Bitcointalk Onion Address (Proposal)

[AverageGlabella]

I would like to think that most of the members on the forum are privacy conscious and if Bitcoin related websites are being blocked by their ISP Tor or VPNs are the only option for them to be able to connect. VPNs you never really know whether they store logs or not even if they are claiming that they do not. Tor in this case is the best option but without a dedicated onion address the person is forced to use a tor exit node which might be controlled by those that are attempting to block them from accessing Bitcoin related websites or could be targeting those that use Bitcoin.

I think by creating a dedicated onion address for Bitcointalk.org we are not only allowing those that might be blocked by their ISP but we are allowing those to access the website without compromising their privacy at the exit node.

I don't think it would cost too much to set this up and it would be a great upside for those that are using Tor and with the captcha bypass that we already have in place you would not need to remove the captcha based system for lower ranked members.

[1715236098]

1715236098

[1715236098]

1715236098

[1715236098]

1715236098

[1715236098]

1715236098

[1715236098]

1715236098

[Quickseller]

I am not sure if CloudFlare affects tor users, but the forum is already accessible via tor. Even if a .onion address were to be setup, users would still need to solve a captcha to sign up and login for the first time.

If connecting via tor, an ISP would be unable to block any connection to the forum, unless it is also blocking connections to tor. The way that tor is setup, exit nodes do not know who the end user is, and the forum uses SSL, so all the exit node knows is that someone is accessing the forum, but can not know what they are reading, writing, or sending via PM.

[dkbit98]

Having bitcointalk .onion address would be interesting to see but keep in mind that Tor is not perfect and I recently saw that over 25% of all Tor exit relays spied on users web activities according to hackernews.
One unidentified entity is controlling large percent of exit nodes and probably using it to perform some man-in-the-middle attacks, and this could be some hacker or maybe even government agency.
In theory this could mean that someone could potentially do the same thing with Bitcointalk forum or any other website and steal passwords and login information for members, or change addresses.

The main purpose of the attack, according to nusenu, is to carry out "person-in-the-middle" attacks on Tor users by manipulating traffic as it flows through its network of exit relays. Specifically, the attacker appears to perform what's called SSL stripping to downgrade traffic heading to Bitcoin mixer services from HTTPS to HTTP in an attempt to replace bitcoin addresses and redirect transactions to their wallets instead of the user-provided bitcoin address.

https://thehackernews.com/2021/05/over-25-of-tor-exit-relays-are-spying.html

[hugeblack]

The domain address is not a problem. If BitcoinTalk.org is banned, @admin can change the domain to XXXXXX.org and then easily users return to using their forum.
The strength of the forum in the database and the communication between people in the forum, not the domain name.
Overall, there have not been many updates to the forum in a while and I think we deserve to have some.

[Quickseller]

Having bitcointalk .onion address would be interesting to see but keep in mind that Tor is not perfect and I recently saw that over 25% of all Tor exit relays spied on users web activities according to hackernews.
One unidentified entity is controlling large percent of exit nodes and probably using it to perform some man-in-the-middle attacks, and this could be some hacker or maybe even government agency.
In theory this could mean that someone could potentially do the same thing with Bitcointalk forum or any other website and steal passwords and login information for members, or change addresses.

The main purpose of the attack, according to nusenu, is to carry out "person-in-the-middle" attacks on Tor users by manipulating traffic as it flows through its network of exit relays. Specifically, the attacker appears to perform what's called SSL stripping to downgrade traffic heading to Bitcoin mixer services from HTTPS to HTTP in an attempt to replace bitcoin addresses and redirect transactions to their wallets instead of the user-provided bitcoin address.

https://thehackernews.com/2021/05/over-25-of-tor-exit-relays-are-spying.html

You can defeat this attack by forcing your browser to only accept HTTPS connections to the forum (or to the mixing site you are visiting).

[suchmoon]

Since this forum already use CloudFlare, maybe CloudFlare Onion Service could be considered to implement .onion address. But, i don't know privacy implication of using this service.

Cloudflare is already forcing .onion on Tor users and it's not working well with Bitcointalk: https://bitcointalk.org/index.php?topic=5281382

And of course privacy is like with everything else via Cloudflare, i.e. non-existent.

[LTU_btc]

I think it's good idea. I only don't agree with your thinking that most users here are privacy conscious. Unfortunately it's not true. I think that many users here wouldn't even be against KYC if they would be required to do it.

