
Topic: Petition for web wallets and exchanges to have official Tor hidden services (Read 988 times)

sr. member
Activity: 448
Merit: 250
Bitcoin over Tor isn't a good idea:

http://arxiv.org/pdf/1410.6079v1.pdf
This only discusses running a full node over Tor, while the OP is advocating being able to connect to various exchanges without the risk of MITM attacks via Tor. Assuming the exchanges would want to allow Tor traffic, this is a very good idea as it is much safer for both the user and the exchange.
donator
Activity: 1616
Merit: 1003
Bitcoin over Tor isn't a good idea:

http://arxiv.org/pdf/1410.6079v1.pdf

That paper is unrelated to what I'm talking about.

There is a parallel analogy which is running a Bitcoin node as a Tor hidden service. Doing so would bypass the security concerns mentioned in the paper.
hero member
Activity: 793
Merit: 1016
Bitcoin over Tor isn't a good idea:

http://arxiv.org/pdf/1410.6079v1.pdf

That paper is unrelated to what I'm talking about.
sr. member
Activity: 366
Merit: 250
I agree, this is especially true with blockchain.info as there is apparently at least one exit node that is using a MITM attack against blockchain.info users and has stolen 100+ BTC so far.

*I would only agree to the extent that it makes sense for such services to accept traffic via Tor, as there is very little reason for some exchanges to do so, as it is only inviting other kinds of attacks.
full member
Activity: 139
Merit: 100
hero member
Activity: 793
Merit: 1016
There's a new trend of Tor exit nodes MITMing bitcoin sites, and even using self-signed certs, which fool users who don't know better into thinking that they are now "safe" because they have an https connection.

I propose that web wallets and exchanges officially publish hidden services.  Because the service is listed on your site and otherwise verified to be yours, users will know that it's the correct site.  Because it's a hidden service, exit nodes can't fuck over users.

It's a win-win.  The exchanges can still have full AML/KYC/whatever other privacy invading things they need, because they know who the users are when the users log in.  And the users can be confident it's the right site because you the site have widely publicized the correct official hidden service URL.

To their detriment, many Bitcoin users are simply not tech-savvy enough to use Bitcoin safely.  To attempt to mitigate their incompetence, they often hold their funds with websites they trust.  They also attempt to use privacy software that is uncomplicated enough that they can figure out how to make it work.... Like the Tor Browser Bundle or the TAILS live OS.  So when they are on an unsecured wifi or using another computer and they are scared about their bitcoins being hacked, they turn to such things in the hopes and expectations that they will help protect them.

These users may not fully understand the limitations of these tools-- what they can do, what they can NOT do, and where the potential risks and threats may be.

Having common Bitcoin sites have official Tor hidden services protects users.  It's a very obvious step that needs to be done in order to increase user security, at no extra cost to anybody.

It's frankly shameful that more sites haven't done it already.  (And kudos to those that have.)
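
Added example, not part of the original post and not any site's own code: a client-side check that a URL points at a hidden service address the site has officially published, rather than a clearnet host (reached through an exit node) or a lookalike onion. It assumes the current v3 onion address format, which postdates this thread; `SAMPLE_KEY`, `OFFICIAL` and the function names are constructed for the illustration.

```python
import base64
import hashlib
from urllib.parse import urlsplit

VERSION = b"\x03"  # v3 onion services


def onion_from_pubkey(pubkey):
    """Encode a 32-byte service public key as a v3 .onion hostname."""
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + VERSION).decode().lower() + ".onion"


def is_wellformed_v3(host):
    """True if host is a 56-character v3 name whose embedded checksum matches."""
    host = host.lower()
    if not host.endswith(".onion"):
        return False
    label = host[: -len(".onion")]
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # characters outside the base32 alphabet
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return version == VERSION and checksum == expected


def check_url(url, official):
    """Classify a URL against the set of officially published onion names."""
    host = (urlsplit(url).hostname or "").lower()
    if not host.endswith(".onion"):
        return "not-onion"  # clearnet: traffic leaves Tor through an exit node
    name = ".".join(host.split(".")[-2:])  # ignore any subdomain labels
    if not is_wellformed_v3(name):
        return "malformed"  # typo or truncated copy of an address
    return "official" if name in official else "unknown-onion"


# Constructed sample data: a stand-in key, not a real service.
SAMPLE_KEY = hashlib.sha256(b"constructed example key").digest()
OFFICIAL = {onion_from_pubkey(SAMPLE_KEY)}

if __name__ == "__main__":
    good = next(iter(OFFICIAL))
    for u in ("http://" + good + "/login", "https://example.com/login"):
        print(check_url(u, OFFICIAL), u)
```

Only the "official" result means the address matches what the site published; a well-formed address that is not on the list is exactly what a phishing hidden service would present.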