* [Bitcoin-development] Tor / SPV
@ 2014-01-15 22:51 Mike Hearn
2014-01-15 23:07 ` Brooks Boyd
` (2 more replies)
0 siblings, 3 replies; 10+ messages in thread
From: Mike Hearn @ 2014-01-15 22:51 UTC (permalink / raw)
To: bitcoin-development
[-- Attachment #1.1: Type: text/plain, Size: 6621 bytes --]
intro text starts here, protocol upgrade proposal starts further down
Recently on IRC we have discussed what it'd take to use SSL on P2P connections, the goal being encryption and authentication of traffic to help avoid passive wiretapping and sybil attacks.
Gregory pointed out - very reasonably - that OpenSSL is huge and very old-school C, meaning that using it to implement SSL would put a big piece of code exposed to the internet into the same process as people’s wallets. This would be not excellent. Also, even with encryption, with SSL you only get some resistance to traffic analysis. And it'd be a complicated upgrade.
Tor is an option, but it has other disadvantages:
1) Also a giant piece of C that is likely to contain bugs
2) Breaks our anti-sybil heuristics when connecting to hidden services
3) MITM very likely when not connecting to hidden services
4) Is not usable as a library at all. Convention to use Tor is "tell user to start TorBrowser and connect to the SOCKS port".
The latter point means in reality hardly anyone will ever connect via Tor, as you'd have to do extra setup and most people are lazy. Especially it's not going to work on mobile. It’s not worth doing something complicated if hardly anyone would use it.
But recently I discovered this interesting piece of code:
http://www.subgraph.com/orchid.html
It is a pure Java implementation of the Tor protocol (client only, no relays), easily usable as a library. Sure enough after about an hour of fiddling around, I now have a bitcoinj that connects via Tor with no other software running.
Suddenly making MultiBit, the Android Bitcoin Wallet app, Hive and other bitcoinj based wallets use Tor by default seems very plausible.
So I started thinking about what it'd take to switch this on for everyone. The biggest problem is that SPV wallets can't verify unconfirmed/pending transactions for themselves, so they rely on counting the number of peers that announced it and assuming that their internet connections aren't being tampered with. Mostly this assumption is a good one - we have never heard anyone report that they were paid with a fake pending tx using a MITM attack.
However, with Tor the chance of being MITMd goes up dramatically. Lots of people have reported exit nodes that are doing SSL stripping. Being sybilled when using exit nodes seems rather likely.
Connecting to hidden services solve the MITM problem but screws you in a different way. Bitcoin Core has some weak heuristics in the code to try and ensure we don’t accidentally connect to nodes all controlled by the same guys … mostly by trying to keep a good mix of /16s. This is probably not very hard to defeat, but it does at least raise the bar beyond “buy lots of amazon VMs”. With hidden services we lose that. Also, there aren’t very many nodes running as hidden services - if all bitcoinjs started hitting them simultaneously they’d probably die.
tl;dr the proposal starts here
Let’s fix this so SPV wallets can use Tor by default. Downgrading things is not an option, it must be pure upgrade. We can do it like this:
1) Firstly, we observe that MITM only matters when we’re trying to count pending transaction announcements, but most of the load SPV wallets impose on the network is chain filtering. So it’s OK to download the chain from any arbitrary clearnet IP via Tor because we’re checking Merkle branches. This ensures we won’t put excessive load on hidden service nodes.
2) Secondly, we bump the protocol version, add a service flag and introduce a new P2P protocol command “tor?”. If a client sends a tor? message to a node that has the new service flag set, it will respond with a new “tor” message that contains a regular addr packet, with a single address, the IPv6-ified version of its hidden service name.
3) SPV wallets that want to get a good mix of nodes for measuring pending transactions identify nodes on the clearnet via their addr announcements+service flag, in the normal way. They select some of these nodes using the standard clearnet anti-sybil heuristics and connect without using Tor. They proceed to query them for their hidden service key. After they’ve done that, they record the public IP->hidden service mapping and can go ahead and connect back to them at any later time via Tor itself.