The domain address is not a problem. If BitcoinTalk.org is banned, @admin can change the domain to XXXXXX.org and then easily users return to using their forum.
The strength of the forum in the database and the communication between people in the forum, not the domain name.
Overall, there have not been many updates to the forum in a while and I think we deserve to have some.

Domain name is also big part of forum. Yes, theymos can add alternative domains, but I think it can cause some issues. It may be difficult to know for some people which domain is official and which aren't. It's likely that number of people who fall into phishing websites would increase.

[suchmoon]

I didn't know about it, since the domain isn't changed. Do you know any reliable information about this behavior?

You can check the response headers - if you are using tor it may send alt-svc with the onion address, and e.g. recent versions of Tor Browser have the feature enabled so it will use it. The other part (about it causing timeouts etc) might be something that happens only to me but it would be really bizarre that I had the issues on a fresh install and no one else is experiencing it... so not sure what to make of it.

At any rate, alt-svc is the wrong way to do it. The user should be aware which site they're connecting to. And CF incorrectly detects Tor users so it will likely screw up some regular browsers or fail to provide alt-svc to some Tor users.

[AverageGlabella]

I am glad to see one support and its not theymos job to implement something just so we can have more privacy as it does not benefit him in any way but it would be appreciated.

Does anyone know the cost or maintenance required to setting this up?

I think it's good idea. I only don't agree with your thinking that most users here are privacy conscious. Unfortunately it's not true. I think that many users here wouldn't even be against KYC if they would be required to do it.

Yes that might be true and might be a assumption by me but I would think that a Bitcoin or cryptocurrency forum would be more concerned about their privacy than the general population. This is why I tried to give examples of people who might be blocked from accessing the forum or other Bitcoin related websites.

[Insanerman]

Does anyone know the cost or maintenance required to setting this up?

AFAIK if you use Tor's services it is free to create your .onion domain but you need to consider the costs of your own server which the forum already has and is being maintained. But as for a personal suggestion, this .org address is really enough as you can still use VPN when you log on plus .onion websites is just somehow the same as .org websites but only has encrypted connection to the server and cannot be accessed without using Tor and VPN services. Basically, if you are privacy conscious user, then strengthening your credentials is enough. It would be hassle I guess to the management of the forum to implement something that doesn't really answers any problem.

[Quickseller]

Does anyone know the cost or maintenance required to setting this up?

I would think it would be very low.

One problem that no one has mentioned is the difficulty mitigating DDoS attacks that originate from Tor. CF can help with you have a clearnet site, but I don't think they would be of much use when using a .onion site. With a .onion site, an attacker could send as much traffic the tor network can handle, and you wouldn't really be able to tell between 'good' traffic and that from the attacker. A few years ago, the forum was the subject of a months-long DDoS attack that only stopped when theymos started using CF.

[Timelord2067]

Banned users attempting to regain access to the forum can be identified by their IP addresses prior to their regaining entry (how many times have you seen a user has been "autobanned" ??)

Similarly, users have asked admin/mods to check their IP addresses to either confirm they are who they say they are, or, to counter an accusation they are something when they are not.

[suchmoon]

I tried it few times (reload page, change Tor circuit and use Tor Browser on VirtualBox), but i can't reproduce it (never see the "alt-svc" on response header).

Try restarting Tor Browser and check headers the first time you access bitcointalk.org (make sure to have the dev tools open before you access the site). I think the header is sent only when the browser connects via an exit node, which would be the first connection, and after that the browser may already be connecting via onion so would not be getting the alt-svc header.

Also check if you have alt-svc enabled:

[Chikito]

Maybe this is the answer.

.onion is even worse for DDoS attacks because the clients are all anonymous, so you can't ban abusive IPs. That's why I haven't created a .onion, even though it would be very easy to do.

[ABCbits]

I tried it few times (reload page, change Tor circuit and use Tor Browser on VirtualBox), but i can't reproduce it (never see the "alt-svc" on response header).

Try restarting Tor Browser and check headers the first time you access bitcointalk.org (make sure to have the dev tools open before you access the site). I think the header is sent only when the browser connects via an exit node, which would be the first connection, and after that the browser may already be connecting via onion so would not be getting the alt-svc header.

Also check if you have alt-svc enabled:

Now i can see the alt-svc parameter on response header. But the weird thing i can't use the onion link to access this forum, with or without https:// prefix.