Network sent datas

[chmod777]

Hi,

When a person transfers BTC, what information is transferred on the network. Someone who listens to the network can access what data. I'm curious about security.

[1714007802]

1714007802

[1714007802]

1714007802

[ranochigo]

Bitcoin transactions are transferred through a hex string that contains the transaction information. The hex string is signed with the private key of the address that has the coin.

It is not possible for people to steal Bitcoins through MITM attack. The raw transaction does not contain any sensitive information that would allow one to steal your Bitcoins.

However, you can be tricked into accepting a payment when it the payment isn't on the actual network. The attacker can isolate you from the Bitcoin network and use Bitcoin on their fork. With this, they can trick you into thinking that you have received payments.

[DannyHamilton]

When a person transfers BTC, what information is transferred on the network. Someone who listens to the network can access what data.

Every transaction relays the following information:

• A 4 byte version number
• A variable length (1 to 9 bytes) integer indicating the number of transaction inputs
• The list of inputs
• A variable length (1 to 9 bytes) integer indicating the number of transaction outputs
• The list of outputs
• A 4 byte lock_time

Each input in the list of inputs contains the following information:

• A 32 byte (SHA256) hash of the transaction that contains the output being spent as an input
• A 4 byte index indicating which output is being spent from that transaction
• A variable length (1 to 9 bytes) integer indicating the length (in bytes) of the scriptSig
• The scriptSig (the proof that you are authorized to spend the output in this input)
• A 4 byte sequence number

Each output in the list of output contains the following information:

• An 8 byte non-negative integer giving the number of Satoshis to be transfered
• A variable length (1 to 9 bytes) integer indicating the length (in bytes) of the scriptPubKey
• The scriptPubKey (a script that describes the proof that MUST later provide in an input if you intend to spend this output)

I'm curious about security.

What security concerns are you curious about?  Perhaps we can explain better if you describe your concerns.

[chmod777]

So when you transfer money from one address to another, only that information is being used?

When a person transfers BTC, what information is transferred on the network. Someone who listens to the network can access what data.

Every transaction relays the following information:

• A 4 byte version number
• A variable length (1 to 9 bytes) integer indicating the number of transaction inputs
• The list of inputs
• A variable length (1 to 9 bytes) integer indicating the number of transaction outputs
• The list of outputs
• A 4 byte lock_time

Does my real curiosity really provide anonymity? For example, when I send this message, the data transfer between me and the server is certain. If you do not hide your IP address, this message can be detected very conveniently from my computer. (https://browserleaks.com/)

When transferring money from Bitcoin wallets, is there any information transfer about my computer? Can they find out who owns the transfer address?

[Lauda]

When transferring money from Bitcoin wallets, is there any information transfer about my computer? Can they find out who owns the transfer address?

The first node(s) that receive the TX do receive the origin IP as well. I think that's about it regarding 'informality about your computer'. There are ways to mitigate this:

• Use a VPN.
• Use TOR.
• Set up your own node and connect your client only to it. Other nodes will only see the origin IP as the IP of your node.

All of the above really depends on the wallet that you're using though (it was written as if you were using Bitcoin Core). The origin IP doesn't really give away any important information about you (e.g. you could be connected to a public Wi-Fi network).
Minor update as per achow's post: The nodes that you are directly connected to can not know whether the TX originated from your IP or you were just relaying someone else's transaction.

[achow101]

So when you transfer money from one address to another, only that information is being used?

Yes. Only the outputs being spent from and the outputs being created are all that is really used. The outputs being created typically contain the hash of your public key. That is the only way to identify who owns that transaction.

Does my real curiosity really provide anonymity? For example, when I send this message, the data transfer between me and the server is certain. If you do not hide your IP address, this message can be detected very conveniently from my computer. (https://browserleaks.com/)

When transferring money from Bitcoin wallets, is there any information transfer about my computer? Can they find out who owns the transfer address?

Not easily. The Bitcoin protocol does not contain anything about IP addresses or other computer information relevant to identifying you. There is no need for any of that information. Block explorers who do give that information are both not definitive and only relative to their own nodes (e.g. blockchain.info's "relayed by IP" field in transactions can only show the node that told blockchain.info about the transaction, not the node that sent it).

