summaryrefslogtreecommitdiff
path: root/75/e03aa69a2eca943dd4569b6b9df604f0c64a92
blob: 1b5d01d56a9d06d83953c1e0b17470fe6ae2a7e3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
Return-Path: <kristovatlas.lists@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id D6C4A7AD
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun, 30 Aug 2015 19:45:09 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-ob0-f180.google.com (mail-ob0-f180.google.com
	[209.85.214.180])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 396D4195
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun, 30 Aug 2015 19:45:08 +0000 (UTC)
Received: by obkg7 with SMTP id g7so76520870obk.3
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Sun, 30 Aug 2015 12:45:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
	h=mime-version:in-reply-to:references:date:message-id:subject:from:to
	:cc:content-type;
	bh=sMpbDpumBETRzIBWrpLbo7Z2JHrsFuiJsKQ0TtVTbas=;
	b=Vdm5I6iy9xZwfvofKDxInfjCWK7HFvk5AJfF+dQp0OK5qfX7i22hpAm3mpoHBy5krD
	C64KOSnx2xfumuCLdoOs9uesVqmIhBm7b1EVZSCOq3PNm93Rb0RE7RWUuq4nWjqVTkNq
	FrlV6tlsZuo/ui8/1ArZwef46/cC7RK9FErhfBRRjxwfiPUYnI/l2yeYb7Okozo9YkR4
	yLjGgvOjRGzlZmLlEWv1a+BaKRfYQSJBpxLAwr5IHDIaDEE1ywr1YWGP9I4MOS+O4kFf
	96NxhmoJDAVsH6pTz+AUc4WIuGhOl2V2TA+Q3h8qc3rDE217sYD3X6Qx6mSAoAuDx+nK
	+hzQ==
MIME-Version: 1.0
X-Received: by 10.60.45.104 with SMTP id l8mr12206621oem.61.1440963907438;
	Sun, 30 Aug 2015 12:45:07 -0700 (PDT)
Received: by 10.202.183.215 with HTTP; Sun, 30 Aug 2015 12:45:07 -0700 (PDT)
In-Reply-To: <b0813349d690442d6ef3961748d1c9fb@openbitcoinprivacyproject.org>
References: <b0813349d690442d6ef3961748d1c9fb@openbitcoinprivacyproject.org>
Date: Sun, 30 Aug 2015 15:45:07 -0400
Message-ID: <CAGH37SLB2bsSCzC1+u-L6v1bQ305MLvDE2uXHVGCy7y61mE5bQ@mail.gmail.com>
From: Kristov Atlas <kristovatlas.lists@gmail.com>
To: wei@openbitcoinprivacyproject.org
Content-Type: multipart/alternative; boundary=089e0149ce38d65ff1051e8c8d1e
X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_LOW
	autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] Open Bitcoin Privacy Protect Privacy
 Questionnaire, Mid-Year 2015 report
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Development Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Aug 2015 19:45:10 -0000

--089e0149ce38d65ff1051e8c8d1e
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi Wei,

As you know, I'm not a developer of Bitcoin-Qt, but we'll need to make our
best guesses for these answers if the developers won't reply. I'm going to
post my best guesses here so that people reading the list have a short
window of opportunity to correct me if they wish.


On Fri, Aug 7, 2015 at 2:46 PM, Wei via bitcoin-dev <
bitcoin-dev@lists.linuxfoundation.org> wrote:

>         Transaction Formatting
>
> 1.      Does your application take any steps to create ambiguity between
> transactions which unavoidably spend from multiple addresses at the same
> time and intentional mixing transactions?
>

No, Bitcoin-Qt does not try to make non-mixing transactions look like
mixing transactions.


> 2.      What algorithms does your application use for ordering inputs and
> outputs in a transaction? In particular, how do you handle the change
> output and do you take into account common practices of other wallet
> applications when determining ordering?
>

Not yet BIP 69. These notes suggest that outputs are randomized:
https://bitcoin.org/en/release/v0.8.1


> 3.      Does your application minimize the harmful effects of address
> reuse by spending every spendable input (=E2=80=9Csweeping=E2=80=9D) from=
 an address when a
> transaction is created?
>

Unknown

4.      Does your application fully implement BIP 62?
>

Here's a detailed answer on stack exchange:
http://bitcoin.stackexchange.com/questions/35904/how-much-of-bip-62-dealing=
-with-malleability-has-been-implemented

