NEW YORK (InsideBitcoins) — A new paper by Alex Biryukov and Ivan Pustogarov of the University of Luxembourg has claimed that “Bitcoin Over Tor isn’t a Good Idea.” Some of the key points made throughout the paper have to do with problems associated with Tor exit nodes, which have been known to be a source of MITM (“man in the middle”) attacks in the past. Although this paper has stirred up a bit of controversy in the bitcoin community, it seems that there is no cause for serious distress.
@jonmatonis That paper is misleading; Bitcoin is inherently resistant to MITM attacks; resisting them is the purpose of the blockchain.
— Peter Todd (@peterktodd) October 24, 2014
Why is bitcoin over Tor a bad idea?
The issues described in the paper from the academic duo revolve around two main points of attack: traffic analysis and sybil attacks. As many participants in the Reddit thread associated with the paper noted, traffic analysis has been a known issue with exit nodes. Bitcoin does not encrypt and authenticate traffic, but that is a proposed countermeasure to the solution offered at the end of the paper.
I reached out to noted bitcoin agitator Justus Ranvier for more details on the other attacks described in the paper. As he explained, “What this paper shows is that it’s relatively cheap for an attacker to get all Tor exit nodes banned by the network except the one the attacker controls, allowing the attacker to snoop on all Tor-to-clearnet bitcoin traffic. They also discuss some Sybil attacks that are applicable whether or not Tor is involved. Solving Sybil attacks in general is not a solved problem, regardless of what network is involved.”
Ranvier noted that a better name for the paper would have been “Tor Exit Nodes are a Problem, and so are Sybil Attacks.”
Tor exit nodes versus hidden services
One of the distinctions that needs to be made when it comes to using bitcoin over Tor is that the anonymity network works much better when you stay within the Tor ecosystem. Once you start to use exit nodes as a portal to the clearnet, you open yourself up to a wide range of issues that have been documented over the years. This was a key point that Justus Ranvier made when I asked him about the seriousness of the allegations made by the paper.
In regards to an attack involving a mass banning of other Tor exit nodes connected to the bitcoin network, Ranvier noted, “Only clients that use Tor to connect to clearnet nodes are affected [by this attack]. Clients that only connect to hidden services are not subject to this specific attack.”
In addition to explaining that hidden services users are not affected, Ranvier also pointed out, “If more than one attacker attempts this strategy at the same time, all of them will fail.”
Is there a need for more bitcoin nodes operating as hidden services?
Running a bitcoin node as a hidden service may seem like the right solution to the issues outlined in the paper, but Ranvier made it clear that it’s not that simple. He stated, “Staying entirely within Tor helps, but it’s not a perfect solution because it’s possible to conduct DoS attacks on the Tor hidden service directory, which is a general problem that needs to be addressed by the Tor project.”
Having said that, having more bitcoin nodes operate as hidden services would definitely be a move in the right direction. This would increase the total cost of such a DoS attack on the Tor hidden service directory. As the paper in question pointed out, “Fortunately for the attacker the fraction of Bitcoin peers available as Tor hidden services is quite small.” The authors continued, “This results in (1) a very small probability for a client to choose a peer available as a hidden service; (2) this makes black-holing of existing Bitcoin hidden services practical.”
Hidden services not affected?
As pointed out by Bitcoin Authenticator developer Chris Pacia on Reddit, traffic analysis over hidden services should also not be an issue, as long as the bitcoin user is also an experienced Tor user. By simply reconnecting to the bitcoin network with a new IP address for each transaction, a bitcoin user can make sure that the other nodes on the network cannot easily figure out the pseudonymous identity behind a multitude of bitcoin addresses.
Ranvier agrees with Pacia’s general sentiment, stating “If a client was smart enough to form a completely new connection to a random hidden service, broadcast its transaction, and then disconnect, then it would be difficult for the attacker to correlate transactions.”
Ranvier, who’s based in Austin, Texas, also noted a possible improvement for anonymity in bitcoin. He claimed, “Other than nobody has bothered to write the code, there is no inherent reason why a node needs to use the same set of connections to receive the blockchain as it uses to broadcast a new transaction.”
For now, it seems that Tor is still a viable option for those who wish to protect their financial privacy.
You can follow @kyletorpey on Twitter.
Photo credit: VeRoNiK@ GR