Blockchain.info Adds Additional Tor Security Features to Head Off Man-In-the-Middle Attacks
Tor may not have had the best past couple of months, with news releasing late in the summer that, with enough work, someone could theoretically discover user identities.
Tor may not have had the best past couple of months, with news releasing late in the summer that, with enough work, someone could theoretically discover user identities. Things got worse about a month later when news broke that it appears someone did do the work, and that the “someone” appears to be government agencies.
Still, Tor is a valuable tool in fighting surveillance. It won’t thwart a dedicating snooping agency or even a skilled hacker on its own, but it is still magnitudes more secure than traditional browsers.
Blockchain.info has launched a hidden Tor service site with an impressive 10-digit-long vanity address—https://blockchainbdgpzk.onion/—along with an SSL digital certificate issued by DigiCert, which is only the second of its kind for a Tor Hidden Service. (The first was for Facebook’s recently launched Tor service.) Additionally, the entirety of blockchain.info—both its clearnet and onion sites—are HTTPS-enforced with additional Strict Transport Security (HSTS) and Public Key Pinning (HPKP) security measures.
Nik Cubrilovic, who is currently working on an unnamed startup and previously wrote for TechCrunch, helped blockchain.info set up their onion address. He has a long write up on why they did it and how. If you enjoy all the technical details, it is a juicy read and absolutely worth taking the time to check out.
If technical details scare you, the short of it is that users who were accessing Blockchain.info through Tor were being subject to man-in-the-middle attacks and were having their Bitcoin stolen. A malicious party would emulate a Tor node and switch the connection to an unencrypted HTTP connection. The attack depended on the user not noticing that the connection was no longer secured, and continuing as normal, giving the thief or thieves access to the user’s login information. In some cases, the malicious party would change the icon next to the web URL to emulate an SSL lock, making it so that the only tip-off that a user was no longer on the actual blockchain.info site was that the address started with HTTP rather than HTTPS.
The blockchain.info vanity addresses are particularly interesting. Tor web addresses are created using a method similar to the one used to create Bitcoin addresses. (Actually, there are a few more steps involved, but fundamentally, they both use public keys and encryption to generate a random string of letters and numbers.) Blockchain.info and Cubrilovic managed to create an impressive 10-digit-long vanity address by randomly generating them until they got one that started with blockchain. He stated that it took a large cluster of GPU Amazon web servers running for roughly 40 hours at a top hashrate of just under 10,000 MH/s to achieve the name. Assuming it was generated in the same fashion as Facebook’s vanity onion address, they must have generated thousands of addresses until they found one that started with the word “blockchain.” All .onion addresses must be exactly 16 characters long, which accounts for the random string of letters after “blockchain.” Facebook only had eight digits to get correct and once they had a few URLs that started with Facebook, they were able to pick the most memorable among them.
Blockchain.info, perhaps because of the added complexity of the two additional digits, does not appear to have done this, as the proceeding letters seem to have no meaning.
While there will likely never be a silver bullet that kills off Bitcoin-focused thefts and hacks, increased security measures like this could go a long way toward improving Bitcoin’s image around the web. In addition, seeing more legitimate services added to Tor could help reduce some of the stigma that has been created around using privacy-minded tools.
Did you enjoy this article? You may also be interested in reading these ones: