Author

Topic: Petition for web wallets and exchanges to have official Tor hidden services (Read 1009 times)

sr. member
Activity: 448
Merit: 250
Bitcoin over Tor isn't a good idea:

http://arxiv.org/pdf/1410.6079v1.pdf
This only discusses running a full node over tor, while the OP is advocating being able to connect to various exchanges without the risk of MITM attacks via tor. Assuming the exchanges would want to allow tor traffic, this is a very good idea as it is much more safe for both the user and the exchange 
donator
Activity: 1617
Merit: 1012
Bitcoin over Tor isn't a good idea:

http://arxiv.org/pdf/1410.6079v1.pdf

That paper is unrelated to what I'm talking about.

There is a parallel analogy which is running a Bitcoin node as a TOR hidden service. Doing so would bypass the security concerns mentioned in the paper.
hero member
Activity: 793
Merit: 1026
Bitcoin over Tor isn't a good idea:

http://arxiv.org/pdf/1410.6079v1.pdf

That paper is unrelated to what I'm talking about.
sr. member
Activity: 366
Merit: 250
I agree, this is especially true with blockchain.info as there is apparently at least one exit node that is using a MITM attack against blockchain.info users and has stolen 100+ BTC so far.

*I would only agree to the extent that it makes sense for such services to accept traffic via tor, as there is very little reason for some exchanges to do so, as it is only inviting other kinds of attacks
full member
Activity: 139
Merit: 100
hero member
Activity: 793
Merit: 1026
There's a new trend of Tor exit nodes MITMing bitcoin sites, and even using self-signed certs, which fool users who don't know better into thinking that they are now "safe" because they have an https connection.

I propose that web wallets and exchanges officially publish hidden services.  Because the service is listed on your site and otherwise verified to be yours, users will know that it's the correct site.  Because it's a hidden service, exit nodes can't fuck over users.

It's a win-win.  The exchanges can still have full AML/KYC/whatever other privacy invading things they need, because they know who the users are when the users log in.  And the users can be confident it's the right site because you the site have widely publicized the correct official hidden service URL.

To their detriment, many Bitcoin users are simply not tech-savvy enough to use Bitcoin safely.  To attempt to mitigate their incompetence, they often hold their funds with websites they trust.  They also attempt to use privacy software that is uncomplicated enough that they can figure out how to make it work.... Like the Tor Browser Bundle or the TAILS live OS.  So when they are on an unsecured wifi or using another computer and they are scared about their bitcoins being hacked, they turn to such things in the hopes and expectations that they will help protect them.

These users may not fully understand the limitations of these tools-- what they can do, what they can NOT do, and where the potential risks and threats may be.

Having common Bitcoin sites have official Tor hidden services protects users.  It's a very obvious step that needs to be done in order to increase user security, at no extra cost to anybody.

It's frankly shameful that more sites haven't done it already.  (And kudos to those that have.)
Jump to: