📅 Original date posted:2015-01-21
📝 Original message:Hi there,
some thoughts in-line:
> >
> > Finally, distributors of consumer wallets can use this research in
> > order to distribute their wallet with policies which may be less prone
> > to Tor-specific attacks. Or leave this out altogether if their
> > audience has different expectations for connecting to Bitcoin.
> >
>
> Sure. I guess there will be wallets for all kinds of people in future,
> sharing a common core that they can customise (this is certainly the vision
> and general direction for bitcoinj, and it's working out OK).
>
> To clarify, my comments above were for mainstream granny-focused wallets.
> Wallets designed for crypto geeks can and should expose all the knobs to
> let people run wild.
>
I hear that. But I don't see why mainstream wallets and wallets
designed for crypto research should not share a common core. Nor do I
understand why having a common core for different types of wallets
should be reserved for BitcoinJ.
When Bitcoin was pretty new, having a less customizable core did
probably have more of a merit in order to achieve network stability
through monoculture. But as of today, Bitcoin has proven itself as
being capable of allowing a variety of client application to run on
the network, so why should the reference implementation not reflect
this kind of diversity? The policy the mainstream distribution imposes
upon the core can still be rather restrictive.
> One possible direction to go is to use Tor for writing to the network and
> use general link encryption and better Bloom filtering for reading it. Thus
> new transactions would pop out of Tor exits, but there isn't much they can
> do that's malicious there except mutate them or block them entirely. If you
> insert the same transaction into the P2P network via say 10 randomly chosen
> exits, the worst a malicious mutator can do is race the real transaction
> and that's no different to a malicious P2P node. Even in a world where an
> attacker has DoS-banned a lot of nodes and now controls your TX submission
> path entirely, it's hard to see how it helps them.
>
It might deserve some research in order to determine how Tor's
privacy guarantees might be impacted if we allow attackers to mess
around with exit node choices in a rather predictable and low-cost
manner. Unfortunately, I can't think of another (non-Bitcoin)
application which puts Tor to a similar test.
> The nice thing about the above approach is that it solves the latency
> problems. Startup speed is really an issue for reading from the network:
> just syncing the block chain is already enough of a speed hit without
> adding consensus sync as well. But if you're syncing the block chain via
> the clearnet you can connect to Tor in parallel so that by the time the
> user has scanned a QR code, verified the details on the screen and then
> pressed the Pay button, you have a warm connection and can upload the TX
> through that. It reduces the level of startup time optimisation needed,
> although Tor consensus download is still too slow even to race a QR code
> scan at the moment. I think tuning the consensus caching process and
> switching to a fresh one on the fly might be the way to go.
>
I do agree that hybrid clearnet/Tor approaches come with interesting
performance properties.
> When BIP70 is in use, you wouldn't write the tx to the network yourself but
> you could download the PaymentRequest and upload the Payment message via an
> SSLd Tor connection to the merchant. Then malicious exits can only DoS you
> but not do anything else so there's no need for multiple exit paths
> simultaneously.
>
BIP70 is interesting, indeed, although I still fail to understand why
(according to the specs I saw) the PaymentRequest message is signed,
but not the Payment message.
But in context of the discussed protocol issues, I think it just moves
the issue from the payer to the payee, so it may or may not partially
relieve network-related issues, depending on the usage scenario.
