Post by Peter Todd via bitcoin-dev
BIP151 gives users the tools to detect a MITM attack.
It's kinda like PGP in that way: lots of PGP users don't properly check keys,

Post by Peter Todd via bitcoin-dev
so an attacker won't have a hard time MITM attacking those users. But some
users do check keys, a labor intensive manual process, but not a process that
requires any real cryptographic sophistication, let alone writing any code.
It's very difficult for widescale attackers to distinguish the users who do
check keys from the ones that don't, so if you MITM attack _any_ user you run
the risk of running into one of the few that does check, and those users can
alert everyone else.
The key thing, is we need to get everyones communications encrypted first: if
we don't the MITM attacker can intercept 99% of the communications with 0% risk
of detection, because the non-sophisticated users are trivially distinguishable from the sophisticated users: just find the users with unencrypted
communications!
--

Post by Jonas Schnelli via bitcoin-dev
BIP151 would increase the risks for MITM attackers.
What are the benefits for Mallory of he can't be sure Alice and Bob may
know that he is intercepting the channel?

Post by Jonas Schnelli via bitcoin-dev
MITM is possible today, it would still be possible (though under higher
costs) with BIP151.
With BIP151 we would have the basic tool-set to effectively reduce the
risks of being MITMled.
IMO we should focus on the risks and benefits of BIP151 and not drag
this discussion into the realm of authentication. This can and should be
done once we have proposals for authentication (and I'm sure this will
be a heated debate).
The only valid risk I have on my list from you, Eric, is the false sense
of security.
My countermeasure for that would be...
- deploy BIP151 together with the simplest form of authentication
(know_hosts / authorized_keys file, no TOFU only editable "by hand")
- make it more clear (in the BIP151 MOTIVATION text) that it won't solve
the privacy/MITM problem without additional authentication.
Or could you elaborate again – without stepping into the realm of
authentication/MITM (which is not part of the BIP or possible already
today) – why BIP151 would make things worse?
</jonas>

Post by Eric Voskuil via bitcoin-dev
The proliferation of node identity is my primary concern - this relates to privacy and the security of the network.

Post by Eric Voskuil via bitcoin-dev
Secondarily I am concerned about users operating under a false assumption about the strength of privacy.

Post by Eric Voskuil via bitcoin-dev
The complexity of the proposed construction is comparable to that of Bitcoin itself.

