doc: Tor Only Sybil Warnings #25884

pull Rspigler wants to merge 1 commits into bitcoin:master from Rspigler:tor_docs changing 1 files +14 −1
  1. Rspigler commented at 3:33 AM on August 20, 2022: contributor

    Tor doc changes re: sybil and network partitioning #22316

  2. in doc/tor.md:223 in 3486996f71 outdated 
     220 | +## 4. Security recommendations
 221 |  
 222 | -- Do not add anything but Bitcoin Core ports to the onion service created in section 3.
 223 | +Do not add anything but Bitcoin Core ports to the onion service created in section 3.
 224 |    If you run a web service too, create a new onion service for that.
 225 |    Otherwise it is trivial to link them, which may reduce privacy. Onion
    vasild commented at 4:52 AM on August 20, 2022:

    That text is strictly about privacy, not security. Better leave the heading as ## 4. Privacy recommendations and add new one 5. for security

  3. in doc/tor.md:227 in 3486996f71 outdated 
     224 |    If you run a web service too, create a new onion service for that.
 225 |    Otherwise it is trivial to link them, which may reduce privacy. Onion
 226 |    services created automatically (as in section 2) always have only one port
 227 |    open.
 228 | +  
 229 | +**Sybil Attacks**
    vasild commented at 4:53 AM on August 20, 2022:

    Here:

    ## 5. Security considerations

### Sybil Attacks ###
  4. in doc/tor.md:229 in 3486996f71 outdated 
     226 |    services created automatically (as in section 2) always have only one port
 227 |    open.
 228 | +  
 229 | +**Sybil Attacks**
 230 | +
 231 | +  If you only make random Tor connections, you're much more vulnerable to Sybil attacks.
    vasild commented at 4:56 AM on August 20, 2022:

    All this applies to I2P and CJDNS too. Should we put this text in a new doc/network_security.md and mention Tor/I2P/CJDNS there? (if "yes", then the above 2 suggestions are irrelevant)

    Rspigler commented at 5:21 AM on August 20, 2022:

    Or should we just mention the sybil risk in each doc? What else would be placed in the security doc? For example, would #25883 be placed there

    jonatack commented at 11:05 AM on August 20, 2022:

    FWIW we do already mention the Sybil risk in the I2P doc (and the smaller anonymity set in both the I2P and CJDNS docs):

    I2P support was added to Bitcoin Core in version 22.0 and there may be fewer I2P
peers than Tor or IP ones. Therefore, using I2P alone without other networks may
make a node more susceptible to [Sybil
attacks](https://en.bitcoin.it/wiki/Weaknesses#Sybil_attack). You can use
`bitcoin-cli -addrinfo` to see the number of I2P addresses known to your node.
    vasild commented at 5:27 PM on August 24, 2022:

    Or should we just mention the sybil risk in each doc?

    Yeah. That is an option, with the obvious drawback of having 3 copies of the text and that each change has to be applied to 3 places. That is strictly "no-no" for source code, less I guess, for documentation.

    What else would be placed in the security doc?

    I do not know. If the common text is just for Sybil, then maybe doc/sybil.md and refer it from here?

    For example, would #25883 be placed there

    I don't think so. The config also applies to other aspects (e.g. wallet), not just "network security".

  5. in doc/tor.md:239 in 3486996f71 outdated 
     236 | +  (even if they're onion addresses). It's also alleviated with IPv4/IPv6 connections (especially when using the `-asmap`
 237 | +  configuration option) due to the cost of obtaining IPs in many networks.
 238 | +
 239 | +  If all of your connections are controlled by a Sybil attacker, they can easily prevent you from seeing confirmed
 240 | +  transactions and, with more difficulty, even trick your node into falsely reporting a transaction as confirmed
 241 | +  on the blockchain with the most cumulative “chainwork”.
    vasild commented at 5:02 AM on August 20, 2022:

    When describing what a Sybil attack is, would it be be better to link to an external source like https://en.bitcoin.it/wiki/Weaknesses#Sybil_attack which is more exhaustive, rather than trying to reproduce it here?

    Rspigler commented at 5:20 AM on August 20, 2022:

    I don't think we should be linking to external sources in our docs (and I think that's been our policy previously)

    jonatack commented at 10:59 AM on August 20, 2022:

    Would invert the order of the above two paragraphs so that the addnode one is after the Sybil attack description, perhaps mention that a connection to a single honest peer is enough to thwart an attempted eclipse, and perhaps bring I2P and CJDNS into the discussion -- bitcoind users have more options than clearnet and Tor.

    jonatack commented at 11:06 AM on August 20, 2022:

    I don't think we should be linking to external sources in our docs (and I think that's been our policy previously)

    We already link to https://en.bitcoin.it/wiki/Weaknesses#Sybil_attack in doc/i2p.md. (I don't have a strong opinion in this case, just pointing out that it's there.)

    vasild commented at 5:33 PM on August 24, 2022:

    I know links can break, but we can't really copy-paste the whole wisdom of the Internet into the doc/ directory. Maybe summarize in 1 sentence what is a Sybil attack and mention e.g. "for more information see https://..." so that if the link breaks, it would not render our doc useless. No strong opinion.