Best regards,
Isidor
Isidor Zeuner [ARCHIVE] /
npub1wz…2jvxz
2023-06-07 15:29:00
in reply to nevent1q…ngz2
Author Public Key
npub1wz2sm8h4ylh9dn28688vjzwrmhaxnh3jl04p8jk3qeq7umwf8cus72jvxzPublished at
2023-06-07 15:29:00Event JSON
{
"id": "2cb5398dc2b5fae947b524c3ac3d34908fcee111a0dc40ddf8a8a3ae3213395f",
"pubkey": "70950d9ef527ee56cd47d1cec909c3ddfa69de32fbea13cad10641ee6dc93e39",
"created_at": 1686151740,
"kind": 1,
"tags": [
[
"e",
"80b5cad93099d6916ca20bb03996cac22a1607143b6ac9e47fc3cd8294f48a9a",
"",
"reply"
],
[
"p",
"a23dbf6c6cc83e14cc3df4e56cc71845f611908084cfe620e83e40c06ccdd3d0"
]
],
"content": "📅 Original date posted:2015-01-21\n📝 Original message:Hi there,\n\nsome thoughts in-line:\n\u003e \u003e\n\u003e \u003e Finally, distributors of consumer wallets can use this research in\n\u003e \u003e order to distribute their wallet with policies which may be less prone\n\u003e \u003e to Tor-specific attacks. Or leave this out altogether if their\n\u003e \u003e audience has different expectations for connecting to Bitcoin.\n\u003e \u003e\n\u003e\n\u003e Sure. I guess there will be wallets for all kinds of people in future,\n\u003e sharing a common core that they can customise (this is certainly the vision\n\u003e and general direction for bitcoinj, and it's working out OK).\n\u003e\n\u003e To clarify, my comments above were for mainstream granny-focused wallets.\n\u003e Wallets designed for crypto geeks can and should expose all the knobs to\n\u003e let people run wild.\n\u003e\n\nI hear that. But I don't see why mainstream wallets and wallets\ndesigned for crypto research should not share a common core. Nor do I\nunderstand why having a common core for different types of wallets\nshould be reserved for BitcoinJ.\n\nWhen Bitcoin was pretty new, having a less customizable core did\nprobably have more of a merit in order to achieve network stability\nthrough monoculture. But as of today, Bitcoin has proven itself as\nbeing capable of allowing a variety of client application to run on\nthe network, so why should the reference implementation not reflect\nthis kind of diversity? The policy the mainstream distribution imposes\nupon the core can still be rather restrictive.\n\n\u003e One possible direction to go is to use Tor for writing to the network and\n\u003e use general link encryption and better Bloom filtering for reading it. Thus\n\u003e new transactions would pop out of Tor exits, but there isn't much they can\n\u003e do that's malicious there except mutate them or block them entirely. If you\n\u003e insert the same transaction into the P2P network via say 10 randomly chosen\n\u003e exits, the worst a malicious mutator can do is race the real transaction\n\u003e and that's no different to a malicious P2P node. Even in a world where an\n\u003e attacker has DoS-banned a lot of nodes and now controls your TX submission\n\u003e path entirely, it's hard to see how it helps them.\n\u003e\n\nIt might deserve some research in order to determine how Tor's\nprivacy guarantees might be impacted if we allow attackers to mess\naround with exit node choices in a rather predictable and low-cost\nmanner. Unfortunately, I can't think of another (non-Bitcoin)\napplication which puts Tor to a similar test.\n\n\u003e The nice thing about the above approach is that it solves the latency\n\u003e problems. Startup speed is really an issue for reading from the network:\n\u003e just syncing the block chain is already enough of a speed hit without\n\u003e adding consensus sync as well. But if you're syncing the block chain via\n\u003e the clearnet you can connect to Tor in parallel so that by the time the\n\u003e user has scanned a QR code, verified the details on the screen and then\n\u003e pressed the Pay button, you have a warm connection and can upload the TX\n\u003e through that. It reduces the level of startup time optimisation needed,\n\u003e although Tor consensus download is still too slow even to race a QR code\n\u003e scan at the moment. I think tuning the consensus caching process and\n\u003e switching to a fresh one on the fly might be the way to go.\n\u003e\n\nI do agree that hybrid clearnet/Tor approaches come with interesting\nperformance properties.\n\n\u003e When BIP70 is in use, you wouldn't write the tx to the network yourself but\n\u003e you could download the PaymentRequest and upload the Payment message via an\n\u003e SSLd Tor connection to the merchant. Then malicious exits can only DoS you\n\u003e but not do anything else so there's no need for multiple exit paths\n\u003e simultaneously.\n\u003e\n\nBIP70 is interesting, indeed, although I still fail to understand why\n(according to the specs I saw) the PaymentRequest message is signed,\nbut not the Payment message.\n\nBut in context of the discussed protocol issues, I think it just moves\nthe issue from the payer to the payee, so it may or may not partially\nrelieve network-related issues, depending on the usage scenario.\n\nBest regards,\n\nIsidor",
"sig": "0b55bf2940a5c7b3d3f3585f5f642aa354354553d53ce4f0fdc9c6fe13a8e78b921b1ef3ac11ba09668daa324d75eb4898cbabe03962f3df1bd557d60537a846"
}