doc: Add 5 privacy recommendations in tor.md #22316

pull ghost wants to merge 1 commits into bitcoin:master from changing 1 files +37 −0
  1. ghost commented at 12:29 AM on June 23, 2021: none
    • Tor bridges
    • Disable listening for max privacy
    • Torsocks
    • onlynet=onion trade-offs
    • Deleting onion_v3_private_key is not one of the 'best practices'

    I have divided #21157 in 3 parts (Alternative to PR 21157):

    1. This PR for privacy recommendations
    2. DNS requests: #22317
    3. Will plan how to add examples in a better way later this week
  2. DrahtBot added the label Docs on Jun 23, 2021
  3. fanquake commented at 12:37 AM on June 23, 2021: member

    I have divided #21157 in 3 parts (Alternative to PR 21157):

    Why?

  4. ghost commented at 12:48 AM on June 23, 2021: none

    Why?

    1. It will be easier to review and get merged soon IMO if enough people agree on changes
    2. Earlier PR had a bigger scope with title as "Improve Tor docs", was difficult to add every suggestion and made no sense in keeping basic doc improvements pending for months.
    3. Few reviewers had issues with the "examples" part and "DNS requests" thing in previous PR. Keeping things separate and specific to one type of changes in a PR should help.
    4. Lot of comments in previous PR. It's difficult for anyone trying to review and read all the conversation however I don't want the contribution by everyone in the previous PR to be wasted so proposing a better alternative with changes in separate PRs.
  5. DrahtBot commented at 12:53 AM on June 23, 2021: member

    <!--e57a25ab6845829454e8d69fc972939a-->

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    <!--174a7506f384e20aa4161008e828411d-->

    Conflicts

    No conflicts as of last run.

  6. jarolrod commented at 1:03 AM on June 23, 2021: member

    my opinion is don't split up #21157. Splitting up #21157 adds greater burden on reviewers and burden on you with required rebases.

    While #21157 has required a lot of review attention, I don't think that splitting it up will make it easier to merge. If there is discussion to be had and reviewers still have feedback, seems suboptimal to split up this discussion over three PR's which all have the same purpose: to improve the tor docs.

    If you have made the decision to split up #21157, then you should close it in favor of the three separate PR's.

  7. ghost commented at 1:19 AM on June 23, 2021: none

    three PR's which all have the same purpose: to improve the tor docs.

    'Improving docs' is a bigger scoping of PR which is not helping in any way. Changes to docs that are specific get merged or rejected soon.

    If you have made the decision to split up #21157, then you should close it in favor of the three separate PR's.

    Done

  8. Rspigler commented at 4:56 AM on June 23, 2021: contributor

    ACK commit b7d465aa6d14b46c96870930679d6d5cb0b3b6f0

    I think splitting the PR up how you have is beneficial (I had issues with the examples you added, but like this change and the DNS change in 22317).

  9. Rspigler commented at 5:01 AM on June 23, 2021: contributor

    Please tag when examples PR is added

  10. in doc/tor.md:245 in b7d465aa6d outdated 
     240 | +
 241 | +  **Sybil Attacks**
 242 | +
 243 | +  On the other hand, if you only make random Tor connections, you're much more vulnerable to Sybil attacks.
 244 | +  As Tor addresses may be created at no cost, an attacker can potentially flood the network with many Tor
 245 | +  nodes and receive all of the outbound Tor connections an `onlynet=tor` node makes.
    kristapsk commented at 7:39 AM on June 23, 2021: 
      nodes and receive all of the outbound Tor connections an `onlynet=onion` node makes.
  11. kristapsk changes_requested
  12. in doc/tor.md:247 in b7d465aa6d outdated 
     242 | +
 243 | +  On the other hand, if you only make random Tor connections, you're much more vulnerable to Sybil attacks.
 244 | +  As Tor addresses may be created at no cost, an attacker can potentially flood the network with many Tor
 245 | +  nodes and receive all of the outbound Tor connections an `onlynet=tor` node makes.
 246 | +
 247 | +  This is significantly less a concern with IPv4/IPv6 (especially with asmap) due to the cost of obtaining IPs in many
    jonatack commented at 8:33 AM on June 23, 2021: 
      This is significantly less a concern with IPv4/IPv6 (especially when using the -asmap configuration option) due to the cost of obtaining IPs in many
  13. in doc/tor.md:248 in b7d465aa6d outdated 
     243 | +  On the other hand, if you only make random Tor connections, you're much more vulnerable to Sybil attacks.
 244 | +  As Tor addresses may be created at no cost, an attacker can potentially flood the network with many Tor
 245 | +  nodes and receive all of the outbound Tor connections an `onlynet=tor` node makes.
 246 | +
 247 | +  This is significantly less a concern with IPv4/IPv6 (especially with asmap) due to the cost of obtaining IPs in many
 248 | +  networks. It's also alleviated if you make `-addnode` connections to trusted peers (even if they're onion addresses).
    jonatack commented at 8:34 AM on June 23, 2021:

    I'd put -addnode before IPv4/6 as it's a concrete step that Tor users can take.

