Why not integrate Tor into Electrum by default?

[pomo99]

It has always seemed horrible to me that with Electrum you connect to random servers that can know your IP address, your bitcoin addresses and your bitcoin balance. Behind those servers can be anyone: a government, a hacker or a Russian mafia.
In the best case, your government will demand the bitcoins knowing who you are and what you have, or a hacker will steal them from a distance, knowing your IP and taking advantage of a bug. At worst, a Russian mafia will appear at your house and make holes in your knees with a drill until you hand them all the bitcoin they know you have.

[jackg]

Meanwhile a court could demand you reveal what you've been using tor for or conclude that your use of tor might be of a fraudulent nature. You're still giving your ip to someone using tor, even if the rest of your data is encrypted they still know you're making a connection. Do you trust a random person more tha a certain trusted electrum node operator.

You can run your own personal server if you want a higher protection than tor will provide...

[bob123]

It has always seemed horrible to me that with Electrum you connect to random servers that can know your IP address, your bitcoin addresses and your bitcoin balance.

1) IP addresses have to be publicly known to communicate with each other. That's how the internet works.

2) The electrum server does not know which addresses belong to your wallet, neither does it know your balance.
Electrum is using bloom filter. Long story short, this means that addresses are being masked when sent to the server. The server only knows a superset of the addresses you are interested in.

2) Electrums privacy is bad. If you care about your privacy (even just a little bit), use Wasabi. They use compact block filters. The server will not know which address belongs to your wallet.

[...] or a hacker will steal them from a distance, knowing your IP and taking advantage of a bug.

You can not steal something or "hack" into something easily just because you know an ip address.
Even if.. there are roughly 4.000.000.000 IPv4 addresses. This number is low enough to simply try out every single ip address.

[stompix]

or a hacker will steal them from a distance, knowing your IP and taking advantage of a bug

What bug are you talking about?

At worst, a Russian mafia will appear at your house and make holes in your knees with a drill until you hand them all the bitcoin they know you have.

Yeah, I'm pretty sure the Russian Mafia will travel around the world based on IPs, miraculously locating you by that and then starting torturing you to get your bitcoins. Unless they find during their flight you have sent those coins away so they must cancel the plan and return home. Are they coming with power adaptors or do they buy their tools at the destination? Why would they think of this when they have way better sources of information already, called Facebook and Instagram. Forget IP, they can even find out the layout of your house, when your parents go to work, if you're on vacation and with what brand of dog food to bribe your dog.

-----
LE after LoyceV comment

I've removed my previous comment about the balance, and I'm just as curious as him about the server guessing it from your requests!

The client subscribes to its own addresses (nit: sha256 hashes of scriptPubKeys) so that it would be notified of new transactions touching them. It also synchronizes the existing history of its addresses. This means the client sacrifices some privacy to the server, as the server can now reasonably guess that all these addresses belong to the same entity.

[LoyceV]

2) The electrum server does not know which addresses belong to your wallet, neither does it know your balance.
Electrum is using bloom filter. Long story short, this means that addresses are being masked when sent to the server. The server only knows a superset of the addresses you are interested in.

Can you share the long version? I'd be interested to read the details on how the server can send me my balance without knowing my addresses.

[jackg]

@stompix Google says there are 500 million addresses that have had a history, if we assume 20 billion addresses have been sent to a server and these are just hashed versions(?) then it sounds bruteforceable still (but I could be wrong).

or a hacker will steal them from a distance, knowing your IP and taking advantage of a bug

What bug are you talking about?

A bug through tor is probably similarly likely as a bug through clearnet, clearnet might be less exploitable as more people look into improving its security and cisco/net gear and a few others are paid to maintain it afaik.
A dot onion doesn't stop people doing forensics on your system still, some connections don't even fully close when some apps close (even if the application programmes for it, the operating system could hang on it, get an interrupt and just not come back or it can be interrupted during normal functioning so an unsafe shutdown occurs).

There are some really stupid os enforced bugs that neither tor nor clearnet will protect you against though too...

[bob123]

Can you share the long version? I'd be interested to read the details on how the server can send me my balance without knowing my addresses.

By utilizing bloom filtering (BIP 37).

