The case for removing IP transactions

Sending transactions to IP addresses should be removed or at least disabled by default.

As has been stated by many members of the community, it is in no way secure. I also believe that it may actually allow an attacker to determine the identify of an operator of a bitcoin node. Example, I send 0.01 BTC to various IPs on the network and record the IP and bitcoin address (a bitcoin address is autogenerated). If I run or have access to the information at one of the Bitcoin exchanges (or run a store/service that accepts bitcoins) I can then tie that IP address to the user of that site/service. In the case of an exchange I could tie that IP to a person's PayPal or bank account!

Another possible attack is to connect to a target node and initiate an IP transaction. The target will generate a new address, at which point you disconnect and start again. This might be useful as a denial of service attack.

It's not the sending that should be disabled by default, but the receiving, I think.

If the receiving end refuses to accept IP transactions, unless explicitly enabled, all the problems go away.

Right?

Sorry, I guess I wasn't very clear in the original post. I would like for receiving of transactions by IP to be disabled by default.

I've created a patch that disables receiving of IP transactions by default. They can be enabled with the "-allowiptransactions" option or "allowiptransactions=true" in the bitcoin.conf file.

Here's the patch:
http://github.com/aceat64/bitcoin-patchwork/blob/svn/patches/disable_ip_transactions.patch

I've already incorporated the patch into my custom client: http://github.com/aceat64/bitcoin-patchwork

Probably best to disable receiving by IP unless you specifically intend to use it.  This is a lot of surface area that nobody uses that doesn't need to be open by default.

In storefront cases, you would typically only want customers to send payments through your automated system that only hands out bitcoin addresses associated with particular orders and accounts.  Random unidentified payments volunteered to the server's IP address would be unhelpful.

In general, sending by IP has limited useful cases.  If connecting directly without a proxy, the man-in-the-middle risk may be tolerable, but no privacy.  If you use a privacy proxy, man-in-the-middle risk is unacceptably high.  If we went to all the work of implementing SSL, only large storefronts usually go to the trouble of getting a CA cert, but most of those cases would still be better off to use bitcoin addresses.

I uploaded this change to SVN rev 156.  The switch to enable is "-allowreceivebyip".

Senders with this version will get the error "Recipient is not accepting transactions sent by IP address".  Older version senders will get "Transfer was not accepted".

I used a different name for the switch because "-allowiptransactions" sounds like it includes sending.  If there's a better name for the switch, we can change it again.