walletbeat

Possibly-controversial change: Should servers running in enclaves be treated as privacy-preserving?

Possibly-controversial change: Should servers running in enclaves be treated as privacy-preserving?

https://github.com/walletbeat/walletbeat/commit/294dde48a808c93b1c619171a226ffd40ac908f8

Contributor @ /walletbeat.

Censorship resistance requires privacy.

Context is wallets using Ethereum RPC endpoints such as 1RPC.io, which runs Ethereum nodes inside secure enclaves.

The current implementation is to let such servers be considered privacy-preserving for the purpose of determining:
- Whether they allow a third-party to correlate a user's wallet address with their IP address (other forms of PII still no bueno)
- Whether they allow a third-party to correlate a user's multiple wallet addresses with each other

While non-ideal, as there have been many documented exploits to exfiltrate data out of enclaves, it still feels like it could be a meaningful privacy upgrade for wallet users over the industry standard of basically no metadata privacy at all.

And once solutions to decouple HTTP request payloads from their origin (i.e. mixnets, Oblivious HTTP, etc) are more widespread and usable from browser extension wallets, the criterion can be raised to no longer allow secure enclaves as a stopgap privacy mitigation.

Thoughts?

Assuming:
- The server-side code is source-available
- The server-side code is built reproducibly
- The client actually checks that the server is in an enclave
- The client actually checks that the server runs the code it claims
- The server code doesn't log anything
... Is such a server privacy-preserving?

If requests are verifiable, I'd consider it "stable era private". But to me crypto is about providing chaotic era resilience tech and in that context I'm not ok with the (privacy) trust assumptions of a contemporary commercial TEE.

So, to increase the resolution on this, would you rather, all else being equal:

(a) Use an Ethereum wallet with an RPC endpoint set to go straight to infura/etc, or
(b) Use an Ethereum wallet with an RPC endpoint running in an enclave, with all the properties described in https://warpcast.com/polymutex.eth/0x1157fd6f + TLS terminated in enclave, or
(c) See both (a) and (b) as strictly equivalent from a user privacy standpoint?

(And why?)

I understand this is a false choice and that there are better solutions out there beyond those 3. I'm only suggesting this thought experiment to clarify the rationale and to more carefully describe the properties that (b) does or does not provide, and the assumptions being made about them.

For example, @scbuergel calls it "stable era privacy" as opposed to "chaotic era resilience tech" in https://warpcast.com/scbuergel/0x10736373 which seems like a good spectrum to distinguish the difference in quality of privacy provided by such options vs the better alternatives.

BDFL of Quilibrium, Eng @ Farcaster, ex-Coinbase, always opinionated, never hydrated

/quilibrium

No.

Enclaves should not be considered a black box that makes something private, they get broken all the time