Walletwasabi: Warning when clearnet node connection

Created on 27 Jul 2019 · 6 Comments · Source: zkSNACKs/WalletWasabi

Problem

When connecting to the remote full node over clearnet, and it's not a local host, then afaik the traffic is not encrypted. When broadcasting a transaction, then it is transferred to the remote node unencrypted, leading to network level deanonymization.

Solution

When the user doesn't run his node over tor [check input of 127.0.0.1 / or *.onion], we can't really do anything about this... But we can at least add a red warning message that there are privacy risks.
When you connect to your remote node over clearnet, then you lose the network level privacy protections of tor.

[Somewhat related to #1618 #1945 #996]
Thanks to @kixunil for pointing this out in DM.

All 6 comments

Does this mean that the traffic could be MITM'd? That seems like a huge problem with potential for an attacker to MITM and alter the "send to" address in a transaction. I'm not an expert in network matters, so please correct me if this is wrong. If it is correct, then a red warning message is very appropriate and should urge the use of a VPN to have a tunneled/secure connection.

Well, I think [but am not sure] there is a risk of MITM, but it's "only" about privacy [meaning the MITM knows your transaction and coins] but not about stealing sats. The final signed transaction cannot be changed - if the attacker changes the signed message by switching the output, then the signature is no longer valid and it will not get confirmed.

Oh, of course. Hopefully, that would have been obvious to me if I'd waited to read/reply until after I'd had my first cup of coffee of the day. It's early morning where I am. Thanks for the gentle correction.

Regardless, I think your warning message is a good idea pertaining to anonymity concerns.

It is impossible to decide from Wasabi if the connection is encrypted or not, thus we don't have a basis to warn for. Although I was talking about Tor here, the same arguments apply: https://github.com/zkSNACKs/WalletWasabi/pull/2029#pullrequestreview-267505107

The sad thing is that this feature was designed to communicate through localhost only, and wasn't designed to be exposed to the Internet, but some people (@MaxHillebrand was leading them 😄) were very enthusiastic that they can do this too, so they did.

Anyhow, as of today it is only used for block fetching, but those blocks are validated by the coordinator and if they're fake they'll not be accepted by Wasabi client, so it's not insecure exposing it to the Internet.

However, when we do a proper full node integration, we'll have to think about this insecurity. For now, I'll just defer this non-issue for the future: when it'll become an issue, we'll solve it.

Good point. If this is revisited later, maybe the message should be dismissible with a text like "Are you sure the connection is encrypted or secured in another way?"
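
The address check proposed in the issue (127.0.0.1 or *.onion, otherwise warn) combined with the dismissible message from the last comment, as an added example that is not Wasabi's code and not from any participant in the thread. It looks at the configured address only, so it cannot tell whether a clearnet link is tunnelled some other way, which is why the warning can be dismissed. The function names, the warning wording and the sample endpoints are assumptions made up for this sketch.

```python
import ipaddress

# Warning text paraphrased from the issue; the dismiss flag follows the last comment.
WARNING = ("Remote node is reached over clearnet: you lose the network level "
           "privacy protections of Tor unless the link is secured another way.")

def extract_host(endpoint: str) -> str:
    """Return the host part of 'host', 'host:port' or '[ipv6]:port'."""
    ep = endpoint.strip()
    if ep.startswith("[") and "]" in ep:      # bracketed IPv6, optional port
        return ep[1:ep.index("]")]
    if ep.count(":") == 1:                    # name:port or ipv4:port
        return ep.split(":", 1)[0]
    return ep                                 # bare name, IPv4 or IPv6

def classify_endpoint(endpoint: str) -> str:
    """Classify by address only: 'loopback', 'onion' or 'clearnet'."""
    host = extract_host(endpoint).lower().rstrip(".")
    if host == "localhost":
        return "loopback"
    if host.endswith(".onion"):               # suffix match, not substring
        return "onion"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "clearnet"                     # ordinary DNS name
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        ip = mapped
    return "loopback" if ip.is_loopback else "clearnet"

def privacy_warning(endpoint: str, dismissed: bool = False):
    """Warning text, or None when not needed or dismissed by the user."""
    if dismissed or classify_endpoint(endpoint) != "clearnet":
        return None
    return WARNING

if __name__ == "__main__":
    # Constructed sample inputs (8333 is the Bitcoin P2P default port).
    for ep in ["127.0.0.1:8333", "[::1]:8333", "examplenode.onion:8333",
               "203.0.113.7:8333", "node.onion.example.org:8333"]:
        print(f"{ep:32} {classify_endpoint(ep):9} warn={privacy_warning(ep) is not None}")
```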
