torproject.org/category/tags/mitm](https://blog.torproject.org/category/tags/mitm)
(includes links to research papers)

[3]
[https://www.petsymposium.org/2014/papers/Winter.pdf](https://www.petsymposium.org/2014/papers/Winter.pdf)

[4] Emphasis on "for all intents and purposes." Not a true statement
universally.

~~~
firepacket
Siphoning bitcoin transactions is not trivial.

Transactions need to be signed by the holder of the private key to the inputs.
A MITM attacker still does not have access to any keys.

If it was that easy, bitcoin would be worthless.

~~~
chatmasta
You're right. Let me clarify:

I'm not worried about the transactions themselves, as they appear on the
blockchain. What worries me is the "meta transactions", if you will. The
Bitcoin ecosystem is full of off-blockchain transactions. For example, mining
pools use their own communication mechanisms, which the BGP attack this summer
exploited. Also, dozens of exchanges, marketplaces, and services rely on HTTP
API's for transacting. Even if the blockchain is not vulnerable, the external
transactions that reference it certainly could be.

Imagine how many "send X bitcoin from wallet Y to wallet Z" requests route
over HTTP. Quite a few.

So yeah, not "trivial" as I said. But certainly not impossible.

(Welcome to HN! I'm glad my mistake brought you out of the woodwork.)

~~~
firepacket
Thanks. Yes, I somewhat agree with your clarification.

And to further your point, it appears this guy
([https://www.reddit.com/r/Bitcoin/comments/2k38ta/my_wallet_w...](https://www.reddit.com/r/Bitcoin/comments/2k38ta/my_wallet_was_just_emptied_stolen_but_i_dont_know/))
just got his coins stolen by using blockchain.info over TOR.

However, I still believe nothing is fundamentally broken. Any important
protocol should be using SSL - especially when operating over TOR. Lapses like
this are still simply user error.

------
resolutionx
" Many of these details do not appear in any speciﬁcations and were obtained
by a careful analysis of the corresponding source code. This is especially
true for Bitcoin for which there exists no ofﬁcial documentation except for
the original white paper [14] and Bitcoin Wiki[3]."

Well that seems a bit odd.

~~~
patio11
You have no idea how deep that rabbit hole goes. Bitcoin Core is referred to
as a "reference implementation", which means "you should implement all bugs
referenced by Bitcoin Core in transaction verification, or you have your
choice of being kicked off the Bitcoin consensus immediately, which is bad, or
at any point of an attacker's choosing, which is catastrophic."

~~~
3pt14159
That's the way a blockchain works though. If there is a bug in the client that
99% of people use then of course you'll have forking blockchains. And all of
this matters less anyway, because clients can fallback to blockchain.info if
there is a fork detected, and just warn the user that the client may have a
bug.

~~~
kanzure
> because clients can fallback to blockchain.info if there is a fork detected

Unfortunately bc.i's implementation/instance is not immune to bugs, forking,
lying or collusion. I don't know why you would expect it to be.

~~~
3pt14159
The point is that it is a trusted enough party. If the client gets a
suspicious block it can check against that party as a way of seeing if the
client itself may have a bug.

------
s_q_b
Tor and Bitcoin hide fundamentally _different things_ in their pseudonymity
specs. It's like people think Tor is magic anonymity peanut butter they can
spread on whichever project they wish.

~~~
exo762
In fact Bitcoin design does not contain elements hinting that anonymity was
ever a goal. People using Bitcoin over Tor might just want to circumvent
censorship aka Tor as glorified proxy.

~~~
s_q_b
Right, but it doesn't work. That's the whole point of the article. Tor+random
app usually equals massive vulnerability.

I should add I learned that the hard way trying to integrate Tor with
OpenBazaar.

What might be fun is stenography over the Tor protocol. Anybody interested?

~~~
selimthegrim
There is a project that uses stenography to hide the Tor protocol from
inspection. I need to tie up a few loose ends to some of my branches for it (I
am not the originator, just a contributor) but have gotten caught up in
schoolwork these last few months. Any assistance is appreciated!

[0]
[https://github.com/TheTorProject/stegotorus](https://github.com/TheTorProject/stegotorus)
[1] [https://github.com/SRI-CSL/stegotorus](https://github.com/SRI-
CSL/stegotorus)

~~~
s_q_b
Cool, I'll check it out. I was thinking more along the lines of hiding
messages in the Tor protocol itself, rather than hiding Tor traffic (which is
desperately needed.)

------
nhaehnle
This is interesting in that it highlights a number of problems that _every_
peer-to-peer network that wishes to use something like Tor for privacy needs
to take into account.

I also wasn't aware that Tor hidden services can be "blackholed" so easily (it
sounds like this is probably well known to regular Tor users, though).

------
handsomeransoms
This reminds me of the recent (~2 months ago) addition of a new, very fast Tor
relay (faster than any other relay at the time) that only relayed Bitcoin
traffice [0].

Wonder if that has anything to do with this research, or if someone else has
independently arrived at the same result?

[0]
[http://www.reddit.com/r/Bitcoin/comments/2bwds2/what_does_th...](http://www.reddit.com/r/Bitcoin/comments/2bwds2/what_does_the_worlds_fastest_tor_node_have_to_do/)

------
runeks
> [...] control which Bitcoin blocks and transactions are relayed to the user
> and can delay or discard user’s transactions and blocks.

Bear in mind that we can detect when a node does this, by monitoring it, and
measuring whether blocks or transactions are withheld, kind of like in this
paper:
[http://www.cs.kau.se/philwint/spoiled_onions/techreport.pdf](http://www.cs.kau.se/philwint/spoiled_onions/techreport.pdf)

------
higherpurpose
Is Matthew Green & team's ZeroCash still getting an implementation?

------
Tangokat
So what are the choices for people in oppressed countries? Use an altcoin or
just hope that nobody implements this attack?

------
andrelayer
This is why something like Darkcoin should exist. It fixes one of Bitcoin's
biggest issues, anonymity.

------
fsiefken
For a better way of pseudonymity check darkcoin and it's masternode network.