By item, my extremely brief interpretation:

Non-DER encoded ECDSA signatures: BIP66 soft fork has happened, so this is
presumed to be implemented
Non-push operations in scriptSig: Implemented
Push operations in scriptSig of non-standard size type: Implemented in 0.9.=
0
Zero-padded number pushes: Implemented in 0.10.0 (current available version
is 0.11.0)
Inherent ECDSA signature malleability: ...implemented?
Superfluous scriptSig operations: implemented 0.6.0
Inputs ignored by scripts: Only partly addressed by 0.10.0.  It appears
that the rest would require changes to consensus rules, so Bitcoin-Qt is as
compliant as it can be.
Sighash flags based masking and New signatures by the sender: Can't be
implemented without changes to consensus rules.

I would summarize this as a "yes."


>
> Mixing
>
> 5.      If your application supports mixing:
>

It doesn't. There's an issue for CoinJoin here:
https://github.com/bitcoin/bitcoin/issues/3226


> a.      What is the average number of participants a user can expect to
> interact with on a typical join transaction?
> b.      Does your application attempt to construct join transactions in a
> way that avoids distinguishing them from non-join transactions?
> c.      Does your application perform any kind of reversibility analysis
> on join transactions prior to presenting them to the user for confirmatio=
n?
> d.      Is the mixing technique employed secure against correlation
> attacks by the facilitator, such as a CoinJoin server or off-chain mixing
> service?
> e.      Is the mixing technique employed secure against theft of funds by
> the facilitator or its participants?
>
> Donations
>
> 6.      If your application has a fee or donation to the developers
> feature:
>

No donation feature last time I checked.


> a.      What steps do you take to make the donations indistinguishable
> from regular spend in terms of output sizes and destination addresses?
>
> Balance Queries and Tx Broadcasting
>
> 7.      Please describe how your application obtains balance information
> in terms of how queries from the user=E2=80=99s device can reveal a conne=
ction
> between the addresses in their wallet.
> a.      Does the application keep a complete copy of the blockchain
> locally (full node)?
>

Yes


> b.      Does the user=E2=80=99s device provide a filter which matches som=
e
> fraction of the blockchain while providing a false positive rate (bloom o=
r
> prefix filters)?
>

No, it just downloads the whole blockchain and performs local queries.


> i.      If so, approximately what fraction of the blockchain does the
> filter match in a default configuration (0% - 100%)?
>

100%, unless a user bootstraps downloading the blockchain. Bootstrapping
will potentially limit the user's anonymity set to other people who have
downloaded that bootstrap.dat file.


> c.      Does the user=E2=80=99s device query all of their addresses at th=
e same
> time?
>

N/A


> d.      Does the user=E2=80=99s device query addresses individually in a =
manner
> that does not allow the query responder to correlate queries for differen=
t
> addresses?
>

No. Just download blocks and processes that information locally.


> e.      Can users opt to obtain their balance information via Tor (or
> equivalent means)?
>

If Tor is set up as a SOCKS proxy, you can configure Bitcoin-QT download
the blockchain and broadcast txs through a single Tor circuit. This can be
configured once before opening Bitcoin-Qt.

8.      Does the applications route outgoing transactions independently
> from the manner in which it obtains balance information? Can users opt to
> have their transactions submitted to the Bitcoin network via Tor (or an
> equivalent means) independently of how they obtain their balance
> information?
>

No, you can only configure a single proxy.


> 9.      If your application supports multiple identities/wallets, does
> each one connect to the network as if it were completely independent from
> the other?
>

No built-in support for multiple identities. You can hotswap wallet files
to crudely simulate this. You'd have to manually change the Tor connection
outside of Bitcoin-Qt to create the effect of making the network
connections independent.


> a.      Does the application ever request balance information for
> addresses belonging to multiple identities in the same network query?
>

Blocks are downloaded and tx broadcasts received/relayed rather than
querying the utxo set for a particular address. When swapping between
wallet files, some information may be leaked e.g. the client may be at the
same block height in terms of what it has downloaded from the p2p network,
which may leak to global passive adversaries/AS's or sybil attackers the
fact that a single client was used for multiple wallets.