This would seem to be pointless - did we not just go ahead and bypass Tor entirely, thus making neither node hidden? Is it not a dead cert that the next connection the node gets via Tor is likely the same computer? Yes, but it only matters the first time. As long as those nodes are somewhat stable the mapping will be recorded on disk and the next time the wallet starts, it’ll skip straight to using Tor.
The goal of all that is that we get to keep our existing IPv4 based anti-sybil heuristics, so we can’t possibly make anything worse, only better. Plus, we’ve now set things up so in future if/when we come up with a better anti-sybil system based on anonymous identities or other fancy crypto, we can take out the “connect via clearnet” step and go straight to using hidden services with only a very small set of code changes and no new protocol work.
I like this idea for several reasons:
It feels implementable to me in about a couple of weeks wall-time. The tasks are small - the new tor? p2p message is super easy to implement because a node already knows if it’s a hidden service or not. On the bitcoinj side, it’d take a bit of work to implement the extra storage of IPv4->onion mappings and ensure the right kind of connection is used at the right time, but it’s not all that hard.
We could switch Tor on by default for a lot of users.
On the bitcoind side, Tor runs as a separate process and because it initiates connections to bitcoind, it can be easily sandboxed, e.g. ran as a different UNIX user or even run inside a chroot/ptrace jail. Even though Tor is likely to contain exploits, we can easily keep them away from the wallet. So there’s not much additional surface area.
Obviously as it’s pure Java and client only, Orchid is immune to buffer overflows/double frees and other such security problems.
It’s optional for all parties. Wallet clients can try to fall back to non-Tor usage if their access to Tor seems to be blocked somehow.
Tor is the gold standard for resisting traffic analysis - we know thanks to Snowden that it’s good at this task.
To launch I’d probably have a percentage throttle hosted on some SSLd website, so we can control the load placed on the existing hidden service nodes.
Feedback welcome.
[-- Attachment #1.2: Type: text/html, Size: 11922 bytes --]
[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 7453 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] Tor / SPV
2014-01-15 22:51 [Bitcoin-development] Tor / SPV Mike Hearn
@ 2014-01-15 23:07 ` Brooks Boyd
2014-01-15 23:32 ` Mike Hearn
2014-01-16 3:54 ` Isidor Zeuner
2014-01-15 23:37 ` Robert McKay
2014-01-16 4:29 ` Miron
2 siblings, 2 replies; 10+ messages in thread
From: Brooks Boyd @ 2014-01-15 23:07 UTC (permalink / raw)
To: bitcoin-development
[-- Attachment #1: Type: text/plain, Size: 1083 bytes --]
>
> 2) Secondly, we bump the protocol version, add a service flag and
> introduce a new P2P protocol command “tor?”. If a client sends a tor?
> message to a node that has the new service flag set, it will respond with a
> new “tor” message that contains a regular addr packet, with a single
> address, the IPv6-ified version of its hidden service name.
>
Rather than a separate message type that implies binding a clearnet IP to a
hidden service ID, why not add the service flag that the peer would like
Tor addresses, and the remote peer can then add IPv6-ified hidden service
addresses to "addr" messages? May need to modify the network address format
to include the ability to differentiate IPv6 clearnet vs. Tor addresses,
but then you remove the implication that a node has to give both public and
private IPs to a peer. If it's part of a batch of "addr"s, it could be my
own hidden service ID, but it could also be one that I learned from someone
else and is now propagating, for anyone to bootstrap with Tor hidden
service peers if they'd like.
Brooks
[-- Attachment #2: Type: text/html, Size: 1525 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] Tor / SPV
2014-01-15 23:07 ` Brooks Boyd
@ 2014-01-15 23:32 ` Mike Hearn
2014-01-16 2:26 ` Brooks Boyd
2014-01-16 3:54 ` Isidor Zeuner
1 sibling, 1 reply; 10+ messages in thread
From: Mike Hearn @ 2014-01-15 23:32 UTC (permalink / raw)
To: Brooks Boyd; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 1605 bytes --]
>
> May need to modify the network address format to include the ability to
> differentiate IPv6 clearnet vs. Tor addresses
>
sipa already implemented some clever hack where the 80-bit Tor keys are
mapped to a subregion of reserved IPv6 space, giving magical IPv6 hidden
service addresses. So addr packets can and do already contain onion
addresses.