  14. RiccardoMasutti approved
  15. RiccardoMasutti commented at 11:16 AM on June 23, 2021: contributor

    ACK 2c18e7f

  16. lsilva01 approved
  18. Rspigler commented at 8:17 AM on June 25, 2021: contributor

    Good changes. ACK 2c18e7f6614d665f4eb9891f83391a5317e7d113 Apologies for missing the onlynet=onion/tor mistake

  19. ghost commented at 11:36 AM on June 25, 2021: none

    I think there is grammatical error but not sure:

    --- a/doc/tor.md
+++ b/doc/tor.md
@@ -245,7 +245,7 @@ for normal IPv4/IPv6 communication, use:
   As Tor addresses may be created at no cost, an attacker can potentially flood the network with many Tor
   nodes and receive all of the outbound Tor connections an `onlynet=onion` node makes.

-  This is significantly less a concern with if you make `-addnode` connections to trusted peers
+  This is significantly less a concern if you make `-addnode` connections to trusted peers
   (even if they're onion addresses). It's also alleviated with IPv4/IPv6 (especially when using the -asmap
   configuration option) due to the cost of obtaining IPs in many networks.
  20. Rspigler commented at 10:08 PM on June 25, 2021: contributor

    Yes, that change should be made, thanks!

  21. in doc/tor.md:253 in 93eb7c9ea4 outdated 
     248 | +  This is significantly less a concern if you make `-addnode` connections to trusted peers
 249 | +  (even if they're onion addresses). It's also alleviated with IPv4/IPv6 (especially when using the -asmap
 250 | +  configuration option) due to the cost of obtaining IPs in many networks.
 251 | +
 252 | +  If all of your connections are controlled by a Sybil attacker, they can easily prevent you from seeing confirmed
 253 | +  transactions  and, with more difficulty, even trick your node into falsely reporting a transaction as confirmed
    Rspigler commented at 7:08 PM on June 28, 2021:

    double space between transactions and and

    unknown commented at 5:38 AM on June 30, 2021:

    Removed extra space in https://github.com/bitcoin/bitcoin/commit/45c1bfa90d70b334f5b5a025d785477980f239ee

  22. Rspigler commented at 7:10 PM on June 28, 2021: contributor

    tiny nit

  23. Add 5 privacy recommendations
    - Tor bridges
- Disable listening for max privacy
- Torsocks
- `onlynet=onion` trade-offs
- Deleting `onion_v3_private_key` not best practice
    45c1bfa90d
  24. in doc/tor.md:231 in 45c1bfa90d 
     222 | @@ -223,3 +223,40 @@ for normal IPv4/IPv6 communication, use:
 223 |    Otherwise it is trivial to link them, which may reduce privacy. Onion
 224 |    services created automatically (as in section 2) always have only one port
 225 |    open.
 226 | +
 227 | +- In some regions of the world the Tor network is monitored or blocked.
 228 | +  If you are in an environment that does not permit direct Tor connections or the use
 229 | +  of Tor bridges, then considering the trade-offs, it may not be safe to use Tor.
 230 | +
 231 | +- For maximum privacy, it is preferable to disable accepting incoming connections.
    luke-jr commented at 5:55 AM on June 30, 2021:

    This seems like bad advice. Incoming connections should be encouraged, and any potential privacy risks addressed.

    unknown commented at 6:17 AM on June 30, 2021:

    Bitcoin Core behind a tor proxy with no incoming connections is better for privacy in comparison to listening over Tor IMO. It was suggested by @gmaxwell and reviewers(Sipa and Jonatack) in previous PR had no issues with it:

    #17491 (comment) #21157 (review)

    luke-jr commented at 2:24 PM on June 30, 2021:

    Both of these appear to be talking about security, not privacy. And not as general advice, but as super-paranoia.

    unknown commented at 2:51 PM on June 30, 2021:

    This comment by Sipa specifically mentioned privacy: #21157 (review)