> b.      Are outgoing transactions from multiple identities routed
> independently of each other to the Bitcoin network?
>

Transactions from multiple identities would not be routed at the same time.
I'm not clear what happens if you have a single wallet (identity) open and
then open a new wallet (identity) without closing Bitcoin-Qt -- some of the
same routing paths may still be used such that an attacker might observe
transactions broadast signed by private keys from multiple wallets
(identities) and observe that they appear to come from the same wallet
client. OBPP should assume the worst unless prevented contrary evidence.


> c.      When an identity/wallet is deleted, does the deletion process
> eliminate all evidence from the user's device that the wallet was
> previously installed?
>

Identity is primarily tied to a wallet.dat file. Deleting it will remove
most of the evidence that the wallet was installed on that device, but
there may be some extra information in ancillary files that should also be
deleted.  This is an OS-level function, as there is no operation built into
the client to delete a wallet file (identity).


>         Network Privacy
>
> 10.     When a user performs a backup operation for their wallet, does
> this generate any automatic network activity, such as a web query or emai=
l?
>

No. Backups are local, and no email or SMS is linked. No web queries
related to backup.


> 11.     Does your application perform any lookup external to the user=E2=
=80=99s
> device related to identifying transaction senders or recipients?
>

No


> 12.     Does you application connect to known endpoints which would be
> visible to an ISP, such as your domain?
>

Yes, some connections to known p2p full nodes to bootstrap the connection
to the Bitcoin p2p network. This is configurable, but there are defaults.
An ISP is likely to be able to identify a customer as running the
Bitcoin-Qt client in particular on this basis.


> 13.     If your application connects directly to nodes in the Bitcoin P2P
> network, does it either use an unremarkable user agent string (Bitcoin
> Core. BitcoinJ, etc), or randomize its user agent on each connection?
>

BIP12 specifies format for user agents:
https://github.com/bitcoin/bips/blob/master/bip-0014.mediawiki

It appears that the Bitcoin-QT leaks specific information about its client
version through User Agent. This file defines the current client version:
https://github.com/bitcoin/bitcoin/blob/55294a9fb673ab0a7c99b9c18279fe12a5a=
07890/src/clientversion.h

Various other files seem to use this to build up the UA string, which is
transmitted to other peers.


>
>         Physical Access
>
> 14.     Does the application uninstall process for your application
> eliminate all evidence from the user's device that the application was
> previously installed? Does it also eliminate wallet data?
>

Probably depends on the platform. Last time I checked, I think Bitcoin-Qt
leaves behind a .bitcoin directory on most platforms even after you run an
uninstall script.


> 15.     Does your application use techniques such as steganography to
> store persistent wallet metadata in a form not identifiable as belong to =
a
> Bitcoin wallet application?
>

No


> 16.     Please describe the degree to which users can use passwords/PINs
> to protect their data:
> a.      Can the user set a password/PIN to protect their private keys?
>

You can encrypt the wallet file with a password. The wallet is "locked"
until the password is entered, preventing decryption of the private keys.


> b.      Can the user set a password/PIN to protect their public keys and
> balance information?
>

No -- any wallet.dat file can be opened and the public keys inspected
without the password.


> c.      Can the user set a password/PIN to encrypt other wallet metadata,
> such as address books and transaction notes?
>

No -- any wallet.dat file can be opened and the metadata inspected without
the password.


> d.      Does the application use a single password/PIN to cover all
> protected data, or does it allow the use of multiple passwords/PINs?
>

A single password for the wallet file.


>
> Custodianship
>
> 17.     Do you as a wallet provider ever have access to unencrypted copie=
s
> of the user=E2=80=99s private keys, public keys, or any other wallet meta=
data which
> may be used to associate a user with their transactions or balances?
>

No custodianship.


>        Telemetry Data
>
> 18.     If your application reports telemetry data, such as usage
> information or automatic crash reporting, does the user have the
> opportunity to review and approve all information transmitted before it i=
s
> sent?
>

No obvious telemetry data being sent.


>         Source Code and Building
>
> 19.     Can a user of your application compile the application themselves
> in a manner that produces a binary version identical to the version you
> distribute (deterministic build system)?
>

Yes, I think that's the point of the gitian stuff.

