-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Calling blockchain providers leaks IP. #522
Comments
Yes that is on the todo list as well. |
yeah, I'm looking into the bitcoinj thing, that's why I noticed this issue with blockchain providers. I saw your todo tor comment for HttpClient. Just added this issue for tracking purposes. |
Thanks. If you have time to check out how to route the http content over our tor socket would be great! |
update. It is actually very simple to route the existing HttpClient over a socks proxy. You just pass a Proxy object to the url.openConnection() call, and voila! The big problem with this approach is that DNS resolution is done locally, so it leaks IP in that fashion. Maybe not a big concern for most, but I was not satisfied. I feel like it is a much simpler story if we can just tell people that all network requests are routed over tor when Tor proxy enabled. I did a long search for solutions on the internet and it is pretty depressing actually. It boils down to, java framework does not directly support remote DNS nor any third party libraries I could find. Apache HttpClient does support socks, just not remote DNS, and I was able to find a stackexchange answer demonstrating a technique that I successfully integrated into BitSquare. I tested it, and it works fine with bitcoinaverage. That's the good news. The bad news is that poloniex uses cloudflare which puts up a captcha page whenever they detect traffic from a Tor exit node. I don't see any good way around that. And I suspect several of the other API providers may as well, though I haven't tested them explicitly. Possible solutions:
Anyway, I will go ahead and finish up the basic integration and submit that as a pull request. The code is written so that the proxying functionality can be easily enabled/disabled at runtime. |
Wow great progress! I am still very busy with the trade statistic so I cannot have a closer look. But seems the F**king cloudflare issue with Tor is a real problem. I don't want to change the price provider as that would break backward compatibility. |
Yeah, I reviewed the jsocks classes a few times. It only implements a socks proxy; there is nothing to help with the client-side tasks of sending DNS queries over the proxy or making http requests. That's true that the blockchain providers are more important. I'm not sure what yet exactly they are used for in bitsquare, or how to test without actually making trades. Anyway, it should be simple enough for me to wire them up, and then you can review when you have more time.
|
The blockchain providers are only used when the user clicks on a tx id or address. Bitsquare never connects to them by itself. The price feed providers are called automatically though. I was thinking as well on that hosted proxy, but did not follow it up for the same reason :-). |
hmm. well Utilities.openWebPage() invokes external web browser, so as far as I can see, that's not our responsibility to route over Tor. Though quite possibly should warn user!! It is the callers of HttpClient.requestWithGet that I believe this issue deals with, though I could quite possibly be missing something. Haven't done an exhaustive search yet. let's see...
FeeProvider:
PriceProvider
Ok, so I tracked down the callers of FeeProvider and it seems it is only used by CreateOfferDataModel and TakeOfferDataModel, both of which have commented out the call to requestFee. So the fee providers are not being used at all now, correct? In that case, this issue only involves BitcoinAverage and Poloniex. correct statement? |
Ah yeah, my fault, sorry... Yes the blockchain explorers are only called via web browser. So as you said a warning should be enough. |
I'm having some difficulty getting HttpClient to accept a Socks5Proxy in its constructor. This is because PriceFeed is used in many places and I can't seem to find exactly where instantiated. I guess this has to do with injection, which I'm not familiar with? I suspect the right thing to do may be to create a Singleton for Socks5Proxy. or maybe something to do with injection? I'm not really a java guy, and not sure of best approach. So if you can point me the way, or just make a Socks5Proxy singleton available for HttpClient, that would be helpful, and then I can wrap this up. |
Yes with guice you jus pass the object in the constructor and get in instantiated by guice. You can create a Singleton for it if that works for you. I can refactor it later using guice. |
Any new idea regardign Poloniex/Cloudflare issue? I think I will route it to non-proxy if the bitsquare proxy is used and display a popup with info. If the user has setup an external proxy i dont route non-proxy. Worst case the dont get price feed id he use external Tor proxy, but there is no really point to use an external tor proxy as it will behave the same like the internal. Though if the user uses other proxies (i2p,...) he might have luck to get over f**cking cloudflare. |
I pushed to Dev branch. If you like you can check it out and test if all works. I did not test much yet... |
Browsing through the source code I noticed that calls to API providers are not routed over Tor. This is a privacy leak.
A quick list I found:
Fee Providers: blockr, blocktrail, Tradeblock
core/src/main/java/io/bitsquare/btc/blockchain/providers/
Price Providers: bitcoinaverage, poloniex.
core/src/main/java/io/bitsquare/btc/pricefeed/providers/
The text was updated successfully, but these errors were encountered: