Philipp Winter
Paper reviews

Bitcoin over Tor isn't a good idea

This paper claims that Bitcoin and Tor don't play well together, which leads to a number of weaknesses that limit, or even eliminate, the anonymity provided by Tor. In particular, a moderate-resource attacker is able to:

  1. See and control all Bitcoin traffic that is routed over Tor.
  2. Set a cookie on clients that can be used to link transactions.

An attacker can control all Tor-enabled Bitcoin traffic by setting up an exit relay and getting all other exit relays blacklisted by Bitcoin servers by making their anti-DoS feature kick in. That's done by sending malformed packets over all exit relays not controlled by the attacker. An attacker can also set up a bunch of Bitcoin server Sybils to further increase the scope of the attack.

The fingerprinting attack works by setting an "address cookie" on a given client using Bitcoin's ADDR and GETADDR peer discovery commands. These address cookies are basically bogus IP addresses that can later be recognised by the attacker. That way, an attacker can link Tor-enabled transactions to not-Tor-enabled transactions, thus deanonymising a Bitcoin client. Tor-enabled transactions can be linked together as well.

The authors write "We implemented this part of the attack: while the Tor consensus indicated that our relays allowed exiting on ports 80, 443, and 8333 for any IP address, the real exit policy of our relays was accepting port 8333 for a couple of IP addresses." This is not very nice because it harmed the Tor network. Clients that selected their exit relays for port 80 and 443 had their connections time out, which contributes to the belief that Tor is slow.

While the attacks seem practical, they aren't for free. An attacker needs several machines and IP addresses (for Bitcoin and Tor servers), some computational power (to brute-force public keys in order to manipulate Tor's DHT), as well as non-trivial bandwidth. The authors claim that the attacks require resources worth several thousand dollars a month.

Overall, all of this seems to be another example of a known problem: Programs that aren't designed to be used over Tor, in this case Bitcoin, wrongly treat the network as magical anonymity box. The same is true for BitTorrent. It takes a lot of work to make a protocol or an application play well with Tor. We can see this in Tor Browser, whose developers spend a lot of time defending against Web-based deanonymisation threats.


Last updated: 2015-07-14