-Kristov

--089e0149ce38d65ff1051e8c8d1e
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi Wei,<br><br></div>As you know, I&#39;m not a devel=
oper of Bitcoin-Qt, but we&#39;ll need to make our best guesses for these a=
nswers if the developers won&#39;t reply. I&#39;m going to post my best gue=
sses here so that people reading the list have a short window of opportunit=
y to correct me if they wish.<br><br><div class=3D"gmail_extra"><br><div cl=
ass=3D"gmail_quote">On Fri, Aug 7, 2015 at 2:46 PM, Wei via bitcoin-dev <sp=
an dir=3D"ltr">&lt;<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org"=
 target=3D"_blank">bitcoin-dev@lists.linuxfoundation.org</a>&gt;</span> wro=
te:<br><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;=
border-left:1px solid rgb(204,204,204);padding-left:1ex">
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Transaction Formatting<br>
<br>
1.=C2=A0 =C2=A0 =C2=A0 Does your application take any steps to create ambig=
uity between transactions which unavoidably spend from multiple addresses a=
t the same time and intentional mixing transactions?<br></blockquote><div><=
br></div><div>No, Bitcoin-Qt does not try to make non-mixing transactions l=
ook like mixing transactions.<br></div><div>=C2=A0</div><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg=
b(204,204,204);padding-left:1ex">
2.=C2=A0 =C2=A0 =C2=A0 What algorithms does your application use for orderi=
ng inputs and outputs in a transaction? In particular, how do you handle th=
e change output and do you take into account common practices of other wall=
et applications when determining ordering?<br></blockquote><div><br></div><=
div>Not yet BIP 69. These notes suggest that outputs are randomized: <a hre=
f=3D"https://bitcoin.org/en/release/v0.8.1">https://bitcoin.org/en/release/=
v0.8.1</a><br></div><div>=C2=A0</div><blockquote class=3D"gmail_quote" styl=
e=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddin=
g-left:1ex">
3.=C2=A0 =C2=A0 =C2=A0 Does your application minimize the harmful effects o=
f address reuse by spending every spendable input (=E2=80=9Csweeping=E2=80=
=9D) from an address when a transaction is created?<br></blockquote><div><b=
r></div><div>Unknown <br></div><div><br></div><blockquote class=3D"gmail_qu=
ote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,20=
4);padding-left:1ex">
4.=C2=A0 =C2=A0 =C2=A0 Does your application fully implement BIP 62?<br></b=
lockquote><div><br></div><div>Here&#39;s a detailed answer on stack exchang=
e: <a href=3D"http://bitcoin.stackexchange.com/questions/35904/how-much-of-=
bip-62-dealing-with-malleability-has-been-implemented">http://bitcoin.stack=
exchange.com/questions/35904/how-much-of-bip-62-dealing-with-malleability-h=
as-been-implemented</a><br><br></div><div>By item, my extremely brief inter=
pretation:<br><br>Non-DER encoded ECDSA signatures: BIP66 soft fork has hap=
pened, so this is presumed to be implemented<br>Non-push operations in scri=
ptSig: Implemented<br>Push operations in scriptSig of non-standard size typ=
e: Implemented in 0.9.0<br>Zero-padded number pushes: Implemented in 0.10.0=
 (current available version is 0.11.0)<br>Inherent ECDSA signature malleabi=
lity: ...implemented?<br></div><div>Superfluous scriptSig operations: imple=
mented 0.6.0<br>Inputs ignored by scripts: Only partly addressed by 0.10.0.=
=C2=A0 It appears that the rest would require changes to consensus rules, s=
o Bitcoin-Qt is as compliant as it can be.<br>Sighash flags based masking a=
nd New signatures by the sender: Can&#39;t be implemented without changes t=
o consensus rules.<br><br></div><div>I would summarize this as a &quot;yes.=
&quot;<br></div><div></div><div>=C2=A0</div><blockquote class=3D"gmail_quot=
e" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204)=
;padding-left:1ex">
<br>
Mixing<br>
<br>
5.=C2=A0 =C2=A0 =C2=A0 If your application supports mixing:<br></blockquote=
><div><br></div><div>It doesn&#39;t. There&#39;s an issue for CoinJoin here=
: <a href=3D"https://github.com/bitcoin/bitcoin/issues/3226">https://github=
.com/bitcoin/bitcoin/issues/3226</a><br>=C2=A0<br></div><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg=
b(204,204,204);padding-left:1ex">
a.=C2=A0 =C2=A0 =C2=A0 What is the average number of participants a user ca=
n expect to interact with on a typical join transaction?<br>
b.=C2=A0 =C2=A0 =C2=A0 Does your application attempt to construct join tran=
sactions in a way that avoids distinguishing them from non-join transaction=
