Topic: Electrum - Mixer Plugin for blockchain.info (Read 3550 times)

Since this (https://github.com/tkhaew/electrum/blob/mixer_plugin/plugins/mixer.py) is now apparently gone from where it was on github (and the version originally published had security issues), has a new version been planned or is one in the works?  As I understood it, the SharedCoin mixer operated by blockchain.info was compromised and could no longer be relied upon, and any new or similar implementations by blockchain.info would have needed a security audit, I think.  The problems of SharedCoin were described in more detail here: http://www.coinjoinsudoku.com/advisory/ (by K. Atlas)

Currently, there are working CoinJoin implementations:  one is currently being actively used and is known as JoinMarket -- https://github.com/JoinMarket-Org/joinmarket/ | http://joinmarket.io/ with regularly updated code,
and Javascript module with CoinJoin implementation at https://github.com/darkwallet/coinjoin.js last updated Oct. 2014.
(DW utilizes a CoinJoin but is currently in alpha and has last been updated Feb. 2015) https://github.com/darkwallet/darkwallet
Of these, the JoinMarket is the one that appears to be in most active use.

I am curious you have any plans to redo the mixer.py utilizing joinmarket or dw's coinjoin.js?

Note / edit:  Please see also the post on the electrum plugin in development similar to what you did, at:
https://bitcointalksearch.org/topic/m.13668822

hmm, well this needs to be looked at again.  I am not the code author but I like most all of what it presents.

I will be looking at it close to the end of this year again.

Hi, this looks really good, but I can't seem to get it to work. I am using Electrum 1.9.8 on Windows 7 and put the mixer.py file in the plugins folder. After restarting Electrum it still does not appear in the Plugin list and under "send" the "via mixer" button isn't there. Is there some special steps I need to follow to get this to work? And should this work on Android as well?

Oh, and I made sure to download the one from your second link that says it doesn't require a special fork and I made sure I have the most recent version.

It would be more accurate to say that the functionality offered by SharedCoin could be compromised by determined actors with time and money, as it was never intended to provide anonymity as implemented by blockchain.info. ~ a story on it ran some time ago (June of 2014) and was widely circulated based on the coindesk article below which is accurate in its summary:
http://www.coindesk.com/blockchains-sharedcoin-users-can-identified-says-security-expert/

A few important points to note, though:

1) blockchain.info began its SharedCoin implementation (as announced to the public) November 17 of 2013,
2) the Kristov Atlas advisory detailing how a vulnerability could occur was released about it on June 9, 2014,
3) the coindesk article which further increased awareness of it was released on June 10, 2014.
4) the company (blockchain.info) never claimed the implementation would provide anonymity (it was offered as a privacy measure), but as part of the coindesk article, stated that "anyone with sufficient time, money, motivation and computing power could correlate transaction outputs and inputs"
5) Finally, let's assume someone is using a stealth send as described below,
https://github.com/spesmilo/electrum/pull/817
and also using the plugin described in this thread as shown below to do a mix which connects to blockchain.info
https://github.com/tkhaew/electrum/blob/mixer_plugin/plugins/mixer.py
then it would be safe to say that in such a case the logical thing to request would be exactly what the author of the plugin has already suggested:  a security audit.
(I've also suggested adding a readme for ease of use as per my prior comment.)
6) Finally it may be good to add in notes for the plugin that it is a privacy measure and not an anonymity measure by itself, but I suspect that there would be always some debate as to the wording no matter how it would be written.

Kristov Atlas has already demonstrated this past summer that the conjoin mixer operated by blockchain.info is compromised and no longer anonymous see http://www.coinjoinsudoku.com/advisory/

This is great, but if you get a moment, a readme would be good to add to help people manage getting this coinjoin (mixer) approach up and running ~ perhaps pop it into a distinct repository with its own readme, and a note that you are seeking security audit for it too, which may get it some more attention.

Don't mind at all.
It hasn't had a lot of testing. I've tried to make it safe with prompt info but users should be careful.

Also, it may need some attention regarding a security audit. It uses HTTPS to access the API but I wonder if a MITM is possible. In theory it should as safe as using the web site. One thing I can think of off hand is DNS poisoning on local net. Users should be aware that using anything that provides an address on a insecure network has potential to spoof them.

Have you considered making your build available native for Android? An easy to install Electrum wallet for Android phones with mixing built in would be very cool.

I confirm it's working fine for me under Windows (tested on XP SP3 & 7).
Screenshot:


I'm thinking about including it in my next builds, if you don't mind.
Nice job!

There's a firstbits address under you avatar .

I haven't tried that but I think it should work.

Thanks! But how or where tipped?

Will your plugin work with 1.9.5 portable version for Windows?

That's seriously cool, tipped.

I've updated the mixer to work independently of Electrum mainline now. As long as you have the latest version you can now simply drop the mixer.py file into your plugins folder and it will be available and can be enabled. It no longer needs a separate fork or Electrum version.

The standalone mixer plugin file is now:

https://github.com/tkhaew/electrum/blob/mixer_plugin/plugins/mixer.py

The default folder where this is can be dropped (on my Ubuntu system anyway) is:

/usr/local/lib/python2.7/dist-packages/Electrum-1.9.5-py2.7.egg/electrum_plugins/

( though the version number could be different )

I've created a mixer plugin for Electrum to support in-client use of the blockchain.info mixer. It's not quite standalone as Electrum doesn't really support dynamic loading plugins (which would be a nice thing to work on someday), but the changes to the main program are very minimal to hook it in, and the plugin itself is very simple.

It gives you two new features. A button to request a forwarding address when you send coins, with mixer fee estimate, and a right-click menu option for a forwarding address when showing a QR code for a receive address. These simply make an API call and present the address for the user to confirm.

This plugin will not be integrated into Electrum main line because the devs feel it maybe endangers the project by having a mixer associated with it. I feel it improves usability for those who want more privacy and may be a useful stop gap until the Dark Wallet guys finish up their work.

The plugin is available to anyone who wants to use it in a fork I created just for this purpose, in a branch called "mixer" based off the current master,

https://github.com/tkhaew/electrum/tree/mixer see below


Have a look if you're inclined and comments are welcome.