Topic: Confusing SPV server spies? (Read 387 times)

True. My recommended method is running full node + electrs through Tor which is automatically accessible from anywhere. No need to setup tunneling manually or any sorts of open ports.

IMO, it would be superior to run a node at home, or even on a VPS, and connect to it via a light client. You could only allow your devices to connect a light node to reduce resource demand.

The above would reduce battery use on your mobile device, and you wouldn’t be subjected to having to use a lot of data. Mobile internet connections are also typically less private, and connecting to a home computer would hide the fact that you are using bitcoin, compared to it being public to anyone watching your internet connection.

I think most people are not sufficiently concerned about privacy to even bother doing the above and will just use a light client.

This can just always happen at night or when charging & not using the phone + if WiFi is available.
Phones already do this for backups. They wait for a time when the user is not using the device, it is charging AND on WiFi. Then it uploads hundreds of GB into their cloud storage. Not that I'd recommend it, but it seems feasible and is done in practice already.

Yes, I envision you will have to download the day's new blocks. It's not for everyone for sure.

It really only makes sense if you have e.g. uncapped data or WiFi on the go (office, coffee shop, most places have WiFi) and somehow don't want to run a node at home and tunnel through Tor.

I don't think a pruned mobile device that is not connected to the network ~all the time is a very good idea. The times in which the cost of data (both in terms of battery consumption and in terms of cost/unit of data) is the highest (eg, when someone is away from home) is also the time when someone with a mobile device is going to need an up to date version of the (pruned) blockchain. So someone might be able to have a fairly recent version of the blockchain as of every morning, however, they will need to download and process the last several blocks whenever they are going to be receiving a transaction.

The issue is not only a storage issue, it is the whole downloading a lot of data and verifying it which takes a lot of time, computing power and consumes a lot of your internet traffic (most plans have a cap). On a phone it would eat your battery too.
Even after fully synchronizing with the network you still have to continue syncing and relaying transactions (have a mempool).

I have a suggestion that I think is rarely considered: running a pruned full node on devices that don't have the disk space for the whole blockchain. Maybe it doesn't help the network, but for you it won't really be any worse than non-pruned. And you could install it on a laptop, tablet and even a phone.

A while back I thought about implementing an iOS or Android 'pruned full node' application that can be scheduled for 'sync times' like overnight, and after a few days you will have the latest UTXO set. I'm not confident I have the time for such a big side project at the moment, though. And you gotta maintain these things....

Perfectly valid concern.

I would argue that Tor or any browsers of that sort does enough to obfuscate the data such that an adversary wouldn't really be able to correlate the data on a large scale. If that is indeed a threat, then using those SPV wallets which leaks privacy wouldn't be suitable and there are far better things to worry about so this wouldn't really come up as an issue.

One big problem I see is that Electrum can work well as it is, hence this kind of changes may never be seen as important/high priority.
And the fact they require a lot of rewriting/work makes it even worse. Still, one can hope..

Until then local node is one solution at hand.

Of this I'm agreed. You absolutely need to run your own node to avoid all this mess when it comes to checking the balances of your addresses.

I meant that whether you broadcast it through a block chain explorer or directly to the Bitcoin network, it's the same thing privacy-wise[1]. The explorer doesn't know anything just like when your node receives transactions that then re-shares.

I just said that I'm sure you can choose a node and send it directly without any explorers. There was even a project dedicated to broadcasting transactions.

---

[1] If everything done through Tor.

Then run your own node. No one knows which addresses you are looking up for balances, since you are looking them up locally.

All these sites are doing is broadcasting the transaction via their own node. If you are going to use someone else's node, then you are always going to have to go through them (or some other third party) to do it. If you don't want to do that, then the only remaining option is to run your own node.

By the same reasoning, what if the entire Bitcoin network is consisted of honey pots? What makes you feel safe and private in that case? You'll use those block chain explorers to just broadcast a transaction anonymously. You don't care what they'll do with it later just like you don't care when your node broadcasts transactions.

Broadcasting through a block chain explorer is a solution, however I'm sure you can send it directly to the network, without this kind of site-intermediary.

If you were to use an online tool to broadcast bitcoin transactions and want to maximize privacy it is best to use their API instead of their webpage because through the API and using a simple app all the privacy leaking methods (cookies, browser exploits, JavaScript exploits, WebRTC exploits, browser fingerprinting,...) will be eliminated all at once simply because that way you know what you are sending them whereas it is very hard to know everything your browser sends them even if you are using a privacy oriented one with privacy related extensions.