s?<br>
c.=C2=A0 =C2=A0 =C2=A0 Does your application perform any kind of reversibil=
ity analysis on join transactions prior to presenting them to the user for =
confirmation?<br>
d.=C2=A0 =C2=A0 =C2=A0 Is the mixing technique employed secure against corr=
elation attacks by the facilitator, such as a CoinJoin server or off-chain =
mixing service?<br>
e.=C2=A0 =C2=A0 =C2=A0 Is the mixing technique employed secure against thef=
t of funds by the facilitator or its participants?<br>
<br>
Donations<br>
<br>
6.=C2=A0 =C2=A0 =C2=A0 If your application has a fee or donation to the dev=
elopers feature:<br></blockquote><div><br></div><div>No donation feature la=
st time I checked.<br>=C2=A0<br></div><blockquote class=3D"gmail_quote" sty=
le=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddi=
ng-left:1ex">
a.=C2=A0 =C2=A0 =C2=A0 What steps do you take to make the donations indisti=
nguishable from regular spend in terms of output sizes and destination addr=
esses?<br>
<br>
Balance Queries and Tx Broadcasting<br>
<br>
7.=C2=A0 =C2=A0 =C2=A0 Please describe how your application obtains balance=
 information in terms of how queries from the user=E2=80=99s device can rev=
eal a connection between the addresses in their wallet.<br>
a.=C2=A0 =C2=A0 =C2=A0 Does the application keep a complete copy of the blo=
ckchain locally (full node)?<br></blockquote><div><br></div><div>Yes<br>=C2=
=A0<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px =
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
b.=C2=A0 =C2=A0 =C2=A0 Does the user=E2=80=99s device provide a filter whic=
h matches some fraction of the blockchain while providing a false positive =
rate (bloom or prefix filters)?<br></blockquote><div><br></div><div>No, it =
just downloads the whole blockchain and performs local queries.<br>=C2=A0<b=
r></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex=
;border-left:1px solid rgb(204,204,204);padding-left:1ex">
i.=C2=A0 =C2=A0 =C2=A0 If so, approximately what fraction of the blockchain=
 does the filter match in a default configuration (0% - 100%)?<br></blockqu=
ote><div><br></div><div>100%, unless a user bootstraps downloading the bloc=
kchain. Bootstrapping will potentially limit the user&#39;s anonymity set t=
o other people who have downloaded that bootstrap.dat file.<br></div><div>=
=C2=A0<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0=
px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
c.=C2=A0 =C2=A0 =C2=A0 Does the user=E2=80=99s device query all of their ad=
dresses at the same time?<br></blockquote><div><br></div><div>N/A<br>=C2=A0=
<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8=
ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
d.=C2=A0 =C2=A0 =C2=A0 Does the user=E2=80=99s device query addresses indiv=
idually in a manner that does not allow the query responder to correlate qu=
eries for different addresses?<br></blockquote><div><br></div><div>No. Just=
 download blocks and processes that information locally.<br>=C2=A0<br></div=
><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border=
-left:1px solid rgb(204,204,204);padding-left:1ex">
e.=C2=A0 =C2=A0 =C2=A0 Can users opt to obtain their balance information vi=
a Tor (or equivalent means)?<br></blockquote><div><br></div><div>If Tor is =
set up as a SOCKS proxy, you can configure Bitcoin-QT download the blockcha=
in and broadcast txs through a single Tor circuit. This can be configured o=
nce before opening Bitcoin-Qt.<br><br></div><blockquote class=3D"gmail_quot=
e" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204)=
;padding-left:1ex">
8.=C2=A0 =C2=A0 =C2=A0 Does the applications route outgoing transactions in=
dependently from the manner in which it obtains balance information? Can us=
ers opt to have their transactions submitted to the Bitcoin network via Tor=
 (or an equivalent means) independently of how they obtain their balance in=
formation?<br></blockquote><div><br></div><div>No, you can only configure a=
 single proxy.<br></div><div>=C2=A0</div><blockquote class=3D"gmail_quote" =
style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);pa=
dding-left:1ex">
9.=C2=A0 =C2=A0 =C2=A0 If your application supports multiple identities/wal=
lets, does each one connect to the network as if it were completely indepen=
dent from the other?<br></blockquote><div><br></div><div>No built-in suppor=
t for multiple identities. You can hotswap wallet files to crudely simulate=
