[tor-talk] Bitcoin over Tor isn’t a good idea (Alex Biryukov / Ivan Pustogarov story)
Seth David Schoen
schoen at eff.org
Mon Oct 27 23:19:08 UTC 2014
s7r writes:
> All use Bitcoin default port 8333. These servers are up all the time
> and very fast.
>
> Hidden services are end-to-end encrypted so the risk of MITM between
> nodes does not exist. Also, if you run bitcoin in such a way with
> onlynet=tor enabled in config, nobody listening your wire can have a
> slight clue that you use bitcoin.
I don't mean to disparage the contribution of people who are running
Bitcoin hidden service nodes. I think that's a very useful
contribution.
I do want to question three things about the benefits of doing so.
First, the security of hidden services among other things relies on the
difficulty of an 80-bit partial hash collision; even without any new
mathematical insight, that isn't regarded by NIST as an adequate hash
length for use past 2010. (There has been some mathematical insight about
attacking SHA-1, which Tor hidden service names use, although I don't
remember whether any of it is known to be useful for generating partial
preimages.) Tor hidden service encryption doesn't consistently use crypto
primitives that are as strong as current recommendations, though I think
they matched recommendations when the Tor hidden service protocol was
first invented. That means that the transport encryption between a hidden
service user and the hidden service operator is not as trustworthy in
some ways as a modern TLS implementation would be.
Second, a passive attacker might be able to distinguish Bitcoin from other
protocols running over Tor by pure traffic analysis methods. If a new
user were downloading the entire blockchain from scratch, there would
be a very characteristic and predictable amount of data that that user
downloads over Tor (namely, the current size of the entire blockchain --
23394 megabytes as of today).
Not many files are exactly that size, so it's a fairly strong guess that
that's what the user was downloading. Even submitting new transactions
over hidden services might not be very similar to, say, web browsing,
which is a more typical use of Tor. The amount of data sent when
submitting transactions is comparatively tiny, while blockchain updates
are comparatively large but aren't necessarily synchronized to occur
immediately after transaction submissions. So maybe there's a distinctive
statistical signature observable from the way that the Bitcoin client
submits transactions over Tor. It would at least be worth studying
whether this is so (especially because, if it is, someone who observes
a particular Tor user apparently submitting a transaction could try to
correlate that transaction with new transactions that the hidden services
first appeared to become aware of right around the same time).
Third, to take a simpler version of the attacks proposed in the new
paper, someone who _only_ uses Bitcoin peers that are all run by
TheCthulhu is vulnerable to double-spending attacks, and even more
devious attacks, by TheCthulhu. (You might say that TheCthulhu is
very trustworthy and would never attack users, but that does at least
undermine the decentralization typically claimed for Bitcoin because
you have to trust a particular hidden service operator, or relatively
small community of hidden service operators, not to attack you by
manipulating your view of the blockchain and transaction history.)
Using Bitcoin over Tor hidden services might be a good choice for most
users today who want their transactions and private key ownership to
be as private as possible, but it's not free of risk, and it's probably
not an appropriate long-term solution to recommend to the general public
without fixes to some of the technologies involved!
--
Seth Schoen <schoen at eff.org>
Senior Staff Technologist https://www.eff.org/
Electronic Frontier Foundation https://www.eff.org/join
815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
More information about the tor-talk
mailing list