Why re-use onion address?


#1

Was it a design choice to re-use the onion address? Is it necessary?

I ask because it is more private and secure for users if Bisq doesn’t ever know or store the private key (see DiscardPK option in Tor control-spec.txt).


#2

At the moment, the onion address, which is indeed public, helps to establish a reputation for a trader.
I’m not sure about other information which could be used instead?

Notice however that you can easily change your onion address at any moment by creating a brand new Bisq directory.

If you have precise ideas about interesting changes on this topic (or another), you are welcome to open an issue on Bisq’s github ( https://github.com/bisq-network ) or even make a proposal.


#3

Thanks for answering. That’s exactly what I was looking for.

I may make a GitHub issue about this as I now think it’s an even bigger security risk. The onion address is used for reputation and the privkey can be read by any other software with access to ~/.local/share/, and then used to impersonate.


#4

I agree, it would be good to have onion-address reuse only as an option in Bisq, if there are no other technical issues, so users can choose.

As Homrad says, there are some benefits to it, like reputation, but it would be cool if you could automatically regenerate a new address for each trade, if you wish.

I am not sure about it being a specific security issue, since regeneration of new addresses would still leave private keys exposed to programs with access to the data directory. We would have to encrypt the private key like we encrypt the wallet to fix that.


#5

I think lnd uses some data unique to the user’s wallet to generate a node id, maybe Bisq could do something similar as an identifier.

If the flag DiscardPK is included in the ADD_ONION command then Bisq will never know the private key. From the Tor control spec:

"DiscardPK" / ; The server should not include the newly generated
private key as part of the response.

So a normal exchange between Bisq and the Tor control port begins like this:

AUTHENTICATE
250 OK
SETEVENTS CIRC WARN ERR
250 OK
GETINFO net/listeners/socks
250-net/listeners/socks="127.0.0.1:9050" "unix:/var/run/tor/socks"
250 OK
ADD_ONION NEW:BEST Port=9999
250-ServiceID=oi5agyo3enlcz2v3
250-PrivateKey=RSA1024: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
250 OK

With DiscardPK it looks like this:

AUTHENTICATE
250 OK
ADD_ONION NEW:BEST Port=9999 Flags=DiscardPK
250-ServiceID=yakvk6o3e63nwf7b
250 OK
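The control-port exchange in the post above, as an added example that is not part of the original thread or of Bisq’s code: a small Python client that sends AUTHENTICATE and ADD_ONION, parses the 250-/250 reply framing, and reports whether a PrivateKey line came back. The FakeTorControl class is a constructed stand-in for a real tor control port so the code runs offline; its ServiceID and key strings are made up. To run it against a real daemon, connect a socket to the ControlPort (typically 127.0.0.1:9051) and pass that socket in place of the fake. Note that a bare AUTHENTICATE, as in the post, only succeeds when the control port has neither cookie nor password authentication configured.

```python
"""Tor control-port client for ADD_ONION, with and without DiscardPK.

Added example, not Bisq or Tor project code. FakeTorControl is a constructed
stand-in for tor's control port; its ServiceID / PrivateKey values are made up.
"""
import re

# "NNN-" = more lines follow, "NNN " = final line, "NNN+" = data block follows
_STATUS_RE = re.compile(r"^(\d{3})([ \-+])(.*)$")


def parse_reply(raw):
    """Parse one control-port reply such as "250-k=v\\r\\n250 OK\\r\\n" into (status, lines)."""
    status = None
    lines = []
    for line in raw.splitlines():
        m = _STATUS_RE.match(line)
        if not m:
            raise ValueError("malformed control reply line: %r" % line)
        code, sep, text = m.groups()
        if status is None:
            status = code
        elif code != status:
            raise ValueError("mixed status codes in one reply")
        lines.append(text)
        if sep == " ":  # space after the code marks the final line of the reply
            break
    else:
        raise ValueError("reply has no final line")
    return status, lines


def add_onion_command(port, discard_pk, key="NEW:BEST"):
    """Build the ADD_ONION command line; Flags=DiscardPK asks tor not to return the key."""
    flags = " Flags=DiscardPK" if discard_pk else ""
    return "ADD_ONION %s Port=%d%s\r\n" % (key, port, flags)


class ControlClient:
    def __init__(self, conn):
        self.conn = conn  # anything with sendall()/recv(), e.g. a socket to the ControlPort

    def send(self, command):
        self.conn.sendall(command.encode("ascii"))
        buf = b""
        while True:
            chunk = self.conn.recv(4096)
            if not chunk:
                raise ConnectionError("control port closed")
            buf += chunk
            # the reply is complete once a final "NNN <text>\r\n" line has arrived
            if re.search(rb"(?m)^\d{3} .*\r\n", buf):
                break
        return parse_reply(buf.decode("ascii"))

    def create_onion(self, port, discard_pk):
        status, lines = self.send("AUTHENTICATE\r\n")
        if status != "250":
            raise RuntimeError("AUTHENTICATE failed: %r" % lines)
        status, lines = self.send(add_onion_command(port, discard_pk))
        if status != "250":
            raise RuntimeError("ADD_ONION failed: %r" % lines)
        fields = dict(l.split("=", 1) for l in lines if "=" in l)
        return {
            "service_id": fields.get("ServiceID"),
            "private_key": fields.get("PrivateKey"),  # None when DiscardPK was honoured
        }


class FakeTorControl:
    """Constructed stand-in for tor's control port; answers only the two commands used above."""

    def __init__(self):
        self._out = b""

    def sendall(self, data):
        cmd = data.decode("ascii").strip()
        if cmd == "AUTHENTICATE":
            self._out += b"250 OK\r\n"
        elif cmd.startswith("ADD_ONION "):
            args = cmd.split()[1:]
            flags = [a[len("Flags="):].split(",") for a in args if a.startswith("Flags=")]
            discard = any("DiscardPK" in f for f in flags)
            reply = b"250-ServiceID=madeupserviceidxx\r\n"  # constructed, not a real onion
            if not discard:
                reply += b"250-PrivateKey=RSA1024:MADEUPKEYMATERIAL\r\n"  # constructed
            self._out += reply + b"250 OK\r\n"
        else:
            self._out += b"510 Unrecognized command\r\n"

    def recv(self, n):
        chunk, self._out = self._out[:n], self._out[n:]
        return chunk


def demo():
    """Run both exchanges from the post against the fake control port."""
    leaked = ControlClient(FakeTorControl()).create_onion(9999, discard_pk=False)
    discarded = ControlClient(FakeTorControl()).create_onion(9999, discard_pk=True)
    return leaked, discarded


if __name__ == "__main__":
    leaked, discarded = demo()
    print("without DiscardPK:", leaked)
    print("with DiscardPK:   ", discarded)
```

One consequence worth keeping in mind: with DiscardPK the key exists only inside the running tor process, so the service cannot be recreated with the same address after tor restarts. A client that wants a stable address has to hold the key itself and pass it back in a later ADD_ONION (as `RSA1024:<blob>` or `ED25519-V3:<blob>` instead of `NEW:BEST`), which is exactly the storage question the rest of this thread is about.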

#6

Well that would be worse for privacy, I guess, than just using an onion address that could be at least manually changed. If it was bound to the wallet, it would be able to identify the trader as long as he uses the same wallet, and it is easier and safer to generate new onion addresses and discard the old ones than to create a new wallet and discard the old wallet.

It seems like you know quite a bit about Tor, which devs might find useful, please consider joining Slack for dev discussions in future. Although it seems like Bisq is currently migrating from Slack to rocket.chat.

Currently Bisq is only communicating with its own Tor daemon that only has user privileges. I am not sure about any of this, but it makes sense to me that Bisq’s Tor daemon has to keep a private key somewhere in order to run a hidden service and since it is never run as root, it can only place them in the data directory.

In the new release, that is currently in testing, Bisq will be able to use an external Tor daemon as well, in which case I would assume this info would be very useful to devs, if not already taken into account.

As I said, perhaps the Slack channel or GitHub would be a better place to talk to the devs, since they don’t always visit forum regularly.