doc: Add 5 privacy recommendations in tor.md #22316
Conversation
ghost
mentioned this pull request
Why? |
|
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsNo conflicts as of last run. |
|
my opinion is don't split up #21157. Splitting up #21157 adds greater burden on reviewers and burden on you with required rebases. While #21157 has required a lot of review attention, I don't think that splitting it up will make it easier to merge. If there is discussion to be had and reviewers still have feedback, seems suboptimal to split up this discussion over three PR's which all have the same purpose: to improve the tor docs. If you have made the decision to split up #21157, then you should close it in favor of the three separate PR's. |
'Improving docs' is a bigger scoping of PR which is not helping in any way. Changes to docs that are specific get merged or rejected soon.
Done |
|
ACK commit b7d465aa6d14b46c96870930679d6d5cb0b3b6f0 I think splitting the PR up how you have is beneficial (I had issues with the examples you added, but like this change and the DNS change in 22317). |
|
Please tag when examples PR is added |
|
Good changes. ACK 2c18e7f6614d665f4eb9891f83391a5317e7d113 |
|
I think there is grammatical error but not sure: --- a/doc/tor.md
+++ b/doc/tor.md
@@ -245,7 +245,7 @@ for normal IPv4/IPv6 communication, use:
As Tor addresses may be created at no cost, an attacker can potentially flood the network with many Tor
nodes and receive all of the outbound Tor connections an `onlynet=onion` node makes.
- This is significantly less a concern with if you make `-addnode` connections to trusted peers
+ This is significantly less a concern if you make `-addnode` connections to trusted peers
(even if they're onion addresses). It's also alleviated with IPv4/IPv6 (especially when using the -asmap
configuration option) due to the cost of obtaining IPs in many networks. |
|
Yes, that change should be made, thanks! |
|
tiny nit |
- Tor bridges - Disable listening for max privacy - Torsocks - `onlynet=onion` trade-offs - Deleting `onion_v3_private_key` not best practice
| If you are in an environment that does not permit direct Tor connections or the use | ||
| of Tor bridges, then considering the trade-offs, it may not be safe to use Tor. | ||
|
|
||
| - For maximum privacy, it is preferable to disable accepting incoming connections. |
There was a problem hiding this comment.
This seems like bad advice. Incoming connections should be encouraged, and any potential privacy risks addressed.
There was a problem hiding this comment.
Bitcoin Core behind a tor proxy with no incoming connections is better for privacy in comparison to listening over Tor IMO. It was suggested by @gmaxwell and reviewers(Sipa and Jonatack) in previous PR had no issues with it:
There was a problem hiding this comment.
Both of these appear to be talking about security, not privacy. And not as general advice, but as super-paranoia.
There was a problem hiding this comment.
This comment by Sipa specifically mentioned privacy: #21157 (comment)
There was a problem hiding this comment.
re: not encouraging this setting; I think the section on Sybil Attacks and Network Partitioning covers that, right?
There was a problem hiding this comment.
I think many users will read this and go "oh good, I want maximal privacy, so I'll disable listening." IMO the statement as it is, and placed where it is, lacks nuance and context. Privacy is a slippery and multifaceted thing with a number of tradeoffs; I'm not sure that discussion should be in this doc, but it probably should be if advice like this is given in the repository, as any such advice here might be seen as a reference.
There was a problem hiding this comment.
Also, some of the thoughts here may also pertain to other privacy networks, e.g. I2P and perhaps others at some point like CJDNS. Should there be privacy recommendations in each doc, or rather in one place (doc/privacy.md?) that interrelates between the networks.
There was a problem hiding this comment.
IMO the statement as it is, and placed where it is, lacks nuance and context
Agree
I'm not sure that discussion should be in this doc
- This doc had a section for privacy recommendations
- I am trying to share few things that I learnt during different conversations about privacy, relevant to this doc and can help others
as any such advice here might be seen as a reference
They should be used as reference. I had two options when I started researching about these things:
- Share my thoughts and discuss on social media about it. Few people will read it and forget it.
- Create a pull request with basic things that can be added, discuss with PR reviewers and help more users know about it in a better way.
I think 2 works better.