  6. in doc/tor.md:245 in 3486996f71 outdated 
     242 | +
 243 | +**Network Partitioning**
 244 | +
 245 | +  If too many nodes use `onlynet=onion`, it could become difficult for onion nodes to communicate with clearnet nodes,
 246 | +  preventing the Tor network from seeing recent transactions and blocks. It is essential that some nodes access both
 247 | +  clearnet and Tor.
    vasild commented at 5:05 AM on August 20, 2022:

    I am not sure I grasp this. Do you mean the following:

    If all nodes that connect to the Tor network use onlynet=onion, it would be impossible for onion nodes to communicate with the rest of the network...

    Rspigler commented at 5:33 AM on August 20, 2022:

    Those nodes could still have incoming connections. But the concern is the network partitioning risk from having a super majority of Tor nodes only having outgoing connections to the Tor network. Many people think Tor-only is the safest, but there are many risks which I think is important to state in the docs

    jonatack commented at 10:53 AM on August 20, 2022:

    "it could become difficult for onion nodes to communicate with clearnet nodes" -> maybe "clearnet, I2P, and CJDNS nodes"

    vasild commented at 6:37 PM on August 24, 2022:

    If too many nodes use onlynet=onion

    This is probably not what you want to say. It means that if now many (e.g. 1000) new nodes are added that use onlynet=onion this would be a problem somehow. I think the concern here is about the ratio of "nodes that access the Tor network + other networks" / "nodes that access the Tor network only".

    preventing the Tor network from seeing recent transactions and blocks

    This implies that recent transactions and blocks are created outside of the Tor network. But some could be first/only broadcast in the Tor network.

    Suggestion:

    If too many of the Tor nodes use onlynet=onion, it could become difficult for Tor nodes to communicate with the rest of the network, increasing the chance of network partitioning. It is essential that some nodes access Tor nodes and nodes on other networks.

  7. MarcoFalke renamed this:
    Tor Only Sybil Warnings
    doc: Tor Only Sybil Warnings
    on Aug 20, 2022
  8. PulpCattel commented at 8:04 AM on August 20, 2022: none

    I'm curious why nobody ever mentions the difference (which seems quite big to me) between targeted and non-targeted Sybil attack. As added in this PR:

    As Tor addresses may be created at no cost, an attacker can potentially flood the network with many Tor nodes and receive all of the outbound Tor connections an onlynet=onion node makes.

    This is clearly non-targeted and it's an attack against the entire network. Onion connections are anonymous, so the attacker can't easily (hopefully not at all) distinguish users. Therefore, this is much easier to spot as an attack and it can't be directed efficiently against one single peer.

    On the other hand, clearnet, as much as:

    It's also alleviated with IPv4/IPv6 connections (especially when using the -asmap configuration option) due to the cost of obtaining IPs in many networks.

    appears to me much more vulnerable to targeted attack (your IP address can make you a sitting duck.), which are much harder to spot.

    Is this ignored because it's considered an irrelevant distinction, or are there other reasons? To be clear, I agree with the warnings added in this PR, I'm just curious as to why the arguments above are not considered/expressed.

  9. DrahtBot added the label Docs on Aug 20, 2022
  10. jonatack commented at 11:09 AM on August 20, 2022: contributor

    (Before the next push, remove the extra spaces and run test/lint/lint-whitespace.py locally to be sure you fixed the linter failure).

  11. doc: Tor Sybil warning 09beadc32b
  12. Rspigler force-pushed on Aug 21, 2022
  13. naumenkogs commented at 7:51 AM on August 24, 2022: member

    Concept ACK. Seems like a worthy doc improvement, but the text is far from perfect. I won't overwhelm the discussion with my suggestions for now, and come by once the other comments are addressed.

  14. Rspigler commented at 11:20 PM on August 24, 2022: contributor

    I picked up all the suggestions, and am making a sybil.md doc

  15. Rspigler closed this on Aug 24, 2022
  16. bitcoin locked this on Aug 24, 2023
Contributors
RspiglervasildjonatackPulpCattelnaumenkogs
Labels
Docs
Linked (view graph)
#22316 doc: Add 5 privacy recommendations in tor.md#25927 docs: create sybil.md
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-14 21:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me