Bitcoin Forum
Topic: The practical aspects of running a Bitcoin node over public WiFi. (Read 150 times)
Jet Cash (Hero Member, Activity: 770) | January 10, 2018, 05:19:50 PM | #1

I considered posting this on the tech board, but the tech aspects are just one small part of the issue. One may need to use public WiFi for a number of reasons. One could be a business traveller. Internet may not be available in some rural locations. One could have a nomadic lifestyle, or be involved in a project in an undeveloped area. I've been running a full node over public WiFi for a couple of years now, and I haven't had any real problems. However, I feel that may be luck, and I haven't managed to arrange a cash purchase yet.

Considering cash purchases - I'm concerned that the confirmation time for a purchase of £x,xxx may make this a high risk venture. Waiting an hour in a cafe with a stranger could be a mixed blessing, and at what time do you give him the cash?

Assuming one has all the normal anti-virus and other protection, what extra precautions should I take?

Downloading a new blockchain is not practical, and I would suggest copying this from a known native copy of the true blockchain.

Many have suggested that it is better to tether a mobile to synchronise the blockchain. I feel that this may not be any more secure, and can run away with bandwidth quotas.

There is a risk of the theft of your computer. Obviously one should not leave core running on an unattended computer, and wallets etc should be backed up onto a removable medium. Also I keep a copy of the blockchain on an external SSD.

Using an online wallet provider is not an option for me. It seems to be the same as leaving your money in the bank.

What extra precautions would you take if you had to take your notebook away for a two week vacation?
theymos (Administrator, Legendary, Activity: 2912) | January 10, 2018, 06:35:44 PM | #2

Some things that come to mind:

 - There's been some academic success in getting the encryption keys from a computer via sound analysis. Computers can make different sounds depending on the data they're operating upon.
 - AFAIK both public wifi (i.e. wifi where the attacker has the wifi password) and mobile-data protocols are completely broken security-wise. Wifi via arp spoofing and such, and mobile-data due to various attacks against inherently insecure protocols. So you should probably assume that the attacker controls your Internet connection completely.
 - If an attacker controls your Internet connection completely, then they can do things like preventing legit blocks from reaching you, preventing you from seeing conflicting transactions, giving you only their blocks, etc. If you get a few confirmations, you'll know that someone put a lot of effort into mining them, but you won't be able to confirm that they're the longest chain, since the attacker may be blocking the longest chain.
 - I wouldn't rely 100% on HTTPS, but it's not exactly trivial to defeat. Properly-configured ssh or OpenVPN are even better.

I think I'd do something like keeping all Bitcoin keys off of the laptop, and instead use ssh to connect to my real Bitcoin node. And then if you're really paranoid, change your laptop's ssh key right afterward.

And/or you could use an OpenVPN VPN, either purchased (in which case you're trusting the VPN service not to MITM you) or by setting up your own OpenVPN server somewhere. Then evil wifi can only block you, not interfere or monitor. But you have to make sure that it's configured correctly, since most VPN setups will by default switch to your native connection whenever it can't connect to the VPN. There are iptables rules that will prevent this.
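The fallback theymos warns about (the client silently reverting to the raw WiFi uplink when the tunnel drops) is usually handled with a "kill switch" ruleset: default-DROP policies, with the only cleartext traffic permitted on the uplink being DHCP and the VPN handshake to one fixed server address, and everything else forced through the tunnel interface. The following is an added example written for this thread, not code from the forum or from any VPN project; the helper names, the `wlan0`/`tun0` interface names and the 203.0.113.10 server address are assumptions, and the thresholds are illustrative.

```python
"""Generate (and optionally apply) an iptables "kill switch" so that if the VPN
tunnel drops, traffic is blocked instead of falling back to the untrusted WiFi
uplink. Added example; helper names are hypothetical."""
import ipaddress
import subprocess
import sys


def is_ip_literal(value: str) -> bool:
    """True if value is an IPv4/IPv6 address literal rather than a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def build_killswitch_ruleset(vpn_server_ip: str, vpn_port: int, proto: str,
                             uplink_iface: str, tun_iface: str) -> str:
    """Return an iptables-restore ruleset implementing the kill switch.

    Default policy is DROP on every chain; the only cleartext traffic allowed
    out of the WiFi uplink is DHCP and the VPN handshake to one fixed server
    address. Everything else must leave via the tunnel interface.
    """
    # The server must be an IP literal: a hostname would need a DNS lookup,
    # and that lookup would have to leave via the uplink before the tunnel exists.
    if not is_ip_literal(vpn_server_ip):
        raise ValueError("vpn_server_ip must be an IP literal, not a hostname")
    if proto not in ("udp", "tcp"):
        raise ValueError("proto must be 'udp' or 'tcp'")
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT DROP [0:0]",
        # loopback is always fine (bitcoin-cli talking to bitcoind, etc.)
        "-A INPUT -i lo -j ACCEPT",
        "-A OUTPUT -o lo -j ACCEPT",
        # replies to connections we initiated, on any interface
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # DHCP on the uplink so the lease can still be obtained and renewed
        f"-A OUTPUT -o {uplink_iface} -p udp --sport 68 --dport 67 -j ACCEPT",
        f"-A INPUT -i {uplink_iface} -p udp --sport 67 --dport 68 -j ACCEPT",
        # the one permitted cleartext flow on the uplink: the tunnel itself
        f"-A OUTPUT -o {uplink_iface} -p {proto} -d {vpn_server_ip} "
        f"--dport {vpn_port} -j ACCEPT",
        # anything routed into the tunnel is allowed; the VPN encrypts it
        f"-A OUTPUT -o {tun_iface} -j ACCEPT",
        "COMMIT",
    ]
    return "\n".join(rules) + "\n"


def apply_ruleset(ruleset: str) -> None:
    """Load the ruleset atomically with iptables-restore (requires root)."""
    subprocess.run(["iptables-restore"], input=ruleset.encode(), check=True)


if __name__ == "__main__":
    # Constructed sample values: a TEST-NET-3 address and the default OpenVPN port.
    ruleset = build_killswitch_ruleset("203.0.113.10", 1194, "udp", "wlan0", "tun0")
    if "--apply" in sys.argv:
        apply_ruleset(ruleset)
    else:
        sys.stdout.write(ruleset)
```

Run it without arguments to review the generated ruleset; `--apply` loads it as root. Two practical caveats: the rules must go in after any captive-portal login, since the portal's HTTP page would otherwise be blocked, and name resolution must point at a resolver reachable through the tunnel, because with these rules a DNS query on the bare uplink simply fails (which is the safe failure). The ruleset is IPv4 only; on a network that hands out IPv6 addresses an equivalent `ip6tables` DROP policy is needed, or traffic leaks around the switch over IPv6.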
Jet Cash (Hero Member, Activity: 770) | January 10, 2018, 07:17:48 PM | #3

- There's been some academic success in getting the encryption keys from a computer via sound analysis. Computers can make different sounds depending on the data they're operating upon.
That takes me back a bit - I remember in my days of programming IBM 360 mainframes. Some guys would write programs to play music. You put a radio on top of the cpu, and ran the program. The interference on the radio created the music. Smiley

I'm really only using core to synchronise my blockchain, and to receive payments. So far I haven't spent a single Satoshi. I guess I'm the ultimate HODLer Smiley

I've got a great relationship with a hosting company. It sounds as if I should set up my own VPN. Time to do some reading I think - thanks for the reply and suggestions.
Jet Cash (Hero Member, Activity: 770) | January 10, 2018, 07:33:19 PM | #4

OK - I did a bit of reading, and I like the idea of using an Asus tinkerboard for the VPN, and some other useful things.
It looks as if that could be a useful project.
Jet Cash (Hero Member, Activity: 770) | January 11, 2018, 09:47:57 AM | #5

For those of you who are interested, here are some graphs of the synchronisation of my node (Bitcoin Core version v0.15.1 (64-bit)) at a McDonalds restaurant in the UK.

Channel analysis using Acrylic
http://roamerwifi.com/stats-images/wifi-at-mcdonalds.jpg

Network traffic during initial synchronisation
http://roamerwifi.com/stats-images/bitcoin-node-synchronisation.jpg

The peer list at the time
http://roamerwifi.com/stats-images/bitcoin-peer-list.jpg
Quickseller (Copper Member, Legendary, Activity: 1302) | January 12, 2018, 05:38:57 AM | #6

I'm really only using core to [..] receive payments. [...]
This is going to be risky. It is generally trivial to impersonate a public WiFi hotspot, which would result in an attacker controlling your internet connection, and in turn controlling all of the connections of your node (for example, an attacker could pretend to be multiple different nodes connected to your node).

If you are receiving payments, an attacker could cause your node to think the most recent block is behind the actual most recent block, then broadcast a high-fee transaction that would be valid as of that block but is invalid on the blockchain the rest of the network is using, causing you to believe said transaction will confirm in the next block and tricking you into releasing valuable property to the attacker. If the trade is large enough, an attacker could also make it appear the fraudulent transaction has a confirmation when in fact said transaction is invalid. If you are using a public WiFi to connect to a VPN, this specific attack would not be possible; however, you would need to trust the VPN not to perform a similar attack.

If you are using public WiFi to only spend your bitcoin, you will be much safer. All an attacker would reasonably be able to do is prevent your transaction from broadcasting to the rest of the network, and know which transactions you are specifically broadcasting. This would be a nuisance at best, and an attacker would already know which transaction is yours if you are trading with him.

I would suggest using electrum if you are wanting to use a public WiFi connection to use bitcoin. Doing so would better hide the fact you are using Bitcoin, preventing "$5 wrench" attacks against you.
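The scenario Quickseller and theymos describe (every peer of the node is really the attacker, so the node sees a stale or private chain) leaves traces a merchant can check before treating a payment as settled: the chain tip's median time drifting far behind the wall clock, headers known beyond the last downloaded block, too few outbound peers, and all peers clustered in one network range. The script below is an added example for this thread, not code from Bitcoin Core or from any poster; it runs the checks over the kind of JSON that `bitcoin-cli getblockchaininfo` and `bitcoin-cli getpeerinfo` return, using constructed sample data (RFC 5737 and RFC 3849 documentation addresses) and illustrative thresholds that are assumptions of the example.

```python
"""Sanity checks on a Bitcoin Core node's view of the network, as a defence
against the 'isolated node' scenario. Input shapes follow getblockchaininfo
and getpeerinfo; sample data and thresholds are constructed for this example."""
import ipaddress
from collections import Counter

# Hypothetical thresholds for this example.
STALE_TIP_SECONDS = 2 * 60 * 60   # mediantime normally lags ~1h; beyond 2h is odd
MIN_OUTBOUND_PEERS = 4            # fewer self-chosen peers than this is suspicious
MIN_DISTINCT_NETGROUPS = 3        # all peers in one /16 smells like one operator


def netgroup(addr: str) -> str:
    """Collapse a getpeerinfo 'addr' ('host:port') to a coarse group:
    /16 for IPv4, /32 for IPv6, the literal host name for .onion peers."""
    host = addr
    if host.startswith("["):                 # "[v6]:port"
        host = host[1:host.index("]")]
    elif host.count(":") == 1:               # "v4:port" or "name.onion:port"
        host = host.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host
    prefix = 16 if ip.version == 4 else 32
    return str(ipaddress.ip_network(f"{host}/{prefix}", strict=False))


def check_node_view(chaininfo: dict, peers: list, now: float) -> list:
    """Return a list of human-readable warnings; an empty list means nothing odd."""
    warnings = []
    tip_age = now - chaininfo["mediantime"]
    if tip_age > STALE_TIP_SECONDS:
        warnings.append(f"chain tip is stale: median time is {tip_age / 3600:.1f}h "
                        "behind the clock; blocks may be withheld")
    if chaininfo["headers"] > chaininfo["blocks"]:
        warnings.append(f"{chaininfo['headers'] - chaininfo['blocks']} headers "
                        "known beyond the last block; block download is lagging")
    outbound = [p for p in peers if not p.get("inbound", False)]
    if len(outbound) < MIN_OUTBOUND_PEERS:
        warnings.append(f"only {len(outbound)} outbound peers "
                        f"(want >= {MIN_OUTBOUND_PEERS})")
    groups = Counter(netgroup(p["addr"]) for p in peers)
    if peers and len(groups) < MIN_DISTINCT_NETGROUPS:
        warnings.append(f"peers span only {len(groups)} network group(s): "
                        f"{dict(groups)}")
    return warnings


# Constructed sample data. SAMPLE_NOW is 2018-01-10, roughly this thread's date.
SAMPLE_NOW = 1515600000

HEALTHY_CHAININFO = {"blocks": 503_000, "headers": 503_000,
                     "mediantime": SAMPLE_NOW - 3600}
HEALTHY_PEERS = [
    {"addr": "198.51.100.7:8333", "inbound": False},
    {"addr": "203.0.113.9:8333", "inbound": False},
    {"addr": "192.0.2.33:8333", "inbound": False},
    {"addr": "[2001:db8::1]:8333", "inbound": False},
]

# Every peer in one /16, only three outbound, and a tip four hours old.
ECLIPSED_CHAININFO = {"blocks": 502_980, "headers": 502_980,
                      "mediantime": SAMPLE_NOW - 4 * 3600}
ECLIPSED_PEERS = [
    {"addr": "203.0.113.5:8333", "inbound": False},
    {"addr": "203.0.113.6:8333", "inbound": False},
    {"addr": "203.0.113.7:8333", "inbound": False},
    {"addr": "203.0.113.8:8333", "inbound": True},
]

if __name__ == "__main__":
    for label, ci, pe in (("healthy", HEALTHY_CHAININFO, HEALTHY_PEERS),
                          ("eclipsed", ECLIPSED_CHAININFO, ECLIPSED_PEERS)):
        print(label, check_node_view(ci, pe, SAMPLE_NOW) or ["ok"])
```

Against a live node, feed it `json.loads` of the two RPC outputs and `time.time()`. A warning does not prove an attack (a node that has just been powered on after a week away will trip the stale-tip check honestly), but it is the point at which a merchant should stop trusting zero- or one-confirmation payments seen through this node and compare the tip hash with a second, independently connected source.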
Jet Cash (Hero Member, Activity: 770) | January 12, 2018, 09:38:34 AM | #7

Thanks for the reply, and for further clarification of the risks. I have an inherent dislike of using "banking" services related to Bitcoin, so I would like to stay with a core wallet if I can.

I like the idea of using a VPN, and I think I'll buy an Asus tinkerbox to see if I can filter the WiFi traffic. I've got an associated problem in that I manage a portfolio of over 600 .com domain names, and I do this over public WiFi. Hopefully a VPN would improve my security there as well. I haven't ever set up a VPN, so maybe I should blog the stages, and post that for Bitcoin Talk members. Smiley
Quickseller (Copper Member, Legendary, Activity: 1302) | January 13, 2018, 04:35:51 AM | #8

Thanks for the reply, and for further clarification of the risks. I have an inherent dislike of using "banking" services related to Bitcoin, so I would like to stay with a core wallet if I can.
I think wallet software such as electrum is very far from anything resembling a bank. I would even argue that a light wallet might even be safer than a full node over public WiFi unless you are being specifically targeted because your attacker would need to impersonate a more specific service that all his victims may not use.

Another solution would be to run bitcore on a trusted computer/connection that is also running insight. You could then connect to your node via an HTTPS connection while having a user experience very close to a block explorer except having the trust of a full node.
Jet Cash (Hero Member, Activity: 770) | January 13, 2018, 12:15:40 PM | #9

I've got a bit of a psychological block about entrusting my wallet to a third party. It's probably paranoia setting in in my old age. Smiley Core doesn't seem to give me any problems, and, if I learnt how to use it properly, I gather it gives me some great facilities.

I wondered about running the connection through a remote server, and that could get over the problem of some WiFi providers blocking port 8333. The suggestions by Theymos seem to be worth exploring, especially if I can set up a Raspberry Pi, or an Asus tinkerboard to run a VPN. This could also give me the chance to run something like Wireshark to monitor the traffic.
ibminer (Legendary, Activity: 1058) | January 13, 2018, 05:01:07 PM | #10

Might be worth noting that in some of these examples you could face different environments with different firewalls/filters. I've seen some locations (hospitals/schools/etc) that had VPN as well as SSH blocked. Oddly enough, in some of those scenarios the only way I could access what I had to access at that time was RDP, which was not blocked Roll Eyes. Maybe having multiple secure ways to access the node using commonly open ports (instead of standard SSH/VPN ports) could be a solution, but a good filter/firewall is going to inspect traffic regardless of the port, and may not want the vpn/ssh traffic, for whatever reason. Some sort of HTTPS connection might be the most universal way if you are facing many different environments, albeit maybe not the most secure.
Jet Cash (Hero Member, Activity: 770) | January 13, 2018, 06:00:10 PM | #11

There are a lot of local differences and restrictions. Some won't allow FTP, and some will with limitations. The Bitcoin port 8333 is often blocked for inbound and outbound, but sometimes outbound connections are allowed. Not all SSL certificates are supported, and there is often censorship by domain name. I hope to put together a review and report site.

I think running a VPN might be useful for education purposes. I've also started to read about IPFS, and this may be something we will have to use in the future.