
Tor exit node attacks how to protect yourself?

Again I am new to both Whonix and Linux, I tried installing a btc multibit client and abandoned it as it required Java to work and I just didn’t like the interface. My question is pertaining to Tor exit node attacks. Since I have been introduced to btc I have been using the clearnet for btc transactions mainly because I had heard so many horror stories about people getting their coins stolen while conducting btc transactions on Tor. They say that 99% of all malware and viruses are written for Windows and Mac and there are very few viruses for Linux. If I were to start conducting btc transactions on Tor using Whonix is there anything I can do to protect myself from exit node attacks?
From the reading I have done it seems that the majority of exit node attacks are after btc. Being so new to all this I feel that while Tor/Whonix grants anonymity you are also in the same world with some of the best hackers/crackers with no virus protection. Is there anything I can do particularly when it comes to btc to increase security and safety while conducting btc transactions on Whonix?

Good day,

may I ask you who told you, that exit nodes would be capable of “stealing” bitcoins in any way, shape or form? Since, if that would be possible, first of all, bitcoin wouldn’t be a currency in the first place. That’s the beauty of bitcoins, that, thanks to technologies like “blockchains”, which allow anyone to track and supervise transactions, giving it similar oversight to source codes and the way the network necessitates for every transaction to be verified, they can’t be stolen out and about. Every case of bitcoin theft I’ve heard of, happened directly on a target’s computer and was the result of bad security and an easy password. Now, regarding the “99% virus thing”, someone saying such a thing in this particular manner is only partially qualified to explain technology to you, since this may be true to a certain degree (though I would go for maybe 70%) in the home user market, however, Linux is used in so many ways, that simply talking in such absolutes is incorrect. Furthermore, malware these days actually becomes more and more “cross platform”, similarly to games in that they simply compile it for as many operating systems as possible. As a bitcoin client I’d recommend “Electrum”, simply for its small size. And as an added security measure, a proper pass phrase.

Have a nice day,

Ego

We have some page generally:

Also a chapter about bitcoin:

I may need some rework here and there. And it’s missing one advice: add multiple [trusted] bitcoin nodes that are available as Tor hidden services. As in bitcoin-qt terms “addnode”.
(https://en.bitcoin.it/wiki/Fallback_Nodes)
(Tor hidden services prevent Tor exit relays from tampering with traffic.)

“Bitcoin over Tor isn’t a good idea”:
http://arxiv.org/abs/1410.6079
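
An added example, not part of the post above or of Whonix's documentation: a small audit of a bitcoin.conf-style file that checks the "addnode" advice, flagging peers that are not onion services and configs with fewer than two onion peers. The onion hostnames, proxy address and the `audit` helper are constructed for illustration; `addnode`, `connect`, `onlynet` and `proxy` are existing Bitcoin Core options.

```python
import re

# v3 onion hostname: 56 base32 characters plus ".onion"
ONION_V3 = re.compile(r"^[a-z2-7]{56}\.onion$")

# Constructed placeholders, not real nodes.
NODE_A = "a" * 56 + ".onion"
NODE_B = "b" * 56 + ".onion"

# Constructed sample: one onion peer and one clearnet peer (documentation IP).
WEAK_CONF = f"""
proxy=127.0.0.1:9050
addnode={NODE_A}:8333
addnode=203.0.113.5:8333
"""

# Constructed sample: only onion peers, automatic peers limited to onion.
HARDENED_CONF = f"""
proxy=127.0.0.1:9050
onlynet=onion
addnode={NODE_A}:8333
addnode={NODE_B}:8333
"""

def parse_conf(text):
    """Return (key, value) pairs, skipping comments and section headers."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs

def audit(text, min_onion_peers=2):
    """List findings for peers that would be reached through an exit relay."""
    pairs, findings, onion_peers = parse_conf(text), [], 0
    for key, value in pairs:
        if key not in ("addnode", "connect"):
            continue
        host = value.rsplit(":", 1)[0] if ":" in value else value
        if ONION_V3.match(host.lower()):
            onion_peers += 1
        else:
            findings.append(f"{key}={value}: not an onion service")
    if onion_peers < min_onion_peers:
        findings.append(f"only {onion_peers} onion peer(s) configured")
    if ("onlynet", "onion") not in pairs:
        findings.append("onlynet=onion not set: automatic peers may be clearnet")
    return findings
```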

Good day,

I’ve just read (or rather glossed over) the “Bitcoin over Tor isn’t a good idea paper” and maybe I’m missing the point, but doesn’t what the gentleman wrote there only apply to people providing bitcoin nodes over the Tor-network, not the ones using them? All the other things they show don’t necessarily apply to Bitcoin over Tor, but Tor in general (like the classic Sybil attack) or they apply to Bitcoin in general (like the 10% attack). Am I missing the point? Because as far as I was able to understand it, what these guys propose is irrelevant, for someone using Bitcoins as payment over Tor.

Have a nice day,

Ego

Thank you for all of your responses,

Yes Ego that is the paper I read as well. I also saw instances where a friend of mine who was using the blockchain mobile client which was fairly new at the time and it is possible the hack that caused him to lose his btc was a result of a bug that was exploited. At this point I am not using a btc client rather just logging into blockchain, what are the benefits to using a client versus the regular blockchain? Lastly, so you are saying btc transactions are safe over tor as long as you have a good passphrase and 2FA?

Thanks again

That paper does not apply to web based bitcoin ewallets. The important thing to keep in mind when using ewallets over Tor, and also generally, are man-in-the-middle attacks.

“logging into blockchain”
“regular blockchain”

These terms make no sense to me in that context.

https://blockchain.info/wallet ?

“what are the benefits to using a client versus the regular blockchain”

Local wallets are only stored on local disk.

No website operator could do a denial of service or steal the money. With an ewallet they can do this -> https://www.whonix.org/wiki/Money#eWallets

[hr]

The website passphrase only protects your login at a remote server. It does not protect you from the server.

The client passphrase only protects your key file on the local disk from being read by others who had no chance to capture that password.

[hr]

“Bitcoin over Tor isn’t a good idea” and you’ll find some popular interpretations of that paper. Not Whonix specific. Only Tor / bitcoin specific.

“Bitcoin over Tor isn’t a good idea”

but this doesn’t apply to the Electrum wallet?

Patrick I was referring to a paper wallet that requires no client where you can just login to your wallet from the blockchain.info site, versus a client based wallet where you actually have a client installed like electrum or multibit. It sounds like using a paper wallet is a bad idea on tor given risk of MIM attacks correct?

Paper wallet is totally unrelated. That’s just a representation of a key.

The only important difference is using a web service vs using a local client program.

blockchain.info is a web service. As any web service, it can be shut down any day. For web based services, you can only look out for https based mitm attacks. Don’t ignore certificate errors. Then Tor does not matter. And then you must hope that the web based service does not mess up like MtGox did.

So regardless if I have backups of the blockchain wallet if the online service goes down my btc are gone?? Based on that are you saying that a btc client like Electrum or Multibit is a safer option?

Thanks

Ah. If they let you print out the key on paper… And if you actually tested if it works to reuse it in a local client. No, then it could be somewhat more safe. Perhaps it works should the online service be gone. But the online service can still steal all your money if compromised. So for any serious amounts of money I’d care to lose, I wouldn’t use.

I apologize but I want to be sure on this. So you are saying an online client like Electrum would be best versus leaving btc on an online service like blockchain because the same thing that happened with Mt Gox could happen to blockchain.info? However, I was under the impression that blockchain.info was the main btc site for all btc transactions or am I mistaken and is no different than any other online wallet??

This brings me to my next question would it be safe to order in decreasing safety Cold storage (which I found to be very troublesome and complicated.) Then downloaded btc clients like Electrum or Multibit. Then online wallets like blockchain. Is that a good way to order them based on safety? If so given cold storage is out would downloaded clients would be best compatible with Whonix?? I read that both Multi-bit and Electrum have had bugs on Whonix. Which would you recommend?? Lastly, and not to be repetitive would you consider a blockchain.info wallet to be as risky as Mt Gox?? I was always under the impression the blockchain.info is the main btc site.

Thank you again for all of your valuable help!!

"So you are saying an online client like Electrum would be best versus leaving btc on an online service like blockchain because the same thing that happened with Mt Gox could happen to blockchain.info?"

Perhaps not exactly the same. I imagine they don't host directly a wallet for you, they only let you access your wallet by you giving them [temporary - depending on implementation] access to your wallet key. Giving access of your key to third parties is always risky. For example even if they claim, that all operations are done using JavaScript inside the browser, they are never receiving the key, as noble as that is, once the service gets compromised, the attackers can copy a lot of keys and then do whatever they like. (Mostly transfer to an anonymous wallet of their choice.)

"However, I was under the impression that blockchain.info was the main btc site for all btc transactions or am I mistaken and is no different than any other online wallet??"

There is no main btc site. Bitcoin is a distributed system. Sure, there are websites and clients with more influence on the network, but there is no such thing as "main".

"This brings me to my next question would it be safe to order in decreasing safety Cold storage (which I found to be very troublesome and complicated.) Then downloaded btc clients like Electrum or Multibit. Then online wallets like blockchain. Is that a good way to order them based on safety?"

Yes. That's how I would handle it.
- cold storage, air gap - most secure
- local clients - better
- web based temporary key access - worse
- web based wallets - worst

"I read that both Multi-bit and Electrum have had bugs on Whonix."

Maybe not up to date anymore. And more likely, Debian specific, not Whonix specific bugs. Post references.

"If so given cold storage is out would downloaded clients would be best compatible with Whonix?"
"Which would you recommend?"

There currently is none. This is TODO. There is a ticket: https://phabricator.whonix.org/T215 Which also implies to compare various clients with respect to security, but not done. So you're better off looking at [security] comparisons by people more into Bitcoin. And as a generic, not so helpful answer, "Any that works well with Debian, and Tor, should also be fine in Whonix."

"Lastly, and not to be repetitive would you consider a blockchain.info wallet to be as risky as Mt Gox??"

Perhaps a bit less risky, but more like taking chances. I personally would perhaps use web based wallets for petty cash. For normal amounts, a local client and serious savings in cold storage.