0

I understand that between the people who run Bitcoin nodes, and therefore the Bitcoin protocol, the system is trust-less and secure.

However, there seems to be a weak link - the official list of bitcoin nodes.

Whoever maintains the official list however, can theoretically conspire to ensure that 51% of the nodes are under its control and can perform nefarious operations such as double spending and/or changing transactions.

How is this issue handled?

CodyBugstein
  • 103
  • 3
  • Can you clarify what you mean by "official list of Bitcoin nodes"? Are you talking about the hardcoded list of [DNS seeds](https://bitcoin.org/en/glossary/dns-seed)? Changing this list would at best ensure that people *who used that list* would only see nodes under the attacker's control, at least temporarily. It wouldn't help you control 51% of all the real mining capacity on the network. – Nate Eldredge Jan 22 '18 at 01:04
  • In other words, they can mount a [Sibyl attack](https://en.bitcoin.it/wiki/Weaknesses#Sybil_attack) but not a [51% attack](https://en.bitcoin.it/wiki/Majority_attack). – Nate Eldredge Jan 22 '18 at 01:09
  • Yes the DNS seed. If you control the DNS seed, you control the nodes that all new transactions are sent to, and you control the "official record" of the blockchain (since you can tell your nodes what version of the blockchain to return). I'm not talking about mining necessarily – CodyBugstein Jan 22 '18 at 01:26
  • 1
    on DNS seeds: you get a proposal of DNS that comes with the software, and during working time, the DNS connections change (based on accesibility, speed, and probably more). So the DNS seeds are only for starting your node. DNS itself is a service by "the internet", and whoever there controls the tables, can manipulate data routing. There is discussion around DNSSEC, but it doesn't come into real usage, so obviously majority of people trust DNS in the internet. For sure there is no security issue in bitcoin core, due to using DNS servers. The security issue would be below bitcoin core app... – pebwindkraft Jan 22 '18 at 10:43

1 Answers1

2

First of all, there isn't really an "official" list of DNS seeds. You're probably thinking of the list used by Bitcoin Core. But other clients are free to choose a different list, or to discover peers in an entirely different way. Users of Bitcoin Core are also free to reconfigure their software to use a different list. So this list is merely the default for one particular client.

This list is chosen by the Bitcoin Core developers, just like everything else in the Bitcoin Core source code. You can read here about the criteria they (claim to) use when selecting nodes for this list.

It's true that if the Bitcoin Core developers decided to be evil, they could modify this list to only have DNS seeds that will only return addresses for malicious nodes controlled by them. That would allow them to mount a Sibyl attack on any user of Bitcoin Core.

But if you think about it, if the Bitcoin Core developers decided to be evil, they could do things that were much worse, much more easily. They could just put in some code that would immediately send all coins in the wallet straight to them, as soon as the software is run. Why bother messing around with DNS seeds and all that?

And if you think some more, this same sort of risk exists with every piece of software you ever use: you are trusting that the software doesn't contain something evil.

So what's our protection against this? Bitcoin Core is open source. You, and everyone else, can see all the changes that have been made up till now, and you can judge for yourself whether any of those changes have been evil. You, and everyone else, can test the DNS seeds provided in the list, and see whether they appear to be returning well-behaved nodes. If they didn't, there's a good chance that you'd find warnings about it elsewhere on the Internet, just like you probably would if the Bitcoin Core developers had made any other evil change.

If all the currently listed DNS seed operators suddenly decide to conspire to be evil, the situation is similar: people will probably notice rather fast, and you'll hear about it. But the Bitcoin Core developers choose seeds that, as far as they can tell, are operated by independent people who seem to be individually honest and have no particular reason to conspire.

If, on the other hand, an individual DNS seed operator decided to turn evil, without the cooperation of the Bitcoin Core developers, the risks are much lower. As long as at least honest seed remains, you'll likely connect to some honest nodes in addition to the dishonest ones. And if you successfully connect to at least one honest node, a Sibyl attack doesn't work: the honest node will send you the proper blockchain, and you'll know from its higher difficulty that it is the right one and the others are fake.

In general, you want to be careful throwing around terms like "trustless and secure". These terms are never absolutes. You always have to trust somebody for something, and there are always ways for security to be violated. The best you can do is to try to understand exactly who you are trusting, what you are trusting them to do, and what evidence you can use to decide whether they are worthy of that trust.

Nate Eldredge
  • 22,970
  • 3
  • 39
  • 80