The point BlackHatCoiner was making that I was responding to is why do we have to broadcast our transactions through the same SPV servers which we use to obtain balance and transaction history for Electrum wallets. Doing what I have suggested here solves that issue. For safety reasons, you should assume that every block explorer is collecting and sharing your data, just as you should assume that every SPV server is collecting and sharing your data.

As ranochigo has said, if you use connect to one of these sites via Tor to broadcast a transaction, then the site in question will only obtain the same information that everyone would be able to obtain when the transaction is broadcast through the network.

They are. Broadcasting transactions generally won't leak privacy more than your SPV wallets. Even if they were to collect data, they would only get as much data as your browser leaks, which in the case of privacy conscious ones, it isn't that much. I would recommend using a privacy-centric browser and using a new identity for each session, which in normal circumstances can't provide sufficient data regardless.

That's one way to approach it if you don't want privacy-infringing Electrum servers to get certain data from you. But what if some or all of those blockchain explorers are also honeypots that collect, store, and share user data with companies and agencies interested in conducting various kinds of analysis? You will be avoiding one problem but creating another one elsewhere...   

We need more contributors to Electrum project to implement these things because these 3 alone require a total rewrite of parts of the communication protocol used by Electrum clients. You would also have to add DNS digging, peer finding and the handshake process of full nodes for the last item.
I would have done it if I knew python...

I will not come with much of ideas, I'll just draw my conclusion.

While making another tool won't help much, doing changes in Electrum for

* maybe querying different addresses from different servers (where possible the same address from the same server always)
* maybe querying random useless addresses too
* broadcasting through actual bitcoin peers

could get us somewhere.

And then the next step should be to offer more log-free electrum servers to the ecosystem, maybe especially on clear net (because there tend to be most users).

Well, this depends on whom you are being targeted by.

There is a huge difference between being swept up in one of the many different mass surveillance programs being run by many different governments, and being targeted specifically as an individual by an FBI investigation or similar. For the vast majority of people, who are not doing anything illegal, it is the lower level mass surveillance and general unwarranted invasion of privacy that you want to avoid. You can absolutely avoid this through using Tor, running your own node, mixing and coinjoining, being careful with your transactions, etc. These mass surveillance programs do not have the time or resources to investigate every person who makes themselves hard to trace. They are not designed to fight crime, prevent terrorism, catch pedophiles, and so on. They are designed for population control, and covering 99% of the population is sufficient to do that.

If, on the other hand, you are already being targeted specifically, then you probably have much bigger things to worry about than the privacy of your bitcoin transactions.

An analogy might be whether it is Facebook or your government who are trying to track your internet activity. If you don't have a Facebook account, never visit Facebook, block all Facebook trackers and ads, make sure your devices have no Facebook apps or software on them, and so on, then you'll do a very good job of keeping Facebook out of your life. But for a government agency pulling data from your ISP, then this is all irrelevant.

Giving emphasis here. Truth be told, there's no way to hide yourself with bitcoin from government's surveillance agencies. Even if you go exclusively through Tor, mix coins, run both bitcoin and lightning node etc. There are always footprints left and even if they can't track you down, they can track the rest 99% who will have handed out KYC, IP addresses, reused addresses etc. Once they will have dismissed the 99% it will be easier to dive into that 1%.

I've said this before and I'll repeat;

Bitcoin doesn't.

Well yeah, it is important to be aware of all the different ways you can leak information. Running your own node to avoid a malicious SPV server solves that problem, but you can still leak information from transaction heuristics, blockchain analysis,  interacting with centralized services,  completing KYC or handing out shipping addresses, and so on.

Just as running your own node does nothing to protect your privacy from using mixed coins and unmixed coins together as inputs in the same transaction, making untraceable purchases does nothing to protect your privacy from a malicious SPV server.

Nothing short of mixing your coins after every transaction and running your own node will fix the problem.
Everything else just makes it harder to be tracked.

And that still comes back to who is tracking you. Big government or your ex wife.
Not to mention this all assumes you are not making traceable purchases.