> but then you remove the implication that a node has to give both public
> and private IPs to a peer. If it's part of a batch of "addr"s, it could be
> my own hidden service ID, but it could also be one that I learned from
> someone else and is now propagating, for anyone to bootstrap with Tor
> hidden service peers if they'd like.
>
Hmm. So you mean that we pick a set of peers we believe to not be sybils of
each other, but they might give us hidden services run by other people? I
need to think about that. If they're getting the hidden services just from
addr announcements themselves, then you just punt the issue up a layer -
what stops me generating 10000 hidden service keys that all map to my same
malicious node, announcing them, and then waiting for the traffic to
arrive? If clearnet nodes inform of their own hidden service IDs, that
issue is avoided.
My goal here is not necessarily to hide P2P nodes - we still need lots of
clearnet P2P nodes for the forseeable future no matter what. Rather we're
just using hidden services as a way to get authentication and encryption.
Actually the 6-hop hidden service circuits are overkill for this
application, a 3-hop circuit would work just as well for most nodes that
aren't Tor-exclusive.
[-- Attachment #2: Type: text/html, Size: 2127 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] Tor / SPV
2014-01-15 22:51 [Bitcoin-development] Tor / SPV Mike Hearn
2014-01-15 23:07 ` Brooks Boyd
@ 2014-01-15 23:37 ` Robert McKay
2014-01-16 4:29 ` Miron
2 siblings, 0 replies; 10+ messages in thread
From: Robert McKay @ 2014-01-15 23:37 UTC (permalink / raw)
To: Mike Hearn; +Cc: bitcoin-development
On Wed, 15 Jan 2014 23:51:21 +0100, Mike Hearn wrote:
> The goal of all that is that we get to keep our existing IPv4 based
> anti-sybil heuristics, so we can’t possibly make anything worse,
> only better. Plus, we’ve now set things up so in future if/when we
> come up with a better anti-sybil system based on anonymous identities
> or other fancy crypto, we can take out the “connect via clearnet”
> step and go straight to using hidden services with only a very small
> set of code changes and no new protocol work.
I think it might be ok to use proof-of-stake on as an anti-sybil scheme
on tor.. people would obviously not want to associate their wallet with
their IP address, but is there any harm in associating it with a
(temporary) tor service id (especially one that isn't used for anything
other than relaying bitcoin transactions)? If each node you connect too
can sign some challenge with a key that controls some BTC (and your
client node verifies that the funds are different) then that might be
useful.. even if it were only a small 0.01BTC stake that would be
similar to the cost of obtaining another IP through a cheap VPS or VPN
and significantly higher than the cost to an attacker who is able to
MITM everything and operate on any IP anyway.
Rob
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] Tor / SPV
2014-01-15 23:32 ` Mike Hearn
@ 2014-01-16 2:26 ` Brooks Boyd
2014-01-16 4:30 ` Miron
2014-01-16 10:25 ` Mike Hearn
0 siblings, 2 replies; 10+ messages in thread
From: Brooks Boyd @ 2014-01-16 2:26 UTC (permalink / raw)
To: bitcoin-development
[-- Attachment #1: Type: text/plain, Size: 1203 bytes --]
>
> My goal here is not necessarily to hide P2P nodes - we still need lots of
> clearnet P2P nodes for the forseeable future no matter what. Rather we're
> just using hidden services as a way to get authentication and encryption.
> Actually the 6-hop hidden service circuits are overkill for this
> application, a 3-hop circuit would work just as well for most nodes that
> aren't Tor-exclusive.