Since Bitcoin uses a gossip protocol so that every node on the network receives the transaction, the only people who know the IP where the transaction originated from are the nodes that you are directly connected to. Even so, those nodes cannot be sure that you are the originator and not just someone else relaying a transaction that they don't know about yet. The other nodes have to be connected to every single other node on the network (an impossible task) in order to truly determine with certainty that the transaction originated from your node. This kind of attack (called a sybil attack) is very hard to do as it is impossible to know the IP address of every single node on the network and not all nodes will connect to the attacker's node(s)

Even with a sybil attack you can still use IP address hiding techniques such as a VPN or TOR in order to hide your IP address.

[chmod777]

Bitcoin transactions are transferred through a hex string that contains the transaction information. The hex string is signed with the private key of the address that has the coin.

It is not possible for people to steal Bitcoins through MITM attack. The raw transaction does not contain any sensitive information that would allow one to steal your Bitcoins.

However, you can be tricked into accepting a payment when it the payment isn't on the actual network. The attacker can isolate you from the Bitcoin network and use Bitcoin on their fork. With this, they can trick you into thinking that you have received payments.

This is an important issue you mentioned. Even if they can not steal our bitcoins directly with MITM attack, they can deceive us with different social engineering methods by pretending to have received our payments. We could lose money.

[devans]

This is an important issue you mentioned. Even if they can not steal our bitcoins directly with MITM attack, they can deceive us with different social engineering methods by pretending to have received our payments. We could lose money.

Could you give an example of how such an attack would look? I'm having a hard time imagining how a third party could do harm by pretending it received a payment from me.

[chmod777]

@Lauda
@achow101

Thanks for the answers

This is an important issue you mentioned. Even if they can not steal our bitcoins directly with MITM attack, they can deceive us with different social engineering methods by pretending to have received our payments. We could lose money.

Could you give an example of how such an attack would look? I'm having a hard time imagining how a third party could do harm by pretending it received a payment from me.

That's not what I want to say: "how a third party could do harm by pretending it received a payment from me."
That's what I want to say: "they can trick you into thinking that you have received payments"

I wrote this according to ranochigo's message. It is not difficult to produce a scenario if this is possible.

[shorena]

@Lauda
@achow101

Thanks for the answers

This is an important issue you mentioned. Even if they can not steal our bitcoins directly with MITM attack, they can deceive us with different social engineering methods by pretending to have received our payments. We could lose money.

Could you give an example of how such an attack would look? I'm having a hard time imagining how a third party could do harm by pretending it received a payment from me.

That's not what I want to say: "how a third party could do harm by pretending it received a payment from me."
That's what I want to say: "they can trick you into thinking that you have received payments"

I wrote this according to ranochigo's message. It is not difficult to produce a scenario if this is possible.

Many things are possible if people are stupid enough to believe you. E.g. this address -> https://blockchain.info/address/1QLbGuc3WGKKKpLs4pBp9H6jiQ2MgPkXRp

is advertised as Bitcoin Magic Doubler including a service thread here -> https://bitcointalk.org/index.php?topic=1357858.0

People send coins to the address and instantly get a transaction "back". This will however never confirm and it in fact only shows on blockchain.info. Which makes people use these inputs to fool others in turn.
-> https://blockchain.info/tx/d83b29b81ad3a2e4d084dd583847cd87d278f3255a9301f74a668479aab13266

[DannyHamilton]

That's not what I want to say: "how a third party could do harm by pretending it received a payment from me."
That's what I want to say: "they can trick you into thinking that you have received payments"

And this is what you did say:

. . . they can deceive us . . . by pretending to have received our payments. We could lose money.

I wrote this according to ranochigo's message.

This message?

Bitcoin transactions are transferred through a hex string that contains the transaction information. The hex string is signed with the private key of the address that has the coin.

It is not possible for people to steal Bitcoins through MITM attack. The raw transaction does not contain any sensitive information that would allow one to steal your Bitcoins.

However, you can be tricked into accepting a payment when it the payment isn't on the actual network. The attacker can isolate you from the Bitcoin network and use Bitcoin on their fork. With this, they can trick you into thinking that you have received payments.

It is not difficult to produce a scenario if this is possible.

Not difficult?

First you need to isolate your victim from the entire internet so they can't see the REAL bitcoin network (without them realizing that you've done this).
Then you need to connect a bitcoin node directly to their bitcoin wallet (without them realizing that you've done this).
Then you need to convince the victim to accept an UNCONFIRMED transaction.
Then you need to get away and avoid being identified once they re-connect to the REAL bitcoin network and discover that the UNCONFIRMED transaction was fake.