You can basically mask your addresses. The server then gathers all addresses which fit to that masks and sends you everything regarding them back.
On the client side you simply discard any data you are not interested in.

The server then basically has two options for every possible address:
1) Client is not interested in this address (not related to the wallet) or
2) Client might be interested in this address (might or might not belong to the wallet).

The factor which determines how much you protect your privacy is the false positive rate (transactions which match the filter but are not part of your wallet).

You'd be able to achieve the same by adding lots of unrelated addresses to your watch-only wallet.

This approach is by far not perfect and has its downsides. A more advanced approach would be client side block filtering (BIP 157).

[Abdussamad]

2) The electrum server does not know which addresses belong to your wallet, neither does it know your balance.
Electrum is using bloom filter. Long story short, this means that addresses are being masked when sent to the server. The server only knows a superset of the addresses you are interested in.

This is incorrect. Electrum does not use bloom filters. You're thinking of bitcoinj clients like multibit, Schildbach wallet and so on.

In the past Electrum used to reveal the addresses as is. Now electrum servers index the blockchain on the basis of hashes of addresses and that's what the client uses to query the servers. Those electrum servers could just as easily add a second index to their DBs with the preimage, that is the addresses themselves, and when the queries come in they can log what addresses are associated with what IPs. So bottom line the servers see all your addresses (up to the gap limit) and know they belong to the same wallet. They don't see your xpub.


@pomo99 Some reasons I can think of are a) Tor connectivity is less reliable than using your native internet connection b) you have to run a tor proxy. not everyone has one installed so this raises the barrier to entry because your forcing non technical users to install more software c) electrum is a lite client designed for ease of use. hardcore users are better served running their own full node using bitcoin core.

[pooya87]

it is because a lot of things can happen but that doesn't mean they do happen. not to mention that people are already leaking a lot of information about themselves online, even when they are using anonymity methods such as Tor they still leak their identity not just their bitcoin addresses!
forcing Tor by default will only make using the wallet harder for everyone.

[bob123]

This is incorrect. Electrum does not use bloom filters.

Seems like i am going to stop recommending electrum then.
With wasabi utilizing compact block filters (BIP 158), electrum no longer is the #1 wallet in my eyes.

I thought electrums privacy is only "kind of" bad with "just" using BIP37.
But this is a whole new level of privacy doesn't exist.

[pomo99]

Users concerned about this remember that they can run Electrum alongside Tor


https://i.ibb.co/g9kczpT/ele.jpg

[pooya87]

This is incorrect. Electrum does not use bloom filters.

Seems like i am going to stop recommending electrum then.
With wasabi utilizing compact block filters (BIP 158), electrum no longer is the #1 wallet in my eyes.

I thought electrums privacy is only "kind of" bad with "just" using BIP37.
But this is a whole new level of privacy doesn't exist.

Electrum is mainly recommended to others as a very user friendly desktop wallet that even beginners could potentially use whereas alternatives aren't as user friendly. it also offers the easy to use offline setup which sets it apart.
in any case i am wondering about BIP158 and how much privacy does that offer in practice since it seems to only make it harder to analyze not impossible. and more importantly how does the implementation deal with this BIP since i have yet to dissect Wasabi

[bob123]

in any case i am wondering about BIP158 and how much privacy does that offer in practice since it seems to only make it harder to analyze not impossible. and more importantly how does the implementation deal with this BIP since i have yet to dissect Wasabi

Generally, the privacy is definitely better than with BIP37. However it still depends on the implementation on how much better it is.
Not leaking your wallet addresses, but downloading full blocks from nodes in the bitcoin p2p network, already makes it much better.

Obviously, there would be some attacks like monitoring which blocks are being downloaded and compare that to the transaction graph as mentioned in the bitconi-dev mailing list.
However, by connecting via TOR, downloading each block from a different node through a new circuit (what wasabi is actually doing), as well as choosing an appropriate false positive rate (for downloading blocks which do not contain any address of yours), that's a huge gain in privacy since a simple comparison to the transaction graph is not that easily possible anymore (downloaded via different IP's / tor circuits & downloaded from different nodes & false positive rate).

With that, it is no longer trivial to establish a connection between a specific wallet and its addresses.