 this. You&#39;d have to manually change the Tor connection outside of Bitc=
oin-Qt to create the effect of making the network connections independent.<=
br>=C2=A0<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0p=
x 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
a.=C2=A0 =C2=A0 =C2=A0 Does the application ever request balance informatio=
n for addresses belonging to multiple identities in the same network query?=
<br></blockquote><div><br></div><div>Blocks are downloaded and tx broadcast=
s received/relayed rather than querying the utxo set for a particular addre=
ss. When swapping between wallet files, some information may be leaked e.g.=
 the client may be at the same block height in terms of what it has downloa=
ded from the p2p network, which may leak to global passive adversaries/AS&#=
39;s or sybil attackers the fact that a single client was used for multiple=
 wallets.<br></div><div>=C2=A0<br></div><blockquote class=3D"gmail_quote" s=
tyle=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);pad=
ding-left:1ex">
b.=C2=A0 =C2=A0 =C2=A0 Are outgoing transactions from multiple identities r=
outed independently of each other to the Bitcoin network?<br></blockquote><=
div><br></div><div>Transactions from multiple identities would not be route=
d at the same time. I&#39;m not clear what happens if you have a single wal=
let (identity) open and then open a new wallet (identity) without closing B=
itcoin-Qt -- some of the same routing paths may still be used such that an =
attacker might observe transactions broadast signed by private keys from mu=
ltiple wallets (identities) and observe that they appear to come from the s=
ame wallet client. OBPP should assume the worst unless prevented contrary e=
vidence.<br></div><div>=C2=A0<br></div><blockquote class=3D"gmail_quote" st=
yle=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padd=
ing-left:1ex">
c.=C2=A0 =C2=A0 =C2=A0 When an identity/wallet is deleted, does the deletio=
n process eliminate all evidence from the user&#39;s device that the wallet=
 was previously installed?<br></blockquote><div><br></div><div>Identity is =
primarily tied to a wallet.dat file. Deleting it will remove most of the ev=
idence that the wallet was installed on that device, but there may be some =
extra information in ancillary files that should also be deleted.=C2=A0 Thi=
s is an OS-level function, as there is no operation built into the client t=
o delete a wallet file (identity).<br><br></div><blockquote class=3D"gmail_=
quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,=
204);padding-left:1ex">
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Network Privacy<br>
<br>
10.=C2=A0 =C2=A0 =C2=A0When a user performs a backup operation for their wa=
llet, does this generate any automatic network activity, such as a web quer=
y or email?<br></blockquote><div><br></div><div>No. Backups are local, and =
no email or SMS is linked. No web queries related to backup.<br>=C2=A0<br><=
/div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bo=
rder-left:1px solid rgb(204,204,204);padding-left:1ex">
11.=C2=A0 =C2=A0 =C2=A0Does your application perform any lookup external to=
 the user=E2=80=99s device related to identifying transaction senders or re=
cipients?<br></blockquote><div><br></div><div>No<br>=C2=A0<br></div><blockq=
uote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1p=
x solid rgb(204,204,204);padding-left:1ex">
12.=C2=A0 =C2=A0 =C2=A0Does you application connect to known endpoints whic=
h would be visible to an ISP, such as your domain?<br></blockquote><div><br=
></div><div>Yes, some connections to known p2p full nodes to bootstrap the =
connection to the Bitcoin p2p network. This is configurable, but there are =
defaults. An ISP is likely to be able to identify a customer as running the=
 Bitcoin-Qt client in particular on this basis.<br>=C2=A0<br></div><blockqu=
ote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px=
 solid rgb(204,204,204);padding-left:1ex">
13.=C2=A0 =C2=A0 =C2=A0If your application connects directly to nodes in th=
e Bitcoin P2P network, does it either use an unremarkable user agent string=
 (Bitcoin Core. BitcoinJ, etc), or randomize its user agent on each connect=
ion?<br></blockquote><div><br></div><div>BIP12 specifies format for user ag=
ents: <a href=3D"https://github.com/bitcoin/bips/blob/master/bip-0014.media=
wiki">https://github.com/bitcoin/bips/blob/master/bip-0014.mediawiki</a><br=
><br></div><div>It appears that the Bitcoin-QT leaks specific information a=
