
Topic: TOR and I2P (Read 22951 times)

full member
Activity: 132
Merit: 101
May 14, 2010, 05:02:53 PM
#13
I feel obligated to post this in this thread too.
Using Bitcoin over Tor might be dangerous. (It doesn't have to though!)

Say I am an exit node listening for bitcoin transactions and grab them?
Or is everything public/private key encrypted?
Actually no, transferring coins via IP address isn't encrypted. When you transfer coins to an IP, the recipient creates a new address just for that transaction and tells you to transfer coins to that address. A malicious exit node could sniff all Bitcoin traffic and intercept those transactions easily.

So for everyone: DO NOT USE IP ADDRESSES AS DESTINATIONS, ALWAYS USE BITCOIN ADDRESSES.

Here is the message: https://bitcointalksearch.org/topic/for-a-website-taking-payments-with-bitcoins-better-ip-or-bitcoin-addresses-129
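An added example, not code from the thread or from the Bitcoin client: a pre-payment check that tells a Bitcoin address apart from an IP-address destination, so the unencrypted pay-to-IP path the post warns about is never taken by accident. It assumes the address format of the time (Base58Check with version byte 0x00 and a 4-byte double-SHA256 checksum); the `ip:port` handling and the classification labels are this example's own conventions.

```python
import hashlib
import ipaddress
from typing import Optional

# Base58 alphabet used by Bitcoin addresses (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_decode(s: str) -> Optional[bytes]:
    """Return version byte + payload if s is valid Base58Check, else None."""
    n = 0
    for ch in s:
        idx = ALPHABET.find(ch)
        if idx < 0:
            return None              # character outside the alphabet
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes one leading zero byte (the version byte 0x00
    # of an old-style address is one of them).
    pad = len(s) - len(s.lstrip("1"))
    body = b"\x00" * pad + body
    if len(body) < 5:
        return None
    data, checksum = body[:-4], body[-4:]
    digest = hashlib.sha256(hashlib.sha256(data).digest()).digest()
    if digest[:4] != checksum:
        return None                  # typo or tampering: checksum mismatch
    return data


def classify_destination(dest: str) -> str:
    """'ip' for an IP literal (optionally with :port), 'address' for a valid
    version-0 Bitcoin address, 'invalid' otherwise (assumed labels)."""
    host = dest.rsplit(":", 1)[0] if dest.count(":") == 1 else dest
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    data = base58check_decode(dest)
    if data is not None and len(data) == 21 and data[0] == 0x00:
        return "address"
    return "invalid"


def safe_to_pay(dest: str) -> bool:
    """Policy from the post: only ever pay to a Bitcoin address, never to an IP."""
    return classify_destination(dest) == "address"


if __name__ == "__main__":
    for d in ("1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", "192.0.2.10:8333", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"):
        print(d, classify_destination(d), safe_to_pay(d))
```

The address used in the self-test is the genesis-block coinbase address; the third string is the same address with its last character changed, which the checksum rejects.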
newbie
Activity: 21
Merit: 0
April 28, 2010, 04:09:01 AM
#12
There isn't an easy way to specify what to bind to.

Modify the source code, re-compile it. Tongue

Or just use a firewall. That's even easier.


I'm trying to set up a hidden service on tor, and I've copied the following into my torrc:

HiddenServiceDir /some/directory
HiddenServicePort 8333 127.0.0.1:8333

but now I'd like to make bitcoin bind only to 127.0.0.1:8333 whereas "netstat -lp" shows that it is listening on all interfaces. I haven't easily found how to specify this.

suggestions?
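An added example (not from the thread) of the check the poster did by hand with "netstat -lp": parse the listener table and report any socket on the Bitcoin port that is bound to a wildcard or non-loopback address, which is what must be fixed (by rebinding or by a firewall rule) before the hidden service is the only way in. The netstat output below is constructed for the example; the column layout matches `netstat -lpn` on Linux.

```python
from typing import List, Tuple

# Constructed sample of `netstat -lpn` output, not captured from a real host.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8333            0.0.0.0:*               LISTEN      4321/bitcoin
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      1234/tor
tcp6       0      0 :::22                   :::*                    LISTEN      987/sshd
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::", "*"}

Listener = Tuple[str, str, int, str]  # (proto, local address, port, pid/program)


def parse_listeners(text: str) -> List[Listener]:
    """Extract LISTEN sockets from netstat -lpn style output."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp") or parts[5] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # handles ':::22' and 'a.b.c.d:p'
        out.append((parts[0], addr, int(port), parts[6]))
    return out


def exposed_listeners(text: str, port: int = 8333) -> List[Listener]:
    """Listeners on `port` that are reachable from outside the host, i.e.
    bound to a wildcard or to a non-loopback address."""
    return [l for l in parse_listeners(text)
            if l[2] == port and l[1] not in LOOPBACK]


def hidden_service_only(text: str, port: int = 8333) -> bool:
    """True when every listener on `port` is loopback-only, so the only
    path to it is the HiddenServicePort forwarding to 127.0.0.1."""
    return not exposed_listeners(text, port)


if __name__ == "__main__":
    for proto, addr, port, prog in exposed_listeners(SAMPLE_NETSTAT):
        kind = "wildcard" if addr in WILDCARD else "non-loopback"
        print(f"{prog} listens on {addr}:{port} ({kind}); clearnet-reachable")
    print("hidden-service only:", hidden_service_only(SAMPLE_NETSTAT))
```

On the sample the bitcoin process is flagged because it is bound to 0.0.0.0; tor's SOCKS port on 127.0.0.1 is not.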
sr. member
Activity: 440
Merit: 250
April 27, 2010, 04:38:27 AM
#11
Any answers to how to make bitcoin bind only to localhost:8333?  Also, how can I make bitcoin broadcast the torland address instead of the external IP?
sr. member
Activity: 440
Merit: 250
April 20, 2010, 09:26:29 AM
#10
I'm trying to set up a hidden service on tor, and I've copied the following into my torrc:

HiddenServiceDir /some/directory
HiddenServicePort 8333 127.0.0.1:8333

but now I'd like to make bitcoin bind only to 127.0.0.1:8333 whereas "netstat -lp" shows that it is listening on all interfaces. I haven't easily found how to specify this.

suggestions?
riX
sr. member
Activity: 326
Merit: 254
February 04, 2010, 07:41:27 AM
#9
Maybe you could mirror the nodelist from the IRC-server over http or ftp if the load's not too high.
founder
Activity: 364
Merit: 7248
February 03, 2010, 07:30:50 PM
#8
When using proxy port 9050, it will only make one attempt to connect to IRC, then give up, since it knows it will probably always fail because IRC servers ban all the TOR exit nodes.  If you're using another port, it would assume it might be a regular old normal proxy and would keep retrying IRC at longer and longer intervals.  You should not use Polipo or Privoxy as those are http filters and caches that would corrupt Bitcoin's messages if they make any changes.  Bitcoin might be trying to overcome it by reconnecting.  You should use port 9050.

As riX says, the "is giving Tor only an IP address. Apps that do DNS..." warnings are nothing to worry about.  Bitcoin doesn't use DNS at all in proxy mode.

Since Bitcoin can't get through to IRC through Tor, it doesn't know which nodes are currently online, so it has to try all the recently seen nodes.  It tries to conserve connection attempts as much as possible, but also people want it to connect quickly when they start it up and reconnect quickly if disconnected.  It uses an algorithm where it tries an IP less and less frequently the longer ago it was successfully connected.  For example, for a node it saw 24 hours ago, it would wait 5 hours between connection attempts.  Once it has at least 2 connections, it won't try anything over a week old, and 5 connections it won't try anything over 24 hours old.
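An added example, not the client's own code, that models the retry policy described in the post above: attempts to a peer are spaced further apart the longer ago it was last seen, and the candidate set is cut to a week or a day once 2 or 5 connections are up. The post gives one data point (seen 24 hours ago, retry every 5 hours); the square-root growth used here is an assumption chosen to reproduce it, not a statement of what the original code computed.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

HOUR = 3600
DAY = 24 * HOUR
WEEK = 7 * DAY


@dataclass
class Peer:
    ip: str
    last_seen: int   # unix time the peer was last known to be online
    last_try: int    # unix time of our last connection attempt, 0 = never tried


def retry_delay(since_last_seen: int) -> int:
    """Seconds to wait between attempts to a peer last seen this long ago.
    Assumed model: one hour times the square root of the age in hours,
    which gives about 4.9 hours for a peer seen 24 hours ago."""
    hours = max(since_last_seen, 0) / HOUR
    return int(HOUR * math.sqrt(hours)) + 1


def max_peer_age(connections: int) -> Optional[int]:
    """Oldest peer worth trying given how many connections are already up
    (None = no age limit while we are nearly disconnected)."""
    if connections >= 5:
        return DAY
    if connections >= 2:
        return WEEK
    return None


def candidates(peers: List[Peer], now: int, connections: int) -> List[str]:
    """IPs eligible for a connection attempt at time `now`."""
    limit = max_peer_age(connections)
    eligible = []
    for p in peers:
        age = now - p.last_seen
        if limit is not None and age > limit:
            continue                       # too stale for the current state
        if p.last_try and now - p.last_try < retry_delay(age):
            continue                       # still in its backoff window
        eligible.append(p.ip)
    return eligible


if __name__ == "__main__":
    now = 1_000_000                        # constructed clock value
    peers = [                              # constructed peer table
        Peer("a", now - DAY, now - 6 * HOUR),
        Peer("b", now - DAY, now - 1 * HOUR),
        Peer("c", now - 2 * DAY, 0),
        Peer("d", now - 8 * DAY, 0),
    ]
    for n in (0, 2, 5):
        print(n, "connections ->", candidates(peers, now, n))
```

With the constructed table, peer b is skipped because its last attempt was only an hour ago, d drops out once two connections exist, and c once five do.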
legendary
Activity: 2646
Merit: 1722
https://youtu.be/DsAVx0u9Cw4 ... Dr. WHO < KLF
February 03, 2010, 10:31:33 AM
#7
OK thanks riX.

So, once Bitcoin has connected to at least one node then the -connect option will eliminate the 6667 warnings.

Is Bitcoin using any kind of 'peer exchange' or DHT because this still does not seem to prevent the constant Tor 'exit' warnings and therefore Tor's requirement to try a new 'exit' node for connection. (which is problematic ! For Tor anyway, not Bitcoin Wink ) This is really what I meant by "However, Bitcoin must try to connect with all nodes to check its not missing any blocks ?" I just communicated it incorrectly.

I2P would seem to be a much easier solution to implement to increase a Bitcoin user's anonymity.
http://forum.i2p2.de/viewtopic.php?t=3946&sid=213e3cd998db98c4511675ecbba17af4

I'm also testing JonDonym http://anonymous-proxy-servers.net/ (only the paid services support socks !) However, they do accept paysafecards which can currently be brought in exchange for Bitcoins. Grin
riX
sr. member
Activity: 326
Merit: 254
February 02, 2010, 05:36:56 PM
#6
"Your application (using socks5 on port xxxx) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider
using Socks4A (e.g. via polipo or socat) instead."
Bitcoin is using IP addresses, not hostnames, so there's no need for DNS. Tor thinks that since Bitcoin is trying to connect to an IP without looking it up through Tor's internal DNS, it's using regular DNS.


However, I still get occasional warnings for these ports 8333 (expected Bitcoin 'default') and 6667 (which if i'm not mistaken is an IRC port !?)
Bitcoin is using port 8333, even though it's relaying it through tor on port 9050..  Tongue
6667 is irc, bitcoin uses an irc-server to distribute the nodelist. (If you know the ip of another computer running bitcoin, you can specify the -connect option to avoid using the nodelist).


However, Bitcoin must try to connect with all nodes to check its not missing any blocks !
No, it's enough if you're just connected to one single node, as long as it's got a copy of the longest block-chain.
legendary
Activity: 2646
Merit: 1722
https://youtu.be/DsAVx0u9Cw4 ... Dr. WHO < KLF
February 01, 2010, 05:08:54 PM
#5
OK So, I tried to set up a pseudo-anonymous crypto 'Bitcoin Bank' experiment using Tor. Grin

Whilst it was mostly successful using the standard 9050 socks port 'default setup' i.e. I got connectivity to other Bitcoin nodes through Tor; I did encounter various issues and multiple Warning messages.

"Your application (using socks5 on port xxxx) is giving Tor only an IP address. Applications that do DNS resolves themselves may leak information. Consider
using Socks4A (e.g. via polipo or socat) instead."

https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#IkeepseeingthesewarningsaboutSOCKSandDNSandinformationleaks.ShouldIworry.3F

I eventually fixed this using Privoxy and Stunnel (because I'm more familiar with those). However, you could use Polipo and Stunnel.

However, I still get occasional warnings for these ports 8333 (expected Bitcoin 'default') and 6667 (which if I'm not mistaken is an IRC port !?)

Connecting Bitcoin through Tor also makes Tor repeatedly change exit nodes looking to establish 'missing' connections to a [scrubbed] address. At first I assumed that this was because Tor exits might be blocking port 8333 or 6667, but that is mostly not the case !

Other P2P applications through Tor can 'ignore' IP addresses that they cannot connect to and the application can still get the job done without 'warning'. However, Bitcoin must try to connect with all nodes to check its not missing any blocks ! So, if an IP range where only 1 Bitcoin node is running is blocking Tor exit nodes, then presumably this will always be the case ?

This is problematic for many reasons. Huh
legendary
Activity: 2646
Merit: 1722
https://youtu.be/DsAVx0u9Cw4 ... Dr. WHO < KLF
February 01, 2010, 04:36:47 PM
#4
I also run a Tor relay and exit node and had similar ideas for Tor integration with Bitcoin.

Tor can be very fast if you edit your config correctly. You just need to limit the connectivity with slow servers and only use the fastest nodes where possible. I also like to block any nodes in 'problem' internet countries, which also tend to have slower connectivity, this also increases overall privacy somewhat. I also block Unnamed, ididnteditheconfig, any servers that I don't like the name of and unstable servers.

This config. example is only good for non-relay / non-exit personal use. Although its great for P2P Smiley

AvoidDiskWrites 1

ExcludeNodes SlowServer,{sd},{pk},{tn},{ae},{by},{in},{bh},{th},{ye},{mm},{eg},{sg},{ma},{cu},{qa},{sa},{by},{md},{tm},{tr},{et},{jo},{sy},{om},{ir},{az},{uz},{kz},{kg},{af},{cn},{bd},{vn},{ng},{gh},{ro},{lb},{ru},{iq},{ly},{ve},{zw},{my},{mo},{kr},unnamed,ididnteditheconfig ...etc.

StrictEntryNodes 1

EntryNodes (Select Fast Entry and Authority Servers from http://trunk.torstatus.kgprog.com/index.php?Fast=0 )

StrictExitNodes 1

ExitNodes (Select Fast Exit Only from http://trunk.torstatus.kgprog.com/index.php?Fast=0 )

It's also a good idea to alter the time which Tor takes to automatically switch circuits and some other custom settings https://www.torproject.org/tor-manual.html

Hope this helps Wink
hero member
Activity: 490
Merit: 511
My avatar pic says it all
January 24, 2010, 03:52:59 PM
#3
Yeah, I2P is much easier to automate in that regard. I could setup some .onions manually and post them to the list to be used as seeds. I have always-on nodes that can just be tied to Tor with minimal effort.

I used to be a big advocate of Tor, but after I started using I2P I found it to be much, much better in a lot of ways. Biggest improvement is speed. Wink  Too bad they wrote it in Java.

I've been thinking about that for a while.  I want to add the backend support for .onion addresses and connecting to them, then go from there.

There aren't many .onion addresses in use for anything because the user has to go through a number of steps to create one.  Configure TOR to generate a .onion address, restart TOR, configure it with the generated address.  Perhaps this is intentional to keep TOR so it can't be integrated into file sharing programs in any sufficiently automated way.

founder
Activity: 364
Merit: 7248
January 20, 2010, 05:05:28 PM
#2
I've been thinking about that for a while.  I want to add the backend support for .onion addresses and connecting to them, then go from there.

There aren't many .onion addresses in use for anything because the user has to go through a number of steps to create one.  Configure TOR to generate a .onion address, restart TOR, configure it with the generated address.  Perhaps this is intentional to keep TOR so it can't be integrated into file sharing programs in any sufficiently automated way.
hero member
Activity: 490
Merit: 511
My avatar pic says it all
January 16, 2010, 06:22:55 PM
#1
Hello,

I have had another idea. Tongue

It would be very cool to be able to have TOR and I2P seeds. For example: I could run BT within TOR-land on a .onion address. A client could connect their BT to TOR and have it seed from a .onion address and use it as a connected peer. (Likewise for I2P: someone could run a .i2p service that is -- well -- BC).

I might setup a couple of nodes in this fashion and post the tunnels on this forum. I already run a lot of I2P and TOR nodes so adding BC to the mix is quite trivial.

I support the idea of making BC compatible with TOR and I2P to increase the privacy of the system. I mean: why re-invent the wheel? There are thousands of mix network nodes just sitting there that can be used to enhance BC. Cheesy

Cheers!
