[Documentation Request] - Please go into more detail on TOR usage

[billyjeen22]

The front page at www.sparrowwallet.com lists "Built in Tor" as a feature, but then TOR is only sparingly mentioned in the rest of the documentation, and only when configuring a private electrum server with a .onion address. But then searching through github issues, I see that other connections like connections to mempool and coingecko are sent out over TOR. It would be nice to get a clear statement about when the "Built in TOR" is used, and what "Built in TOR" means.

I'm switching from Wasabi Wallet, which has its own "built in tor" client, making all of its connections over the TOR network by default, without any additional configuration.

The questions I'd like to see answered are:

• Is there an actual built in TOR proxy server/client? Or does "Built in Tor" just mean "Support for a user specified TOR proxy"?
• Do I need to specify a .onion electrum server for TOR to be used?
• When using a public server from the built in drop down list, if I do not specify a proxy server, will "Built in TOR" automatically be used for all of my connections? Including to my chosen public electrum server, mempool, coingecko, DNS, or any other server accessed by the sparrow wallet?
• If I specify a non-TOR generic SOCKS proxy (like for my VPN provider), will the "built in TOR" establish a tunnel over that connection? Or is TOR disabled at that point? Or does the software make the assumption that any proxy server entered IS a tor proxy, and therefore capable of resolving .onion addresses without launching the built in TOR proxy? Thanks.

PS. I understand this isn't a support forum, and while I'd love to get an answer here and now, most importantly I think it would be helpful to other users going forward if TOR usage was more clear in documentation.

[craigraw]

This is covered in the documentation as an FAQ: https://sparrowwallet.com/docs/faq.html#how-does-the-proxy-support-work.

Sparrow does not make the use of Tor mandatory, since the Tor network can be unreliable, and IMO it is unwise to unconditionally tie access to your funds to an unreliable network, however beneficial it is to your privacy.

To answer your questions:

Is there an actual built in TOR proxy server/client?

Yes.

Do I need to specify a .onion electrum server for TOR to be used?

Yes, if you don't configure an external Tor proxy.

When using a public server from the built in drop down list, if I do not specify a proxy server, will "Built in TOR" automatically be used for all of my connections?

No. If you want this behaviour, configure an external Tor proxy.

If I specify a non-TOR generic SOCKS proxy (like for my VPN provider), will the "built in TOR" establish a tunnel over that connection? Or is TOR disabled at that point?

The internal Tor is disabled. Most VPN configuration these days is not done via a proxy.

The TLDR of all this is that users who have more stringent security and privacy requirements should run an external Tor proxy and configure it in Sparrow. Ideally, a Tor proxy should be a long lived process for better connectivity, while a Bitcoin wallet should only be run as necessary for better security.

[billyjeen22]

Thanks for the answers - I do still believe the documentation needs to be more clear. I think as existing users (or, ya know.. the developer of the software...) you're taking for granted that people understand how it works. I asked a friend to look at that same FAQ entry you linked, which I had read half a dozen times, and we both thought it was clear as mud. Helping people understand how their client connects to the internet is something useful for a privacy focused tool.

Anyway, the answer is here, in public, which is helpful, and I appreciate the answer so quickly. But here is my proposal for adding to the FAQ: Does sparrow initiate all connections over TOR by default? No. Sparrow wallet will use its built in TOR client if you are connecting to an electrum server with a .onion link. (in that case it will also connect to mempool and coingecko over TOR as well?) Otherwise, if you want all non-onion connections to go out over TOR, you will need to specify a TOR proxy in the proxy configuration settings.

[craigraw]

I've added another FAQ here, which should clarify this: https://sparrowwallet.com/docs/faq.html#does-sparrow-require-tor

[voidastro4]

I believe the proxy implementation may be deeply flawed. When only the tor socks5 proxy is available sparrow fails:

Test Connection:

Could not connect:

Failed to resolve address: ****************

So it appears DNS doesn't just leak but is never torified.

socks5 has address resolution as part of the protocol...

Furthermore, it's not explained weather or not sparrow uses tor features properly.

Is tor circuit isolation via different socks5 auth used? ie. every wallet uses different auth. there is no checkmark to specify whether or not the given proxy is tor so probably not. failure to do this connects multiple wallets to single user via the server they connect to.

[craigraw]

@voidastro4 Electrum server connections are (required to be) long-lived TCP connections. For the purpose of limiting resource usage on public servers, Sparrow does not open a new connection for every wallet. As noted in the documentation, I recommend running your own server for better privacy. Sparrow offers several options to achieve this.