bout its client version through User Agent. This file defines the current c=
lient version:<br><a href=3D"https://github.com/bitcoin/bitcoin/blob/55294a=
9fb673ab0a7c99b9c18279fe12a5a07890/src/clientversion.h">https://github.com/=
bitcoin/bitcoin/blob/55294a9fb673ab0a7c99b9c18279fe12a5a07890/src/clientver=
sion.h</a><br><br></div><div>Various other files seem to use this to build =
up the UA string, which is transmitted to other peers.<br>=C2=A0<br></div><=
blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-l=
eft:1px solid rgb(204,204,204);padding-left:1ex">
<br>
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Physical Access<br>
<br>
14.=C2=A0 =C2=A0 =C2=A0Does the application uninstall process for your appl=
ication eliminate all evidence from the user&#39;s device that the applicat=
ion was previously installed? Does it also eliminate wallet data?<br></bloc=
kquote><div><br></div><div>Probably depends on the platform. Last time I ch=
ecked, I think Bitcoin-Qt leaves behind a .bitcoin directory on most platfo=
rms even after you run an uninstall script.<br>=C2=A0<br></div><blockquote =
class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px sol=
id rgb(204,204,204);padding-left:1ex">
15.=C2=A0 =C2=A0 =C2=A0Does your application use techniques such as stegano=
graphy to store persistent wallet metadata in a form not identifiable as be=
long to a Bitcoin wallet application?<br></blockquote><div><br></div><div>N=
o<br>=C2=A0<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
16.=C2=A0 =C2=A0 =C2=A0Please describe the degree to which users can use pa=
sswords/PINs to protect their data:<br>
a.=C2=A0 =C2=A0 =C2=A0 Can the user set a password/PIN to protect their pri=
vate keys?<br></blockquote><div><br></div><div>You can encrypt the wallet f=
ile with a password. The wallet is &quot;locked&quot; until the password is=
 entered, preventing decryption of the private keys.<br>=C2=A0<br></div><bl=
ockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-lef=
t:1px solid rgb(204,204,204);padding-left:1ex">
b.=C2=A0 =C2=A0 =C2=A0 Can the user set a password/PIN to protect their pub=
lic keys and balance information?<br></blockquote><div><br></div><div>No --=
 any wallet.dat file can be opened and the public keys inspected without th=
e password.<br>=C2=A0<br></div><blockquote class=3D"gmail_quote" style=3D"m=
argin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left=
:1ex">
c.=C2=A0 =C2=A0 =C2=A0 Can the user set a password/PIN to encrypt other wal=
let metadata, such as address books and transaction notes?<br></blockquote>=
<div><br></div><div><div>No -- any wallet.dat file can be opened and the me=
tadata inspected without the password.<br></div>=C2=A0<br></div><blockquote=
 class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px so=
lid rgb(204,204,204);padding-left:1ex">
d.=C2=A0 =C2=A0 =C2=A0 Does the application use a single password/PIN to co=
ver all protected data, or does it allow the use of multiple passwords/PINs=
?<br></blockquote><div><br></div><div>A single password for the wallet file=
.<br>=C2=A0<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Custodianship<br>
<br>
17.=C2=A0 =C2=A0 =C2=A0Do you as a wallet provider ever have access to unen=
crypted copies of the user=E2=80=99s private keys, public keys, or any othe=
r wallet metadata which may be used to associate a user with their transact=
ions or balances?<br></blockquote><div><br></div><div>No custodianship.<br>=
=C2=A0<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0=
px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
=C2=A0 =C2=A0 =C2=A0=C2=A0 Telemetry Data<br>
<br>
18.=C2=A0 =C2=A0 =C2=A0If your application reports telemetry data, such as =
usage information or automatic crash reporting, does the user have the oppo=
rtunity to review and approve all information transmitted before it is sent=
?<br></blockquote><div><br></div><div>No obvious telemetry data being sent.=
<br>=C2=A0<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0=
px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Source Code and Building<br>
<br>
19.=C2=A0 =C2=A0 =C2=A0Can a user of your application compile the applicati=
on themselves in a manner that produces a binary version identical to the v=
ersion you distribute (deterministic build system)?<br></blockquote><div><b=
r></div><div>Yes, I think that&#39;s the point of the gitian stuff.<br>=C2=
=A0<br></div>-Kristov<br></div></div></div>

--089e0149ce38d65ff1051e8c8d1e--