[tor-dev] Per-peer stream isolation for Bitcoin clients

teor teor at riseup.net
Thu Jun 27 21:53:54 UTC 2019

Hi Jeremy,

> On 28 Jun 2019, at 06:35, Jeremy Rand <jeremyrand at airmail.cc> wrote:
> 2. Per-peer stream isolation prevents a single exit relay from feeding
> the user a chain that's not the longest chain, so it's desirable from a
> Bitcoin security point of view.

Tor itself uses 3 directory guards to make sure that one guard can't
feed it bad data.

If you use one exit, and it happens to be malicious, all your peers are
accessed via that bad exit.

But if you use 8 exits, then it's very unlikely that all of them will be
malicious in exactly the same way. But it makes it 8x more likely that
any one of your exits will be malicious.

It's also worth using multiple circuits for redundancy, so a single exit
can't deny service all 8 of your peers. (As noted on the pull request.)

So it's a tradeoff, based on the protocol. For example:
* If you were mainly worried about exploits, then you'd want one exit.
* If you are worried about short chains or denial of service, then you'd
  want many exits.

If you don't know which one to choose, follow Tor Browser, which uses
many exits.

(The right way to deal with exploits is to fix those bugs, and use coding
practices that make them less likely.)

> 3. Per-peer stream isolation would mean more potential for one of the
> circuits being deanonymizable, via traffic analysis etc.  It's not clear
> to me whether this amount of increased circuits is harmful, or how it
> compares to other common usage of Tor such as Tor Browser (which uses
> first-party stream isolation, so a user with a lot of tabs open may very
> well have 8 or more circuits in use at once).

It's not quite that simple:

If you send traffic from all 8 peers over one circuit, then a pattern might
be visible on you client to guard, and exit to internet connections. That
pattern makes correlation easier.

Using 8 circuits splits the traffic pattern across 8 different exit locations
on the internet, so correlation is harder.

I'd follow Tor Browser on this one, too.

> 4. Per-peer stream isolation puts more load on the Tor network.  It's
> not clear to me whether this increased load (8 circuits instead of 1) is
> so much that it's harmful.

Every Tor client tries to keep 6+ pre-emptive circuits open, so that new
requests have lower latency. So you're really looking at doubling your
circuit load, not multiplying it by 8.

Once the circuits are built, there's not much extra load splitting the
streams across 8 circuits, because it's already split into streams and
cells within the protocol.

And you're right, Tor Browser can use lots more than 8 circuits, so
I wouldn't worry about it.

Do you know how much load Bitcoin places on the Tor network?

If it's a lot, one good answer is to encourage users to run relays,
or to donate to organisations that run relays. (Or donate to Tor,
so we can make the network more efficient.)


More information about the tor-dev mailing list