That sounds difficult to me.
The victim can avoid this problem by waiting for the transaction to confirm.

If you want to fool a victim into thinking that the transaction has confirmed, you'll need a LOT of hash power.  This will be difficult to acquire and set up, and expensive to run.

This will however never confirm and it in fact only shows on blockchain.info. Which makes people use these inputs to fool others in turn.
-> https://blockchain.info/tx/d83b29b81ad3a2e4d084dd583847cd87d278f3255a9301f74a668479aab13266

Another problem which can be avoided by simply waiting for the transaction to CONFIRM.

If you want to accept unconfirmed transactions, then you should take the time to learn how to evaluate the risk associated with a given unconfirmed transaction.

[shorena]

-snip-
Another problem which can be avoided by simply waiting for the transaction to CONFIRM.
-snip-

Well, not for the person participating in the "doubler" as they have to send first. For everyone else, yes.

[DannyHamilton]

Well, not for the person participating in the "doubler" as they have to send first. For everyone else, yes.

Certainly.  It will always be possible to trick gullible people into sending bitcoins that they shouldn't have.

(such as sending to the "doubler")

But the conversation in this thread was about being fooled into thinking you have received a payment:

. . . trick you into thinking that you have received payments.

. . . pretending to have received our payments. We could lose money.

. . . a third party could do harm by pretending it received a payment from me.

. . . That's what I want to say: "they can trick you into thinking that you have received payments" . . .

[chmod777]

I wrote this according to ranochigo's message.

This message?

Bitcoin transactions are transferred through a hex string that contains the transaction information. The hex string is signed with the private key of the address that has the coin.

It is not possible for people to steal Bitcoins through MITM attack. The raw transaction does not contain any sensitive information that would allow one to steal your Bitcoins.

However, you can be tricked into accepting a payment when it the payment isn't on the actual network. The attacker can isolate you from the Bitcoin network and use Bitcoin on their fork. With this, they can trick you into thinking that you have received payments.

It is not difficult to produce a scenario if this is possible.

Not difficult?

First you need to isolate your victim from the entire internet so they can't see the REAL bitcoin network (without them realizing that you've done this).
Then you need to connect a bitcoin node directly to their bitcoin wallet (without them realizing that you've done this).
Then you need to convince the victim to accept an UNCONFIRMED transaction.
Then you need to get away and avoid being identified once they re-connect to the REAL bitcoin network and discover that the UNCONFIRMED transaction was fake.

That sounds difficult to me.
The victim can avoid this problem by waiting for the transaction to confirm.

If you want to fool a victim into thinking that the transaction has confirmed, you'll need a LOT of hash power.  This will be difficult to acquire and set up, and expensive to run.

I'm new to bitcoin. There's a lot I do not know about Bitcoin.
If theoretically this sentence is correct: "The attacker can isolate you from the Bitcoin network and use Bitcoin on their fork. With this, they can trick you into thinking that you have received payments."
Then it would not be hard to produce scenarios for the attacker. Needless to say, there must be a monetary gain to cover the cost of the attack.
How much does it cost you to carry out such an attack? (to create a technical sub build)

[DannyHamilton]

. . . If theoretically this sentence is correct: "The attacker can isolate you from the Bitcoin network and use Bitcoin on their fork. With this, they can trick you into thinking that you have received payments."
Then it would not be hard to produce scenarios for the attacker.

There's a very big difference between "It can be done" and "It would not be hard to do".

If theoretcially this sentence is correct: "A person can acquire the necessary materials and build a nuclear explosive device with a 13 kiloton yield".

It does NOT mean that you can say: "It would not be hard to produce usable scenarios for an attacker".

Needless to say, there must be a monetary gain to cover the cost of the attack.

Typically.

How much does it cost you to carry out such an attack?

That depends on how you want to do it.  You suggest that scenarios are not difficult.  Suggest a scenario, and we'll see if you and I can realistically estimate the costs together.

[chmod777]

. . . If theoretically this sentence is correct: "The attacker can isolate you from the Bitcoin network and use Bitcoin on their fork. With this, they can trick you into thinking that you have received payments."
Then it would not be hard to produce scenarios for the attacker.