Post by Eric Voskuil via bitcoin-dev
wallets as its justifying scenario.
sounds like the bip text should make the
The Bitcoin network does not encrypt communication between peers today.
This opens up security issues (eg: traffic manipulation by others) and
allows for mass surveillance / analysis of bitcoin users. Mostly this is
negligible because of the nature of Bitcoins trust model, however for SPV
nodes this can have significant privacy impacts [1] and could reduce the
censorship-resistance of a peer."
This is not an example, this is the exception that is described as
"significant" in comparison to the other issues, which are described as
"negligible".
The Bloom filters messages are of course the unique aspects of the
protocol as it pertains to "SPV".
The RISKS section declares that the BIP cannot prevent MITM attacks and
that "identity authentication" will be defined in a forthcoming BIP.
The obvious implication (accepted by the author) is that authentication is
required to prevent a MITM attack, and furthermore establishment of
identity will be required to ensure that the authenticated party is not a
bad actor.
for the transactions they originate within the protocol against network
observers.
observing the network.
low cost.
This is a straw man, as the BIP does not state that its objective is to
moderately raise the cost of passive attack against large numbers of users.
It is also a red herring, as passivity is not itself a benefit. It implies
that the attack is easier and therefore less costly. But a trivial active
attack may be a larger security problem than a complex passive attack.
Attacks against privacy under this BIP (and with authentication) can be
carried out by passively monitoring traffic and operating one or more
nodes. Operating a node may be considered "active" because the node
communicates, but technically it is not. In either case the activeness
itself hardly raises the difficulty, especially for a global (thousands of
users) passive attacker.
Depending on the attacker, cost may not be an issue at all, so raising it
can have zero effect. Certainly we are not talking about prohibitive
(cryptographically hard) cost. Raising the cost *any* amount is not likely
a reasonable cost-benefit tradeoff.
Privacy attacks would remain entirely undetectable under this proposal,
and under any additional proposal that required authentication in the
absence of identity. Only with all users of the network identified as
"good" would such proposals be effective. Until that point any bad actors
can become an integral part of the network. I will investigate the question
of identity in a follow-up to an independent post.
attack to determine what the node has sent.
It cannot be both impossible ("not against Bitcoin Core") and limited in
effectiveness ("obviously there are limits").
We should be clear at this point that the transaction-posting security
provided against a privacy attack, based on the assumption of "good"
(identified) peers in the first few hops, derives entirely from the ability
of the good peers to break the timing attack, which is itself "limited".
This is a compound pair of weak assumptions, that to be made stronger will
require widespread use of identity (not just authentication).
The proliferation of node identity is my primary concern - this relates to
privacy and the security of the network. Secondarily I am concerned about
users operating under a false assumption about the strength of privacy.
Thirdly I am concerned about the risk of vulnerability introduced by the
integration into the P2P network layer of an totally new network security
scheme. Fourthly I'm concerned about the cost of the above based on the
belief that the benefit may not be material and that it may lead to
increased centralization.
encrypted, unencrypted later hops would rapidly
network.
authenticated, and all participants are known to be good guys. Starting to
sound like PKI?
Described as "limited" in effectiveness, and clearly useful only if these
hops are not attacker nodes.
So back to my comment on how we maintain a pool of "good" nodes for people
to connect to, and raising the question of how effective is this strategy
(which is itself unspecified and so cannot be assumed to even exist in the
context of the BIP).
provide protection against partitioning sybils.
fact retaining the other links enables the attack you described above. Of
course there is no need to worry about Sybil attacks when all of your peers
are authenticated. But again, let us not ignore the problems of requiring
all peers on the network be authenticated.
vulnerability-- so long as an active network attacker isn't
Don't want them as peers for the purpose of tx relay. As I said this,
"enables the attack you described above."
This whitelisting is simply a stand-in for a more formal identity system.
One doesn't whitelist anonymous peers, one whitelists peers controlled by
trusted parties. Preferring trusted peers is another aspect of trying to
break the timing attack. So I would lump this under the same analysis as
above (batching).
that the BIP is not effective without it. I did not mean to imply that the
BIP itself implements an identity scheme. I thought this was clear from the
context.
all_unless users have secure communication channels to share addresses.
This is true but not relevant. The parties with whom we transact are not
in the same space as the nodes with which we connect. The fact that I am
face-to-face with a counterparty does not help me find a "good" node, nor
does my ability to PGP email a payment address or to send a stealth address
in the clear.
But the fact that you raise this point is itself instructive. The solution
that was devised to resolve the problem of verifying that a counterparty is
who one thinks it is ended up being based on the use of certificate
authorities - despite the fact the the BIP did not require this. Some
people consider this extremely dangerous for Bitcoin, enough so that Peter
Todd recently proposed scrapping the BIP.
It's not clear to me how the Bitcoin community intends to establish what
nodes are good nodes. But one thing is certain, any anonymous node may be
an undetectable attacker.
nodes will necessarily have to connect with anonymous peers.
partition resistance requires that you have any one good link.
As a minimum requirement, it implies that only need only to connect to one
or more "good" peers. Anonymous peers are gravy for partition resistance,
yet they are potential attackers for tx tainting. In other words the
logical topology is to only connect to good peers. That is a problem.
very effective.
See above commentary on the irrelevance of this distinction.
concern I have raised.
I don't get your point here. It seems like you are just trying to antagonize.
At this point I think it's fair for me to say that nobody needs your permission.
Have you ever debated an optional feature proposal?
e
_______________________________________________
bitcoin-dev mailing list
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

Post by Arthur Chen via bitcoin-dev
I strongly agree!
In crypto we should always follow well-studied open standard rather than
custom construction.
On Fri, Jul 1, 2016 at 10:42 PM, Zooko Wilcox via bitcoin-dev <
--
Xuesong (Arthur) Chen
Senior Principle Engineer
BlockChain Technologist
BTCC