    Rspigler commented at 8:01 PM on June 30, 2021:

    re: not encouraging this setting; I think the section on Sybil Attacks and Network Partitioning covers that, right?

    jonatack commented at 8:14 PM on June 30, 2021:

    I think many users will read this and go "oh good, I want maximal privacy, so I'll disable listening." IMO the statement as it is, and placed where it is, lacks nuance and context. Privacy is a slippery and multifaceted thing with a number of tradeoffs; I'm not sure that discussion should be in this doc, but it probably should be if advice like this is given in the repository, as any such advice here might be seen as a reference.

    jonatack commented at 8:18 PM on June 30, 2021:

    Also, some of the thoughts here may also pertain to other privacy networks, e.g. I2P and perhaps others at some point like CJDNS. Should there be privacy recommendations in each doc, or rather in one place (doc/privacy.md?) that interrelates between the networks.

    unknown commented at 12:24 AM on July 1, 2021:

    IMO the statement as it is, and placed where it is, lacks nuance and context

    Agree

    I'm not sure that discussion should be in this doc

    1. This doc had a section for privacy recommendations
    2. I am trying to share few things that I learnt during different conversations about privacy, relevant to this doc and can help others

    as any such advice here might be seen as a reference

    They should be used as reference. I had two options when I started researching about these things:

    1. Share my thoughts and discuss on social media about it. Few people will read it and forget it.
    2. Create a pull request with basic things that can be added, discuss with PR reviewers and help more users know about it in a better way.

    I think 2 works better.

    Example: Deleting onion_private_key is mentioned on multiple websites: Bitcoin Wiki, Bisq Wiki etc. Editing every wiki, commenting on each social media post, etc. will take lot of time and people will still believe what they read in docs and not me.

    Should there be privacy recommendations in each doc, or rather in one place (doc/privacy.md?) that interrelates between the networks.

    I think i2p and Tor have few similarities and differences. It's better we have separate docs and maintain privacy recommendations separately but have no issues with doc/privacy.md suggestion. I have added few things in a different repository used by lot of people to learn Bitcoin from command line:

    Differences: https://github.com/BlockchainCommons/Learning-Bitcoin-from-the-Command-Line/blob/master/15_0_Using_i2p.md

    Trade-offs: https://github.com/BlockchainCommons/Learning-Bitcoin-from-the-Command-Line/blob/master/15_1_i2p_service.md

  25. in doc/tor.md:240 in 45c1bfa90d 
     235 | +
 236 | +- Trade-offs involved in using `onlynet=onion`:
 237 | +
 238 | +  The `onlynet=onion` configuration option can potentially ensure the node attempts to only
 239 | +  connect over Tor. It is more private when you combine it with no reachable IPv4/IPv6 address,
 240 | +  in particular if you want to broadcast transactions without them being correlatable with your IP.
    luke-jr commented at 5:57 AM on June 30, 2021:

    This is bad advice. Tor is a centralised network, and using it as your only network puts the user at risk for no benefit. It isn't more private, as it doesn't do anything to stop the "cookies" (UTXO/address relationships) Bitcoin wallets need to work.

    unknown commented at 6:17 AM on June 30, 2021:

    I think 'more private' here is a comparison between onlynet=onion and onlynet=onion + bind=onion. This was suggested by @sipa in #21157 (review)

    jonatack commented at 6:33 AM on June 30, 2021:

    I relate to Luke's feedback and am a bit uncomfortable with the lines of advice he points out; maybe they could use more nuance and context. Otherwise, they seem likely to be misinterpreted or followed somewhat blindly.

    unknown commented at 12:30 AM on July 1, 2021:

    maybe they could use more nuance and context

    Agree

  26. luke-jr changes_requested
  27. ghost commented at 7:50 PM on July 12, 2021: none

    @jonatack @luke-jr write your own recommendations when you feel like that everyone agree to

  28. unknown closed this on Jul 12, 2021
  29. achow101 referenced this in commit 869c6e23c5 on Jan 18, 2022
  30. sidhujag referenced this in commit f0028afd3e on Jan 18, 2022
  31. DrahtBot locked this on Aug 16, 2022
Contributors
ghostfanquakeDrahtBotjarolrodRspiglerkristapskjonatackRiccardoMasuttilsilva01luke-jr
Labels
Docs
Linked (view graph)
#21157 doc: Improve Tor docs#22317 doc: Highlight DNS requests part in tor.md#25884 doc: Tor Only Sybil Warnings
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-14 18:14 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me