There's a very big difference between "It can be done" and "It would not be hard to do".

If theoretcially this sentence is correct: "A person can acquire the necessary materials and build a nuclear explosive device with a 13 kiloton yield".

It does NOT mean that you can say: "It would not be hard to produce usable scenarios for an attacker".

Needless to say, there must be a monetary gain to cover the cost of the attack.

Typically.

How much does it cost you to carry out such an attack?

That depends on how you want to do it.  You suggest that scenarios are not difficult.  Suggest a scenario, and we'll see if you and I can realistically estimate the costs together.

It's a simple script. The following are written to give an idea only. I do not feel like doing something like that. Nobody should do anything like that. Defrauding people is something very wrong. You do not have the right to steal anyone's money. It's written just to be a brainstorming. Also, this scenario is also written to get our own security.

We hunt our victims over social media sites. We use female profiles for this. For 3-4 months, we play a game-enthusiastic young girl on facebook. This young girl will be a person interested in bitcoin at the same time. On Steam, you can already buy games with bitcoin. So this young girl will be contacted by players who have knowledge about bitcoin.

This young girl will be our friend, so it's a real profile. The commission will be given to each of the gross proceeds made. Technical infrastructure will be provided by IT specialists friends (network and software). The important thing is that we can have faith and trust. For this, the young girl will sell BTC for 3-4 months. This will not be cheat for 3-4 months. The money issuer will really be sold to BTC.

Victims will be selected from different countries. So different facebook accounts will be created for different countries. The victim will only face to face meeting girls who are our friends. But the meeting will be on the ground we set up. This place will be a place for computer enthusiasts. The whole network infrastructure here will be our control.

The real cheat will begin once you have had enough confidence. People will be defrauded here because they are willing to shop in the place we set up. "The attacker can isolate you from the Bitcoin network and use Bitcoin on their fork. With this, they can trick you into thinking that you have received payments." The infrastructure described here will be prepared. And BTC will be sold in large quantities. People will think that they are receiving BTC payments on the fork bitcoin network. The country will be abandoned after the crash is over.

How much budget is needed for such an attack?

[ranochigo]

We hunt our victims over social media sites. We use female profiles for this. For 3-4 months, we play a game-enthusiastic young girl on facebook. This young girl will be a person interested in bitcoin at the same time. On Steam, you can already buy games with bitcoin. So this young girl will be contacted by players who have knowledge about bitcoin.

This young girl will be our friend, so it's a real profile. The commission will be given to each of the gross proceeds made. Technical infrastructure will be provided by IT specialists friends (network and software). The important thing is that we can have faith and trust. For this, the young girl will sell BTC for 3-4 months. This will not be cheat for 3-4 months. The money issuer will really be sold to BTC.

Victims will be selected from different countries. So different facebook accounts will be created for different countries. The victim will only face to face meeting girls who are our friends. But the meeting will be on the ground we set up. This place will be a place for computer enthusiasts. The whole network infrastructure here will be our control.

The real cheat will begin once you have had enough confidence. People will be defrauded here because they are willing to shop in the place we set up. "The attacker can isolate you from the Bitcoin network and use Bitcoin on their fork. With this, they can trick you into thinking that you have received payments." The infrastructure described here will be prepared. And BTC will be sold in large quantities. People will think that they are receiving BTC payments on the fork bitcoin network. The country will be abandoned after the crash is over.

How much budget is needed for such an attack?

I find it hard to understand the entire concept, perhaps because its a bit wordy. I believe you are trying to say that once trust is gained, you will isolate the victim from the network?

For this to work, you would first, need the victim to connect to the network that the attacker controls.

Lets say the victim trusts the buyer and accepts an unconfirmed transaction. The transaction would only be relayed to the victim's wallet. For it to be valid, the wallet will need to verify the UXTO does indeed exist. The attacker would have to spend that exact UXTO on the real network[to a different address]. Next, the buyer will not check anything and assumes that its okay. Take note, when the buyer walks out and connects to the real internet, he will realise that he was cheated.

The other scenario is when the victim does not trust the buyer and only accepts a confirmed transaction. Everything is almost the same except that someone has to mine a block with that difficulty. The block will not be valid on the real network since the transaction was a double spent. He would still find out that its fake in the end.

Anyone that can do simple math will know why the second method isn't plausible.

You have to come out with an excuse as to why he can't connect to any other places.

