Ãyvind Saether: > http://arxiv.org/pdf/1410.6079v1.pdf > > "Abstract > âBitcoin is a decentralized P2P digital currency in which coins are > generated by a distributed set of miners and transaction are > broadcasted via a peer-to-peer network. While Bitcoin provides some > level of anonymity (or rather pseudonymity) by encouraging the users to > have any number of random-looking Bitcoin addresses, recent research > shows that this level of anonymity is rather low. This encourages users > to connect to the Bitcoin network through anonymizers like Tor and > motivates development of default Tor functionality for popular mobile > SPV clients. In this paper we show that combining Tor and Bitcoin > creates an attack vector for the deterministic and stealthy > man-in-the-middle attacks. A low-resource attacker can gain full > control of information flows between all users who chose to use Bitcoin > over Tor. In particular the attacker can link together userâs > transactions regardless of pseudonyms used, control which Bitcoin > blocks and transactions are relayed to the user and can delay or > discard userâs transactions and blocks. In collusion with a powerful > miner double-spending attacks become possible and a totally virtual > Bitcoin reality can be created for such set of users." > > Interesting quote: > > "Combining it with some peculiarities of how Tor handles data streams a > stealthy and low-resource attacker with just 1-3% of overall Tor Exit > bandwidth capacity and 1000-1500 cheap lightweight Bitcoin peers (for > example, a small Botnet) can force all Bitcoin Tor traffic to go either > through her Exit nodes or through her peers. This opens numerous attack > vectors." > > a) Does this paper hold water? b) What is the price of 1-3% of all Tor > Exit capacity and "1000-1500 cheap lightweight" Bitcoin peers? I skimmed this paper this morning, and the crux of the attack is the interplay of the Bitcoin DoS protection mechanisms and the limited supply of Tor Exit IPs. Basically, you cause most Bitcoin peers to end up deciding to ban all Tor Exit IPs except your exits, and then you are able to observe all Tor+Bitcoin users, and maybe even feed them divergent versions of the blockchain (assuming you can muster enough proof of work to hit the difficulty), or easier still: hide certain unconfirmed transactions. The amount of capacity you have basically governs how quickly you can expect clients to converge on your exit (after failing with all the other exits). The paper also points out that some Bitcoin clients were hoping to use Tor to obtain multiple network perspectives on unconfirmed transactions, to provide additional confidence that you can accept an unconfirmed transaction before it hits the blockchain. Obviously, if you are able to control exits used for this, you can fool such clients into accepting double-spends. Personally, I think Bitcoin clients are still much better off double-checking transactions via Tor than trusting only the local wifi network, especially for accepting quick, unconfirmed transactions. But it is useful to know that a naive "dude, just shove it through Tor, man!" solution to this problem is not the best one. The countermeasures section at the end is pretty good, though. In addition to either tweaking or disabling the IP-based rate limiting for Tor nodes, they also recommend encrypting bitcoin peer protocol traffic (hard, but should probably be done for lots of reasons), or making use of Bitcoin peers who also have Tor hidden service addresses available (easy, and the paper provides a list of these that were found to exist already in the wild). One can also imagine that such bitcoin clients could also use a Tor control port library to enforce that they actually are able to use a certain number of independent exit families without failure, too. This was not suggested, but it is possible. It struck me as a notable work with respect to Tor because it is yet another (surprising) area where having some kind of anonymous credential system for proof of sacrifice/scarcity could benefit not only Tor users, but also the rest of the Internet as well. It is also interesting because right now, the naive proposal people often make for such systems is "dude, just use Bitcoin, man!", but clearly we now have a catch-22 here (in addition to the privacy issues with Bitcoin). -- Mike Perry
Attachment:
signature.asc
Description: Digital signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk