Encrypt or remove saved trader chats and trade data on local Bisq instances #5396
Comments
Yep. As per chat, completely agree. I'd want my trade info encrypted, and after a period of time ideally removed from as well. |
The persistence subsystem in Bisq is tricky and I would like to get @chimp1984's opinion about this topic. Would be great if he could write a quick dev spec, sharing opinions on how it would best be tackled. One thing that sprang to mind is that if the user changes his onion address, there will have to be coordination with the encryption mechanism so that user is not permanently locked out of his own data. Currently all database is clear & unencrypted on user's own drive except for Mailbox/ProtectedStorage. When spec'd I would be interested in tackling an implementation possibly in collab with @BtcContributor. |
I think the benefits/costs have to be considered. No strong opinion here, but I guess there are more important and easier to achieve improvements. Some considerations:
Not saying it should not be done, just that it is not trivial and comes with some risks and complexities. |
👍 |
Would it be possible to keep the files unencrypted but only keep trade data / chats for a period of 30 days following trade moving to history or failed? I appreciate the encryption aspect might come with risks and complexities, but is there another way of achieving user privacy and reducing the risks of an instance of Bisq with lots of data on it being compromised? |
Yes that might be a good compromise and even more effective as encryption does not prevent that the data might get revealed any time later. Should not be too hard to check at some interval for historical data and prune private data out of it. |
I would not encrypt my Bisq, because I already encrypt my whole system. And a Bisq database with years of collected trading peers will become more and more dangerous. As a power user with a large database with many trading peers, I already had the same thinking and I feel the danger if such a database becomes compromised. |
Thanks @Xa5r for the helpful comments. Seems like leaving the files unencrypted but only having data being available for a limited time is a good solution. Maybe start at sensitive data being removed after 365 days from traders', mediators' and arbitrators' Bisq instances. Would this be an acceptable solution? |
Why so long? A year is a lot of sensitive exposed trading data. The shortest period of time acceptable? How do we guarantee destruction/removal? |
I would be happy with keeping the trade data for the minimum amount of time possible. On a couple of occasions I have had to access trade data over 1 month old due to payout transactions not confirming. Maybe @leo816 @huey735 and @refund-agent2 can let us know what would be the recommended amount of time needed to keep the trade data. |
We could use the confirmations of the trade payout tx to see if a trade is really completed. Once that has sufficient confirmations there is not much reason for a need to access the data. |
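The pruning rule proposed in the comments above (scan historical trades at an interval, treat payout confirmations as the completion signal, drop private data once a retention period has passed), as an added example that is not Bisq code. Every type and name is hypothetical, and the 30-day window and 6-confirmation threshold are assumed values.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.List;

// Added illustration; all types and names are hypothetical, not Bisq classes.
public class TradeDataPruner {
    // Minimal stand-in for one persisted historical trade.
    record TradeRecord(String tradeId, Instant closedAt, int payoutConfirmations,
                       boolean disputeOpen, List<String> chatMessages, String peerPaymentDetails) {
        // Copy with the private fields dropped; id and timing stay for the user's history.
        TradeRecord redacted() {
            return new TradeRecord(tradeId, closedAt, payoutConfirmations, disputeOpen, List.of(), null);
        }
        boolean holdsPrivateData() {
            return !chatMessages.isEmpty() || peerPaymentDetails != null;
        }
    }

    private final Duration retention;   // assumed policy value
    private final int minConfirmations; // assumed policy value

    TradeDataPruner(Duration retention, int minConfirmations) {
        this.retention = retention;
        this.minConfirmations = minConfirmations;
    }

    // Prunable only when nothing can still need the data: no open dispute,
    // payout confirmed deeply enough, and the retention window has elapsed.
    boolean isPrunable(TradeRecord t, Instant now) {
        return t.holdsPrivateData()
                && !t.disputeOpen()
                && t.payoutConfirmations() >= minConfirmations
                && !t.closedAt().plus(retention).isAfter(now);
    }

    // Returns the list to persist; the caller replaces the stored file with it.
    List<TradeRecord> prune(List<TradeRecord> history, Instant now) {
        return history.stream().map(t -> isPrunable(t, now) ? t.redacted() : t).toList();
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2021-06-01T00:00:00Z"); // constructed sample data below
        List<TradeRecord> history = List.of(
            new TradeRecord("T1", now.minus(Duration.ofDays(45)), 120, false, List.of("sample chat"), "acct-A"),
            new TradeRecord("T2", now.minus(Duration.ofDays(45)), 0, false, List.of("tx stuck?"), "acct-B"),
            new TradeRecord("T3", now.minus(Duration.ofDays(5)), 30, false, List.of("thanks"), "acct-C"));
        for (TradeRecord t : new TradeDataPruner(Duration.ofDays(30), 6).prune(history, now)) {
            System.out.println(t.tradeId() + " privateData=" + t.holdsPrivateData());
        }
    }
}
```

Only T1 is redacted: T2 is old but its payout is unconfirmed, the case described above where month-old trade data was still needed, and T3 is confirmed but still inside the retention window. Replacing the stored file with the pruned list does not by itself guarantee that earlier copies are erased from the disk.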
Thanks @chimp1984, this all sounds good to me. I understand it is not foolproof, but it would result in a lot less sensitive trade data being on users' Bisq instances. |
Adjustable scale if there's a broad range of acceptable times by use case.
But choice as well. If I want it a week, or all acceptable trades after they are done, if I get a notification/warning I won't be able to seek escalation, accept that, then so be it.
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Please revert, stale bot. Still relevant. |
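Relevant incident in Bisq Community Forum (https://bisq.community/t/had-recently-a-raid-and-the-police-got-infos-from-many-bisq-traders/11353/5) for why this is important. |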
Must rectify
|
Commenting to say that removal of trader chats is still to be addressed. |
Description
I have created this issue from the discussion on the Bisq community forum, "Is trader chat saved?".
Currently the following information is available on users' local Bisq instances
I am unsure what trade information is unencrypted on mediators' or arbitrators' Bisq instances.
Having trade chats and trade data saved on local Bisq instances is a security concern for both traders and everyone they have traded with.
Having trade chats and trade data saved on mediators' or arbitrators' Bisq instances is a security concern for everyone they have mediated / arbitrated.
Traders with lots of trades, mediators and arbitrators will end up being a centralized source of unencrypted data. This puts users of Bisq at risk.
Version
v1.6.2
Steps to reproduce
open \Bisq\btc_mainnet\db\
There might be more. I have not checked all the files for unencrypted data.
Expected behaviour
Chat and trade data to be encrypted.
Not sure if there should be a time limit for how long this data is kept?
Actual behaviour
Chats and trade data are stored unencrypted.
Screenshots
Taken from: https://bisq.community/t/is-trader-chat-saved/10539/14