-Dave

In addition to the replies above, if you don't want to broadcast a transaction via Electrum, then once you have signed it you can simply export the raw transaction hex and then use a link such as one of the following to broadcast it instead:
https://mempool.space/tx/push
https://blockchair.com/broadcast
https://blockstream.info/tx/push
https://coinb.in/#broadcast

You can do things such as alternate SPV servers each time you make a query to reduce the amount of information any single entity will collect about you.[/quote]
In addition to different servers, it would be wise to use a different Tor circuit for each query. Querying only a single address at a time is not the usual behavior of most users, and so would stand out from the crowd. The same IP address querying a single address each time would be fairly easy to link, especially since given the limited number of Electrum servers you will still end up using the same one repeatedly.

The bottom line is all of these methods are complicated, time consuming, and do not actually fix the problem.

The problem with your suggestion is that it is not possible to know which other addresses received transactions around the same time your address received a transaction. If you had this information, you would not need to query an SPV server in the first place because you would have access to all transaction information.

Even waiting until your address has received a transaction is difficult because, in most cases, you will not know for sure if you have actually received a transaction (if you knew you did, why would you be asking an SPV server for this information?) -- you might have been told that a transaction was sent to you, however in these cases, there will sometimes be a delay between when someone tells you they sent a transaction, and when a transaction is first seen on the network.

---

SPV nodes, by their nature trade privacy for resources required to run the node.

I think the best way to maximize privacy while using an SPV client (given the limitations of SPV clients) is to query a single address at a time after you have reason to believe the address has received a transaction. You can do things such as alternate SPV servers each time you make a query to reduce the amount of information any single entity will collect about you.

They are not "servers" that run separately from the network, they are simply bitcoin full nodes that are part of the bitcoin network. When you send your transaction to a Electrum node you are sending it to the bitcoin network. The only difference is that these full nodes have an extra layer which has implemented Electrum protocol.

You can technically connect to any other regular full node and send your transaction that way but it would only complicate client implementation and your client has to perform extra steps and this whole process's contribution to your privacy is very small so it is not worth implementing.

There is no point trying to obfuscate addresses by sending redundant data, that would just massively increase server load for honest SPV servers while doing little to nothing for the malicious SPV servers. You absolutely can push your transactions to a random node, assuming you're not actively having a targeted sybil attack on you. There was a wallet that actually did exactly this, but I forgot what wallet it was (only vaguely remember looking through the code for that).

The problem is that bloom filter or whatever methods being used by most wallets uses are fundamentally flawed. The onus should be on the wallet to change their ways of querying the server in a bid to improve privacy. Wasabi for example, uses BIP158 which requests for the entire block as well as additional decoys from their peers. This would be far more effective at tackling the root of the issue.

Let's say the bot always queries the same addresses. So every time I query addresses 1, 2, and 3, my bot queries addresses 6, 8, and 2. That doesn't do much for my privacy - addresses 1, 2, and 3, are still linked together by the malicious server, even if it wrongly thinks addresses 6 and 8 are also linked.

Let's say on the other hand, the bot queries different addresses. So the first time I query addresses 1, 2, and 3, and my bot queries address 6, 8, and 2. The next time I connect, I still query 1, 2, and 3, but my bot queries 5, 9, and 1. The next time, 1, 2, 3, and 4, 8, 9. Over time, it is obvious which addresses are the ones I am actually interested in and which are just being added to obfuscate things.

There is also the issue as PN7 rightly points out, that your bot will be querying addresses which have either already received a transaction or will never receive a transaction, whereas you will likely be querying addresses which have not received a transaction but then later do. The way around both these issues that I see would be to create a wallet while offline, pull out a single address to use, and then only after you have received coins to that address, import that address to a new watch only wallet along with 10+ other random addresses which first received coins around the same time as your address did. Then you would be querying 10+ unrelated addresses, all of which were brand new but just received coins around the same time. This is still far from perfect though and seems like an incredibly clunky way to do things when you could just run your own node instead.

I don't think it would work very well.

I don't think a spying SPV server is going to care about any address query of an address that has already received one or more transactions. By the time an address receives a transaction, it will be public knowledge that the address exists.

I think it would be more efficient for a spying SPV server to keep track of unfunded (never used) addresses that receive a transaction after an inquiry is made about the address. So if Bob asks about a particular address that has never been used, that later receives a transaction, there is a very small number of people who would know ahead of time that address will receive a transaction.

The above is possible because SPV nodes will ask about all addresses that have been used plus additional x addresses (the gap limit).

Again, I know how the protocol is written, but I don't understand why it's written that way. Why can't it connect with the peers from the Bitcoin network? It doesn't have to receive any blocks just to send them a transaction. It remains a lightweight client, it just doesn't send the transaction to a server, but broadcasts them instead.

The lightweight client could also have the set of rules and could return an error in case the full nodes you sent the transaction reject it.

You don't need to run a node to have a list of peers.

Because that is how the protocol was written. The client just has a list of private keys and knows nothing else.

If you want to create the transaction and send it there are many places that you can do that manually. But if there is an issue you have to track it down and figure it out yourself.
If you are sending it out through a fully synced node that has a known set of protocols / commands then is there is an issue you can reply with a known error code.

Otherwise if you want to transmit to the network you still need a list of nodes that will accept it, or you have to run your own node or at least get a list of peers you can transmit to.

Or you can just run your own full node and call it a day. As has been discussed, you can get an old machine with a 1TB drive for well under $100 and do it yourself if you are worried.

I just setup an electrum server last night for a test. Went for an old Dell 3rd gen core i5 laptop $45 and and used an old spinning drive that I had sitting around. But if I needed the drive it would have only been another $25 or so. If you are concerned about privacy then it's not that difficult to do. I cheat and just copy the blockchain from an existing node I have but outside the sync time it's not that long a process and not that tough. What I wanted to do didn't work but that's another story.

-Dave

I know how they work, what I don't understand is why you should send the transaction raw to an SPV server which will then send it to the Bitcoin network. Why don't you send it to the Bitcoin network in the first place?

The SPV server's job should only be to return you your balance.

Because that is how electrum (and other light wallets) work.
They don't hold any blockchain data and connect to the servers to get balances and transmit transactions.

You can get around this by running your own server but at that point you don't have to worry about SPV spies.

Side note, but if you are concerned about privacy when using things that rely on other servers then you should be sure your client allows you to select which server you connect to.

-Dave

Yeah, about that... Why do the transaction has to necessarily be transmitted through an SPV server?

In addition to the Electrum SPV servers, now there is also a bot that knows the IP addresses of those who connect to it (unless TOR or VPN is used).
It will make surveillance a little less hard, but it's safe to assume that among those addresses that will be queried, Alice or Bob will also check on the balance of their own set of addresses.   

You don't but at least you can reduce the risk of being connected to the same entity by choosing another Electrum node. It is also possible to connect to any regular nodes (not Electrum ones) and send your transaction to them by sending a tx message which would reduce the risk even more.

How do you know that the other node doesn't belong to the same evil spying entity?

They would only ban you if you are spamming them with requests. There is no need to do that, the bot could add a long delay and query each node for addresses once.
But I agree that this doesn't seem like a productive way.

In my opinion the best option still remains to be including more irrelevant addresses in your query somehow. For example your own client could ask bc1q6, bc1q8, bc1q2 balances where bc1q6, bc1q8 are not yours and then when spending from bc1q2 it broadcasts the tx to another node.

They will still know what addresses are connected when you make and sign a transaction that is transmitted through their server.
And
If you just keep making queries and never send a TX it would be trivial to figure out that they are just bots.
And
If you ask about some of my addresses that are going out through a known server then they know at that point that you are not 100% legit. So if other addresses are known to be transacting through certain servers and you ask about them it will also be obvious that you are just looking.

I'm sure there are more issues out there too with this.
Good in theory, do not see any real way of implementing it.

-Dave

It would probably still be easy to separate the two/three/etc. given some time. The nodes would also start banning you. In theory PIR could be better if it could work in practice (resources being the limit). Best to just run your own node.

I was wondering if it'd be effective to enhance everyone's privacy by making the chain analysis companies' job harder. Say, for instance, to setup a bot that randomly picks funded addresses and queries them into those SPV servers.

Example:  Bob is the owner of bc1q1, bc1q2 and bc1q3. Alice is the owner of bc1q4, bc1q5, bc1q6. Charlie is the owner of bc1q7, bc1q8, bc1q9.

If they select a server, which is a spy one in this case, their addresses will be linked and they will, therefore, lose privacy. What I propose is to setup a bot that queries those addresses in a random order to make it harder for the server to recognize which address is who.

Bob's query:
Give me the balances of bc1q1, bc1q2 and bc1q3.

Bot's query:
Give me the balances of bc1q6, bc1q8, bc1q2.

etc. Can this really work in the least or there's a flaw I have not thought of?