sajolida:
> Minoru:
>> sajolida,
>>
>> I agree with your changes so far. The reason for the specific
>> explanation is that Electrum over Tor is extremely vulnerable to
>> attack. If you read the article http://arxiv.org/pdf/1410.6079v2.pdf
>> it only takes 2500 USD and publicly available information to have
>> complete control over which Bitcoin blocks and transactions users are
>> aware of. Would you still be interested in the additional documentation
>> that I proposed? I wanted to add three subsections to the Electrum
>> documentation focused on Tor DoS on SPV:
>> 1. Explain block confirmations (temporary fix for Electrum displaying
>> money that you actually do not have)
>> 2. Explain watching-only wallets (temporary fix for Electrum not
>> displaying money that you actually do have)
>> 3. Explain a possible long term solution to this problem by using
>> trusted Electrum servers accessed by a Tor hidden service (I might
>> remove this point because I'm not sure if it is currently possible
>> to execute this solution since not many .onion Electrum servers exist and
>> it is difficult to trust centralized services)
>> I understand that you want to keep the documentation short and easy to
>> understand, but Electrum over Tor using SPV has a serious vulnerability
>> that needs a little more documentation to help users avoid the negative
>> effects of DoS.
>
> Thanks for following up on this. I'm still trying to understand the
> issue as I'm far from being a bitcoin expert. This whole issue is still
> quite fresh and I want to be sure that we first understand it correctly,
> and then put our energy in the best place to fix it.
>
> I'm worried about providing too much scary information that our users
> cannot act upon. Because giving people gory details about how they could
> be attacked might not be the best thing to do if they cannot do anything
> to protect themselves from such an attack. And if we believe Electrum in
> Tails is not good enough then we should remove it, but I think we're not
> there yet.
>
> I read the thread on tor-talk about that:
> https://lists.torproject.org/pipermail/tor-talk/2014-October/thread.html#35329
>
> And if I understand correctly, if this attack was to be conducted it
> would affect *all* bitcoin users over Tor. It is not a targeted attack
> at only some individuals, right?
>
> I also understood that a workaround would be to rely on a list of
> decentralized hidden services to mitigate the DoS power that exit nodes
> could have.
>
> So to be more useful to our users, what could you do, as a user of Tails
> 1.3, to protect yourself against such an attack? For example, is it
> possible to configure more hidden services for Electrum to use? If so,
> could we provide this as a fix in 1.3.1 for everybody? Could it be fixed
> upstream by the Electrum people?
>

Also: the problem should probably be documented upstream (electrum/bittorrent page / wikipedia / somewhere?) and we could just link to the detailed explanation.

Cheers,
BitingBird
