The problem can be summarized by the following quote: “By exploiting Bitcoin’s anti-DoS protection a low-resource attacker can force users which decide to connect to the Bitcoin network through Tor to connect exclusively through her Tor Exit nodes or to her Bitcoin peers, totally isolating the client from the rest of the Bitcoin P2P network. This means that combining Tor with Bitcoin may have serious security implications for the users: 1) they are exposed to attacks in which an attacker controls which Bitcoin blocks and transactions the users is aware of; 2) they do not get the expected level of anonymity. ”
I proposed documenting two more features of Electrum to help solve the first problem. “The second main contribution is a fingerprinting technique for Bitcoin users by setting an “address cookie” on the user’s computer. This can be used to correlate the same user across different sessions, even if he uses Tor, hidden-services or multiple proxies. ” I have never heard of this attack before reading this article. I am not sure if Electum is vulnerable to this cookie or if it could be saved in Tails persistence. My guess is that this vulnerability is just for full nodes or Bitcoin Core clients. A possible long-term solution would be to find trusted Electrum server onion addresses and start Electrum with a command that forces it to connect to that server. The traffic would be encrypted and authenticated. Unfortunately, not many servers exist and it is difficult to trust centralized services. On Sat, 21 Feb 2015 17:58:36 +0000 Minoru <[email protected]> wrote: > The article is attached to this email, but you can also find it at > http://arxiv.org/pdf/1410.6079v2.pdf. > > I found an article by Alex Biryukov and Ivan Pustogarov that points > out how easy it would be to perform an attack on an SPV wallet (such > as Electrum) connected through the Tor network. I believe that > bitcoin is important to the Tails mission, so Tails should continue > to support Electrum, but we need to work towards a long-term solution > to this problem. So far, we have the SPV vulnerability documented in > Tails 1.3. For Tails 1.3.1, I am going to write some more > documentation such as waiting for block confirmations and how to > transfer a watching-only copy of a wallet to another computer. _______________________________________________ Tails-dev mailing list [email protected] https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to [email protected].