Example: Deleting onion_private_key is mentioned on multiple websites: Bitcoin Wiki, Bisq Wiki etc. Editing every wiki, commenting on each social media post, etc. will take lot of time and people will still believe what they read in docs and not me.
Should there be privacy recommendations in each doc, or rather in one place (doc/privacy.md?) that interrelates between the networks.
I think i2p and Tor have few similarities and differences. It's better we have separate docs and maintain privacy recommendations separately but have no issues with doc/privacy.md suggestion. I have added few things in a different repository used by lot of people to learn Bitcoin from command line:
| The `onlynet=onion` configuration option can potentially ensure the node attempts to only | ||
| connect over Tor. It is more private when you combine it with no reachable IPv4/IPv6 address, | ||
| in particular if you want to broadcast transactions without them being correlatable with your IP. |
There was a problem hiding this comment.
This is bad advice. Tor is a centralised network, and using it as your only network puts the user at risk for no benefit. It isn't more private, as it doesn't do anything to stop the "cookies" (UTXO/address relationships) Bitcoin wallets need to work.
There was a problem hiding this comment.
I think 'more private' here is a comparison between onlynet=onion and onlynet=onion + bind=onion. This was suggested by @sipa in #21157 (comment)
There was a problem hiding this comment.
I relate to Luke's feedback and am a bit uncomfortable with the lines of advice he points out; maybe they could use more nuance and context. Otherwise, they seem likely to be misinterpreted or followed somewhat blindly.
There was a problem hiding this comment.
maybe they could use more nuance and context
Agree
ghost
closed this
86a4a15 Highlight DNS request part (Prayank) Pull request description: _What?_ Highlight DNS requests part in Proxy section _Why?_ 1. DNS requests are very important while considering privacy 2. Lot of users might skip reading it because of the way it is mixed with everything else in the doc right now 3. I have seen lot of users ignoring DNS requests or unaware of such things while using privacy tools _How?_ Initially I had tried keeping these lines separate from code block but [Jonatack didn't agree with the changes](bitcoin/bitcoin#21157 (comment)). Harding suggested using [bold/italic in `<pre></pre>`](bitcoin/bitcoin#21157 (comment)). I have used the suggestions from previous PR and added `---` This is a part of alternative described in bitcoin/bitcoin#22316 ACKs for top commit: jonatack: ACK 86a4a15 Rspigler: ACK 86a4a15 achow101: ACK 86a4a15 RiccardoMasutti: ACK 86a4a15 lsilva01: ACK bitcoin/bitcoin@86a4a15 kristapsk: ACK 86a4a15 theStack: ACK 86a4a15 Tree-SHA512: a4fe0e8c08df330e5ca78ce19ce74be7034c653f4374469d928908847a6debf385283e3a6da66de600566c7bab6290ccd35df26864aef94cbb3f294123391437
86a4a15 Highlight DNS request part (Prayank) Pull request description: _What?_ Highlight DNS requests part in Proxy section _Why?_ 1. DNS requests are very important while considering privacy 2. Lot of users might skip reading it because of the way it is mixed with everything else in the doc right now 3. I have seen lot of users ignoring DNS requests or unaware of such things while using privacy tools _How?_ Initially I had tried keeping these lines separate from code block but [Jonatack didn't agree with the changes](bitcoin#21157 (comment)). Harding suggested using [bold/italic in `<pre></pre>`](bitcoin#21157 (comment)). I have used the suggestions from previous PR and added `---` This is a part of alternative described in bitcoin#22316 ACKs for top commit: jonatack: ACK 86a4a15 Rspigler: ACK 86a4a15 achow101: ACK 86a4a15 RiccardoMasutti: ACK 86a4a15 lsilva01: ACK bitcoin@86a4a15 kristapsk: ACK 86a4a15 theStack: ACK 86a4a15 Tree-SHA512: a4fe0e8c08df330e5ca78ce19ce74be7034c653f4374469d928908847a6debf385283e3a6da66de600566c7bab6290ccd35df26864aef94cbb3f294123391437
9 participants
onlynet=oniontrade-offsonion_v3_private_keyis not one of the 'best practices'I have divided #21157 in 3 parts (Alternative to PR 21157):