Anyone who is sane will require at least a confirmation when dealing with huge amount of Bitcoins, this makes the method less viable.

[chmod777]

We hunt our victims over social media sites. We use female profiles for this. For 3-4 months, we play a game-enthusiastic young girl on facebook. This young girl will be a person interested in bitcoin at the same time. On Steam, you can already buy games with bitcoin. So this young girl will be contacted by players who have knowledge about bitcoin.

This young girl will be our friend, so it's a real profile. The commission will be given to each of the gross proceeds made. Technical infrastructure will be provided by IT specialists friends (network and software). The important thing is that we can have faith and trust. For this, the young girl will sell BTC for 3-4 months. This will not be cheat for 3-4 months. The money issuer will really be sold to BTC.

Victims will be selected from different countries. So different facebook accounts will be created for different countries. The victim will only face to face meeting girls who are our friends. But the meeting will be on the ground we set up. This place will be a place for computer enthusiasts. The whole network infrastructure here will be our control.

The real cheat will begin once you have had enough confidence. People will be defrauded here because they are willing to shop in the place we set up. "The attacker can isolate you from the Bitcoin network and use Bitcoin on their fork. With this, they can trick you into thinking that you have received payments." The infrastructure described here will be prepared. And BTC will be sold in large quantities. People will think that they are receiving BTC payments on the fork bitcoin network. The country will be abandoned after the crash is over.

How much budget is needed for such an attack?

I find it hard to understand the entire concept, perhaps because its a bit wordy. I believe you are trying to say that once trust is gained, you will isolate the victim from the network?

For this to work, you would first, need the victim to connect to the network that the attacker controls.

Lets say the victim trusts the buyer and accepts an unconfirmed transaction. The transaction would only be relayed to the victim's wallet. For it to be valid, the wallet will need to verify the UXTO does indeed exist. The attacker would have to spend that exact UXTO on the real network[to a different address]. Next, the buyer will not check anything and assumes that its okay. Take note, when the buyer walks out and connects to the real internet, he will realise that he was cheated.

The other scenario is when the victim does not trust the buyer and only accepts a confirmed transaction. Everything is almost the same except that someone has to mine a block with that difficulty. The block will not be valid on the real network since the transaction was a double spent. He would still find out that its fake in the end.

Anyone that can do simple math will know why the second method isn't plausible.

You have to come out with an excuse as to why he can't connect to any other places.

Anyone who is sane will require at least a confirmation when dealing with huge amount of Bitcoins, this makes the method less viable.

Only in this scenario will the victim think the process has been verified. All transactions will go through our network. Bitcoin will think he gets paid when he looks at his wallet.

Also the system will work through our DNS addresses. So when he wants to enter the popular sites used for Bitcoin, he will be connected to fork sites. If a site like blockchain.info wants to check the operation, it will appear as if the transaction has been approved because it has logged into our fork site.

The only problem here is that the victim wants to use his own mobile internet. Devices that weaken the mobile signal power can be used. So he will have to use our network.

[ranochigo]

Only in this scenario will the victim think the process has been verified. All transactions will go through our network. Bitcoin will think he gets paid when he looks at his wallet.

Also the system will work through our DNS addresses. So when he wants to enter the popular sites used for Bitcoin, he will be connected to fork sites. If a site like blockchain.info wants to check the operation, it will appear as if the transaction has been approved because it has logged into our fork site.

The wallet will only show a confirmation if a valid block is relayed to it. The UXTO need to exist in the first place for the wallet to acknowledge the transaction. Otherwise, this attack is guaranteed to fail.

Your DNS method may work with some certainty. Phones usually keeps a DNS cache of the website that they have visited before. This means that the phone will not necessarily contact your DNS server. I'm not sure if the browser will throw a warning if the connection gets redirected. This method can only work if the user only relies on the block explorer to check for transactions.

[DannyHamilton]

Only in this scenario will the victim think the process has been verified. All transactions will go through our network. Bitcoin will think he gets paid when he looks at his wallet.
- snip -

Only if you have enough hash power to solve a block at the current difficulty in a reasonable amount of time. SPV wallets and Full Node wallets will all reject any invalid block you attempt to provide.

If you've got that much hash power, you can make a lot more money actually solving legitimate blocks and broadcasting them instead of solving fake blocks and then throwing the blocks away.