[bisq-network/bisq] Security risks with re-use of onion address (#2005)

Florian Reimair notifications at github.com
Fri Nov 30 12:37:50 UTC 2018


About the reputation: I think the onion address of the hidden service has been chosen because it is readily available and no further thought has been put into this. There is, however, a non-written plan to eventually use the private_key itself for identifying the user and her reputation (@ManfredKarrer) in order to support other networks as well (#1397). However, switching to the private_key makes no difference here as the onion-address is derived from the private_key.

In general, a reputation of some sort does require a unique identifier; there is no way around it. And the reputation (to my knowledge) gives the Bisq users a tool to judge whether the trading partner is going to fulfill her part in a fast and correct way (very similar to, for example, PGP's trust network).

If a user wants to stay completely anonymous and therefore, no reputation data is available, she may have difficulties finding trading partners. Hence, if the user wants to stay anonymous, she has to accept that other people may not trust her.

Aside from that: Given the private_key is stored somehow encrypted (AES, RSA, ...):
- which key should be used to encrypt?
- And more importantly, how can we store or derive such a key that an attacker, who has access to `~/.local/share`, cannot reproduce the key?
- and yes, there are passwords. However, to keep the private_key protected, we cannot allow "remember password" as we then would have to store the password on disk. Hence, the password has to be entered every time from scratch. So if a user is concerned about her home directory getting attacked, she would have to accept this inconvenience (and probably store the password in a text file on her desktop).

### technical feasibility

Considering #1056 and its preparation work (#2009 ff.), we already have a solid base for the onion address being changed every time Bisq is run. One hidden service per trade, however, remains a challenge...

### all in all
- we could add a switch to start Bisq in "use fresh onion-address"-mode.
  - via command line parameter: Make it a shortcut and you are set.
  - settings
- we could add a password with all its trappy nature
- so we can let the user decide, whether she wants privacy or convenience


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/bisq-network/bisq/issues/2005#issuecomment-443191431
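
The key-derivation question raised in the comment above, as an added example that is not part of the original message and is not Bisq code: one possible approach derives the AES key from a passphrase with PBKDF2 on every start, so only the salt, IV and ciphertext are ever written to disk. The class name, iteration count, passphrases and the stand-in key bytes are assumptions made for the illustration.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.*;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;

public class SealedOnionKey {
    static final int ITERATIONS = 600_000; // assumed work factor, tune per hardware
    static final SecureRandom RNG = new SecureRandom();

    // The AES key exists only in memory: derived from the passphrase and the on-disk salt.
    static SecretKeySpec derive(char[] pass, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pass, salt, ITERATIONS, 256);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(k, "AES");
    }

    // What gets written to disk: salt(16) || iv(12) || ciphertext+tag. None of it is secret.
    static byte[] seal(char[] pass, byte[] privateKey) throws Exception {
        byte[] salt = new byte[16], iv = new byte[12];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, derive(pass, salt), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(privateKey);
        return ByteBuffer.allocate(28 + ct.length).put(salt).put(iv).put(ct).array();
    }

    // Throws AEADBadTagException on a wrong passphrase or a modified file.
    static byte[] open(char[] pass, byte[] blob) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, 16), iv = Arrays.copyOfRange(blob, 16, 28);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, derive(pass, salt), new GCMParameterSpec(128, iv));
        return c.doFinal(blob, 28, blob.length - 28);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in bytes, not a real hidden service key.
        byte[] key = "constructed stand-in for hidden service private_key".getBytes("UTF-8");
        byte[] onDisk = seal("correct horse battery staple".toCharArray(), key);
        System.out.println(Arrays.equals(key, open("correct horse battery staple".toCharArray(), onDisk)));
        try {
            open("guess".toCharArray(), onDisk);
        } catch (AEADBadTagException e) {
            System.out.println("wrong passphrase rejected");
        }
    }
}
```

An attacker holding the file can still guess passphrases offline, so the iteration count and the passphrase strength set the cost of recovering the key.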