Published on: 2015-08-19T18:51:11+00:00
In August 2015, concerns were raised about Bitcoin XT's privacy issue with its automatic Tor exit node list download. The code would still download the Tor exit node list, revealing the true location of the node, if the operator neglected to explicitly set -listen=0. Peter Todd noted that this was a feature of the software and not a bug. Gregory Maxwell removed the last "call home" feature in pull-req #5161 to address this issue, replacing previous calls to getmyip.com-type services with a local peer request. The DNS seeds were also modified to avoid leaking IP address information.Despite the privacy problem, Peter Todd acknowledged that Bitcoin XT was an improvement over the first implementation as it did not completely block the node once it filled up for the first time. However, he criticized Mike Hearn for making changes in the master code that did not correspond to peer-reviewed pull-req code.A user on the Bitcoin development mailing list pointed out that Bitcoin XT had a privacy issue with its automatic Tor exit node list download. The code would still download the Tor exit node list, revealing the true location of the node, if certain conditions were met. Gregory Maxwell made changes to address this issue, but there were concerns about the lack of clarity in describing the blacklisting feature and its default enabling. The anti-DoS measures were deemed ineffective, as connections were still made over clearnet, leaking the node's real location. Denial of service attacks could also be used to crash interesting nodes and force them to restart, making new requests to the blacklist endpoint via the clearnet. Requests to the blacklisting URL also used a custom Bitcoin XT user agent, making users distinct from other internet traffic.Another message on the Bitcoin-dev mailing list highlighted the privacy implications of Bitcoin XT's blacklisting feature, which periodically downloaded lists of Tor IP addresses. Enabled by default with a switch name that downplayed its function, this feature raised concerns about user privacy. The anti-DoS measures were easily bypassed, offering no protection. Connections were made over clearnet even when using a proxy or onlynet=tor, revealing the node's real location. Denial of service attacks could crash interesting nodes and force them to restart, making new requests to the blacklist endpoint. Requests to the blacklisting URL also used a custom Bitcoin XT user agent, distinguishing users from other internet traffic.In summary, Bitcoin XT had a privacy issue with its automatic Tor exit node list download, revealing the true location of the node under certain conditions. Changes were made to address this issue, but concerns were raised about the lack of clarity in describing the blacklisting feature and its default enabling. The anti-DoS measures were deemed ineffective, as connections were still made over clearnet, leaking the node's real location. Denial of service attacks could also be used to crash interesting nodes and force them to restart, making new requests to the blacklist endpoint. Requests to the blacklisting URL also used a custom Bitcoin XT user agent, making users distinct from other internet traffic.
Updated on: 2023-08-01T15:30:26.592098+00:00