>
Ah, I see, so you're intending to use the Tor hidden services not for their
original purpose (hiding), but rather as as "authentication" (someone may
spoof my clearnet IP, but only I have the private key that makes this Tor
hidden service connect to me, so you can trust when you connect to it it's
really me). So if you trust the clearnet IP to be a friendly node, that
makes a more secure connection, but if you're already talking to a bad
node, moving the communication to Tor doesn't change that. I agree the
six-hop circuits would be overkill for that; I wonder if the network
slowdown you get on Tor will be worth the increased security? Yes, you'll
be more protected from MITM, but if this is widely adopted, would the
overall transactions/second the Bitcoin network could handle go down?
Brooks
[-- Attachment #2: Type: text/html, Size: 1665 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] Tor / SPV
2014-01-15 23:07 ` Brooks Boyd
2014-01-15 23:32 ` Mike Hearn
@ 2014-01-16 3:54 ` Isidor Zeuner
1 sibling, 0 replies; 10+ messages in thread
From: Isidor Zeuner @ 2014-01-16 3:54 UTC (permalink / raw)
To: Bitcoin Dev
quote:
> > but then you remove the implication that a node has to give both public
> > and private IPs to a peer. If it's part of a batch of "addr"s, it could be
> > my own hidden service ID, but it could also be one that I learned from
> > someone else and is now propagating, for anyone to bootstrap with Tor
> > hidden service peers if they'd like.
> >
>
> Hmm. So you mean that we pick a set of peers we believe to not be sybils of
> each other, but they might give us hidden services run by other people? I
> need to think about that. If they're getting the hidden services just from
> addr announcements themselves, then you just punt the issue up a layer -
> what stops me generating 10000 hidden service keys that all map to my same
> malicious node, announcing them, and then waiting for the traffic to
> arrive? If clearnet nodes inform of their own hidden service IDs, that
> issue is avoided.
>
Considering that the clearnet sybil protection also relies on scaling
up the resource requirements for an attacker, why not require hidden
service addresses following a certain pattern, like a fixed prefix?
Essentially also a PoW scheme...
> My goal here is not necessarily to hide P2P nodes - we still need lots of
> clearnet P2P nodes for the forseeable future no matter what.
What would you consider as the main merits of clearnet nodes?
Best regards,
Isidor
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] Tor / SPV
2014-01-15 22:51 [Bitcoin-development] Tor / SPV Mike Hearn
2014-01-15 23:07 ` Brooks Boyd
2014-01-15 23:37 ` Robert McKay
@ 2014-01-16 4:29 ` Miron
2014-01-16 4:40 ` Miron
2 siblings, 1 reply; 10+ messages in thread
From: Miron @ 2014-01-16 4:29 UTC (permalink / raw)
To: bitcoin-development
On Wed, 2014-01-15 at 23:51 +0100, Mike Hearn wrote:
...
> 3) SPV wallets that want to get a good mix of nodes for measuring
> pending transactions identify nodes on the clearnet via their addr
> announcements+service flag, in the normal way. They select some of
> these nodes using the standard clearnet anti-sybil heuristics and
> connect without using Tor. They proceed to query them for their hidden
The SPV node could connect to the IP using Tor. It would preserve the
privacy of the SPV node - hard to see it's running Bitcoin. It also
reduces the ability of an attacker to MITM because the routing varies
with each exit node.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] Tor / SPV
2014-01-16 2:26 ` Brooks Boyd
@ 2014-01-16 4:30 ` Miron
2014-01-16 10:25 ` Mike Hearn
1 sibling, 0 replies; 10+ messages in thread
From: Miron @ 2014-01-16 4:30 UTC (permalink / raw)
To: Brooks Boyd; +Cc: bitcoin-development
On Wed, 2014-01-15 at 20:26 -0600, Brooks Boyd wrote:
> My goal here is not necessarily to hide P2P nodes - we still
> need lots of clearnet P2P nodes for the forseeable future no
> matter what. Rather we're just using hidden services as a way
> to get authentication and encryption. Actually the 6-hop
> hidden service circuits are overkill for this application, a
> 3-hop circuit would work just as well for most nodes that
> aren't Tor-exclusive.
>
>
>
...
