📅 Original date posted:2016-06-30
📝 Original message:On Thu, Jun 30, 2016 at 11:57 AM, Eric Voskuil via bitcoin-dev
<bitcoin-dev at lists.linuxfoundation.org> wrote:
> The proliferation of node identity is my primary concern - this relates to privacy and the security of the network.
I think this is a reasonable concern.
However, node identity is already being used widely, and in a very
inadvisable way:
* Since forever there have been lists of 'good nodes' to pass in
addnode= configuration options.
* Various people run multiple nodes in different geographic locations,
peering with each other.
* Various pieces of infrastructure exist that relies on connecting to
well-behaving nodes (miner relay networks, large players peering
directly with each other, ...)
* Several lightweight clients support configuring a trusted host to connect to.
Perhaps you deplore that fact, but I believe it is inevitable that
different pieces of the network will make different choices here. You
can'tg prevent people from create connections along preexisting trust
lines. That does not mean that the network as a whole relies on first
establishing trust everywhere.
And I do think there are advantages.
BIP 151 on its own gives you opportunistic encryption. You're very
right to point out that this does not give you protection from active
attackers, and that active attacking is relatively easy through sybil
attacks. I still prefer my attacker to actually do that over just
listening in on my connection. And yes, we should also work on
improving the privacy nodes and wallets have orthogonal to encryption,
but nothing will make everything perfectly private.
BIP 151 plus a simple optional pre-shared-secret authentication
extension can improve upon pure IP-based authentication, as well as
simplify things like SSL tunnels, and onion addresses purely used as
identity. This will still require explicit configuration, but not more
than now.
BIP 151 plus a non-leaking public key authentication scheme (where
peers can query "are you the peer with pubkey X?" but don't learn
anything if the answer is no) with keys specific to the IP addresses
can give a TOFU-like security. Nodes already remember IP addresses
they've succesfully interacted with in the past, and ban IP addresses
that misbehave. Being able to tell whether a node you connect to is
the same as one you've connected to before is a natural extension of
this, and does not require establishing any real-world identity beyond
what we're already implicitly relying on.
Perhaps these use cases and their security assumptions should be
spelled out more clearly in the BIP. If there is a misunderstanding,
it should be clearly stated that BIP 151 is only a building block for
further improvements
> Secondarily I am concerned about users operating under a false assumption about the strength of privacy.
This is a widespread problem, but it exists far outside the scope of
this proposal. The privacy properties of Bitcoin are often
misrepresented and even used as advertizements. The solution is
education, not avoiding improvements because they may be
misunderstood.
> The complexity of the proposed construction is comparable to that of Bitcoin itself.
I really think this is an exaggeration. It's a diffie-hellman
handshake and a stream cipher (both very common constructions), that
apply to individual connections. There are no consensus risks nor a
requirement for coordinated change through the network. The
cryptographic code can be directly reused from a well-known project
(OpenSSH), and is very small in size.
--
Pieter
Pieter Wuille [ARCHIVE] /
npub1tj…jtl6r
2023-06-07 17:51:47
in reply to nevent1q…4r38
Author Public Key
npub1tjephawh7fdf6358jufuh5eyxwauzrjqa7qn50pglee4tayc2ntqcjtl6rPublished at
2023-06-07 17:51:47Event JSON
{
"id": "9f5df66f62477382e37062054871d57bf28a48c3187892e48ee0a33233af209b",
"pubkey": "5cb21bf5d7f25a9d46879713cbd32433bbc10e40ef813a3c28fe7355f49854d6",
"created_at": 1686160307,
"kind": 1,
"tags": [
[
"e",
"d0e8bb25d553b30c0cc0d96d85855c267cf10b5981dd5042024df41c59046cbd",
"",
"root"
],
[
"e",
"88f2eba62972477a8dcf07384d555c8806126e37003c5f883b89435553b280ee",
"",
"reply"
],
[
"p",
"82205f272f995d9be742779a3c19a2ae08522ca14824c3a3b01525fb5459161e"
]
],
"content": "📅 Original date posted:2016-06-30\n📝 Original message:On Thu, Jun 30, 2016 at 11:57 AM, Eric Voskuil via bitcoin-dev\n\u003cbitcoin-dev at lists.linuxfoundation.org\u003e wrote:\n\u003e The proliferation of node identity is my primary concern - this relates to privacy and the security of the network.\n\nI think this is a reasonable concern.\n\nHowever, node identity is already being used widely, and in a very\ninadvisable way:\n* Since forever there have been lists of 'good nodes' to pass in\naddnode= configuration options.\n* Various people run multiple nodes in different geographic locations,\npeering with each other.\n* Various pieces of infrastructure exist that relies on connecting to\nwell-behaving nodes (miner relay networks, large players peering\ndirectly with each other, ...)\n* Several lightweight clients support configuring a trusted host to connect to.\n\nPerhaps you deplore that fact, but I believe it is inevitable that\ndifferent pieces of the network will make different choices here. You\ncan'tg prevent people from create connections along preexisting trust\nlines. That does not mean that the network as a whole relies on first\nestablishing trust everywhere.\n\nAnd I do think there are advantages.\n\nBIP 151 on its own gives you opportunistic encryption. You're very\nright to point out that this does not give you protection from active\nattackers, and that active attacking is relatively easy through sybil\nattacks. I still prefer my attacker to actually do that over just\nlistening in on my connection. And yes, we should also work on\nimproving the privacy nodes and wallets have orthogonal to encryption,\nbut nothing will make everything perfectly private.\n\nBIP 151 plus a simple optional pre-shared-secret authentication\nextension can improve upon pure IP-based authentication, as well as\nsimplify things like SSL tunnels, and onion addresses purely used as\nidentity. This will still require explicit configuration, but not more\nthan now.\n\nBIP 151 plus a non-leaking public key authentication scheme (where\npeers can query \"are you the peer with pubkey X?\" but don't learn\nanything if the answer is no) with keys specific to the IP addresses\ncan give a TOFU-like security. Nodes already remember IP addresses\nthey've succesfully interacted with in the past, and ban IP addresses\nthat misbehave. Being able to tell whether a node you connect to is\nthe same as one you've connected to before is a natural extension of\nthis, and does not require establishing any real-world identity beyond\nwhat we're already implicitly relying on.\n\nPerhaps these use cases and their security assumptions should be\nspelled out more clearly in the BIP. If there is a misunderstanding,\nit should be clearly stated that BIP 151 is only a building block for\nfurther improvements\n\n\u003e Secondarily I am concerned about users operating under a false assumption about the strength of privacy.\n\nThis is a widespread problem, but it exists far outside the scope of\nthis proposal. The privacy properties of Bitcoin are often\nmisrepresented and even used as advertizements. The solution is\neducation, not avoiding improvements because they may be\nmisunderstood.\n\n\u003e The complexity of the proposed construction is comparable to that of Bitcoin itself.\n\nI really think this is an exaggeration. It's a diffie-hellman\nhandshake and a stream cipher (both very common constructions), that\napply to individual connections. There are no consensus risks nor a\nrequirement for coordinated change through the network. The\ncryptographic code can be directly reused from a well-known project\n(OpenSSH), and is very small in size.\n\n-- \nPieter",
"sig": "f558e679c244a2dee4148f7bc4910ccab330d18c0ce6cf1930207591edef2fbb0e5302bb30bc1853a3f1a8fe331accb1276123e302be02c359ea4f5f1211de7e"
}