The problem can be summarized by the following quote:
“By exploiting Bitcoin’s anti-DoS protection a low-resource attacker
can force users which decide to connect to the Bitcoin network through
Tor to connect exclusively through her Tor Exit nodes or to her Bitcoin
peers, totally isolating the client from the rest of the Bitcoin P2P
network. This means that combining Tor with Bitcoin may have serious
security implications for the users: 1) they are exposed to attacks in
which an attacker controls which Bitcoin blocks and transactions the
users is aware of; 2) they do not get the expected level of anonymity. ”
I proposed documenting two more features of Electrum to help solve the
first problem.
“The second main contribution is a fingerprinting technique for Bitcoin
users by setting an “address cookie” on the user’s computer. This can
be used to correlate the same user across different sessions, even if
he uses Tor, hidden-services or multiple proxies.”
I have never heard of this attack before reading this article. I am not
sure if Electum is vulnerable to this cookie or if it could be saved in
Tails persistence. My guess is that this vulnerability is just for full
nodes or Bitcoin Core clients.
A possible long-term solution would be to find trusted Electrum server
onion addresses and start Electrum with a command that forces it to
connect to that server. The traffic would be encrypted and
authenticated. Unfortunately, not many servers exist and it is
difficult to trust centralized services.
On Sat, 21 Feb 2015 17:58:36 +0000
Minoru <minoru@???> wrote:
> The article is attached to this email, but you can also find it at
> http://arxiv.org/pdf/1410.6079v2.pdf.
>
> I found an article by Alex Biryukov and Ivan Pustogarov that points
> out how easy it would be to perform an attack on an SPV wallet (such
> as Electrum) connected through the Tor network. I believe that
> bitcoin is important to the Tails mission, so Tails should continue
> to support Electrum, but we need to work towards a long-term solution
> to this problem. So far, we have the SPV vulnerability documented in
> Tails 1.3. For Tails 1.3.1, I am going to write some more
> documentation such as waiting for block confirmations and how to
> transfer a watching-only copy of a wallet to another computer.