> communication to Tor doesn't change that. I agree the six-hop circuits
> would be overkill for that; I wonder if the network slowdown you get
BTW, I believe that the number of hops can be reduced below 3 on both
sides (client/server). For Orchid, this will require a change to
CircuitPathChooser. For other Tor implementations, it might require
using the control port to custom-build a circuit.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] Tor / SPV
2014-01-16 4:29 ` Miron
@ 2014-01-16 4:40 ` Miron
0 siblings, 0 replies; 10+ messages in thread
From: Miron @ 2014-01-16 4:40 UTC (permalink / raw)
To: bitcoin-development
On Wed, 2014-01-15 at 20:29 -0800, Miron wrote:
> On Wed, 2014-01-15 at 23:51 +0100, Mike Hearn wrote:
> ...
> > 3) SPV wallets that want to get a good mix of nodes for measuring
> > pending transactions identify nodes on the clearnet via their addr
> > announcements+service flag, in the normal way. They select some of
> > these nodes using the standard clearnet anti-sybil heuristics and
> > connect without using Tor. They proceed to query them for their hidden
>
> The SPV node could connect to the IP using Tor. It would preserve the
> privacy of the SPV node - hard to see it's running Bitcoin. It also
> reduces the ability of an attacker to MITM because the routing varies
> with each exit node.
>
It would also be good to gossip the mapping of (IP -> onion address).
This would allow detection of a future MITM, since the MITM can't spoof
the onion fingerprint.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [Bitcoin-development] Tor / SPV
2014-01-16 2:26 ` Brooks Boyd
2014-01-16 4:30 ` Miron
@ 2014-01-16 10:25 ` Mike Hearn
1 sibling, 0 replies; 10+ messages in thread
From: Mike Hearn @ 2014-01-16 10:25 UTC (permalink / raw)
To: Brooks Boyd; +Cc: Bitcoin Dev
[-- Attachment #1: Type: text/plain, Size: 2005 bytes --]
Yes correct, using hidden services just as a kind of more complicated, out
of process/sandboxable SSL.
> would the overall transactions/second the Bitcoin network could handle go
> down?
>
If all nodes talked to each other all the time over Tor, probably yes
because Bitcoin is quite sensitive to latency. But what I'm proposing here
is less ambitious. It's just about protecting (parts of)
end-user-to-network communication, which is a much less risky sort of
change. P2P nodes would still talk to each other in the clear.
SSL for everything is still an idea I like, but it's true that increasing
bitcoind attack surface area is not something to take lightly.
Considering that the clearnet sybil protection also relies on scaling
> up the resource requirements for an attacker, why not require hidden
> service addresses following a certain pattern, like a fixed prefix?
I'm sure we can come up with all kinds of neat anti-sybil techniques, but
IMHO they are separate projects. I'm trying to find an upgrade that's small
enough to be easily switched on by default for lots of users, today, that
is low risk for the network overall. Later on we can add elaborations.
The SPV node could connect to the IP using Tor. It would preserve the
> privacy of the SPV node - hard to see it's running Bitcoin. It also
> reduces the ability of an attacker to MITM because the routing varies
> with each exit node.
Right so the key question is, to what extent does Tor open you up to MITM
attacks? I don't have a good feel for this. I read about exit nodes
routinely doing very naughty things, but I don't know how widespread that
is. Probably you're right that with random selection of exits you're not
excessively likely to get MITMd.
How does Tor itself manage anti-sybil? I know they have the directory
consensus and they measure nodes to ensure they're delivering the resources
they claim to have. Punting anti-sybil up to the Tor people and letting
them worry about it is quite an attractive idea.
[-- Attachment #2: Type: text/html, Size: 3264 bytes --]
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2014-01-16 10:25 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-01-15 22:51 [Bitcoin-development] Tor / SPV Mike Hearn
2014-01-15 23:07 ` Brooks Boyd
2014-01-15 23:32 ` Mike Hearn
2014-01-16 2:26 ` Brooks Boyd
2014-01-16 4:30 ` Miron
2014-01-16 10:25 ` Mike Hearn
2014-01-16 3:54 ` Isidor Zeuner
2014-01-15 23:37 ` Robert McKay
2014-01-16 4:29 ` Miron
2014-01-16 4:40 ` Miron
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox