How is it prescribed to run Bisq through a network-isolating Tor gateway? I find no documentation. Not too many relevant forum posts, except this old one. Bisq --help shows nothing useful, only a socks5 proxy for the Bitcoin network (not Bisq P2P/onion).
It is my policy. No userland application except the Tor daemon and other basic services can ever know my “real” IP address. Also, no network application gets unfiltered Tor control port access. All network applications sit on unroutable private IPs, behind a firewall and Tor gateway. I laugh at talk about “leaks” around Tor; it’s impossible for me. Even a compromised application cannot compromise privacy.
I am not the only one. Qubes/Whonix is a popular way to make this work, “out of the box”/user-friendly. There are many ways to make this work, even physical hardware isolation.
An architectural rule: bundled Tor is only a user-friendly convenience, as with Tor Browser. Privacy-serious users always run a separate daemon with network isolation; it’s the only right way to do it.
Please help with advice to make Bisq run behind an isolating Tor gateway, with no possibility of “Tor over Tor”. I am new to Bisq, not to networking.
I like that you take your privacy seriously. I am pretty sure that we are all happy to hear that here.
Unfortunately there is no option to use Bisq without the bundled Tor currently. We do agree that it is a good and important feature, but Bisq devs are busy with the DAO and everything now, as decentralization is in focus right now. It will be added eventually though.
Some new Tor options were added in the latest major release allowing people to connect in countries where Tor is blocked, but no option to turn it off completely; the risk of people misusing it was probably too high and the benefit was probably not that apparent at the time.
Be sure that more advanced Tor options are on the roadmap though.
Thank you for your reply. I did search the Bisq repository issues before posting! I didn’t see that netlayer issue. (I didn’t know Bisq’s dependencies, because I’m not familiar with Maven… had to do some digging.) I replied there. I want to draw attention to one thing I said:
In case of a Tor security vulnerability, a power user with system Tor can update much quicker than Bisq and its dependencies can release a new package. This is not a hypothetical concern. Yesterday, fixes were released for TROVE-2017-009/CVE-2017-8819 and TROVE-2017-013/CVE-2017-8823. Both affect v2 onion services, used by Bisq. TROVE-2017-013 is severity “High”, a use-after-free. The reporter of that bug crashed Tor while running Ricochet, another Tor bundler (obviously not through netlayer). All onion service tors should be updated immediately. Is netlayer’s tor-binary updated yet, so Bisq can release an update?
Besides all else I said before, I think this is another good reason to separate Tor from the application.
Thanks for the info! Of course, the footgun is a concern. But then, I recommend that changing Tor settings should not be too easy. Compare: proper use of Tor Browser with an external Tor requires the user to set environment variables. It’s actually too hidden. But any user who knows what an “environment variable” is and how to set it is competent to make their own decisions… or take responsibility for shooting themselves in the foot.
The benefit of this arrangement is that packagers can do it easily with a shell script. For example, for Tails, Whonix, etc.
A point-and-click GUI “disable internal Tor” checkbox is not needed. Wasted development effort.
Also note, I do not suggest making Bisq work without any Tor at all. This is logically impossible anyway, due to the use of .onion. Only make Bisq use SOCKS5 for outgoing P2P, and Tor control ADD_ONION to set its own address. (Control port use should be restricted to ADD_ONION, because a security-conscious user will filter it.) This is exactly how, for example, Bitcoin Core works when properly configured for an isolated network behind a Tor gateway.
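The control-port filtering the post above describes, as an added example that is not part of the thread, Bisq, or any gateway project: a per-line allowlist check a gateway could apply between the isolated workstation and the Tor daemon. The allowed command set, the `client_addr` parameter, and the rule that every Port= mapping must target the workstation's own address are my assumptions.

```python
import re
from typing import Tuple

# Commands the gateway forwards; everything else (GETINFO, SIGNAL, SETCONF,
# GETCONF, ...) is dropped. Assumed minimum around ADD_ONION: the handshake
# commands, DEL_ONION to clean up, and QUIT.
ALLOWED_COMMANDS = {"PROTOCOLINFO", "AUTHENTICATE", "ADD_ONION", "DEL_ONION", "QUIT"}

# ADD_ONION key spec: either ask Tor for a fresh key or supply a private key
# so the client keeps a stable onion address across restarts.
_KEY_SPEC = re.compile(
    r"^(NEW:(BEST|ED25519-V3|RSA1024)|(ED25519-V3|RSA1024):[A-Za-z0-9+/=]+)$", re.I)
# Port=<virtport>[,<target>]; Flags=, ClientAuth= and friends are refused.
_PORT_ARG = re.compile(r"^Port=(\d{1,5})(?:,(\S+))?$", re.I)


def check_control_line(line: str, client_addr: str) -> Tuple[bool, str]:
    """Decide whether one control-port line from the isolated client may be
    forwarded to the Tor daemon. Returns (allowed, reason)."""
    parts = line.rstrip("\r\n").split()
    if not parts:
        return False, "empty line"
    cmd = parts[0].upper()
    if cmd not in ALLOWED_COMMANDS:
        return False, f"command {cmd} not in allowlist"
    if cmd != "ADD_ONION":
        return True, "handshake/lifecycle command"
    args = parts[1:]
    if not args or not _KEY_SPEC.match(args[0]):
        return False, "ADD_ONION needs a NEW:... or explicit private-key spec"
    mappings = 0
    for arg in args[1:]:
        m = _PORT_ARG.match(arg)
        if not m:
            return False, f"argument {arg!r} not permitted (only Port= mappings)"
        virt_port, target = int(m.group(1)), m.group(2)
        if not 1 <= virt_port <= 65535:
            return False, "virtual port out of range"
        # An omitted target means 127.0.0.1 on the *gateway*, which would
        # expose the gateway's own services; the onion must point back at
        # the workstation that asked for it.
        if target is None or target.rsplit(":", 1)[0] != client_addr:
            return False, f"target must be on {client_addr}"
        mappings += 1
    if mappings == 0:
        return False, "ADD_ONION needs at least one Port= mapping"
    return True, "ADD_ONION within policy"
```

A real gateway would apply this to each line of the control stream before relaying it, and relay Tor's replies back unchanged.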
Thanks for all your input! Please discuss with the dev behind netlayer how and what would be the best feature design.
We don’t have dev resources free for that atm, but would appreciate any dev who can work on that!
The bundled Tor needs to stay as well, because many users are not tech savvy enough to set up a local Tor or don’t have Tor installed at all. But with a simple program arg and/or UI settings it should serve both types of users.