Received: from sog-mx-1.v43.ch3.sourceforge.com ([172.29.43.191] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1UCF7B-0003Nw-CJ for bitcoin-development@lists.sourceforge.net; Sun, 03 Mar 2013 20:02:33 +0000 Received-SPF: pass (sog-mx-1.v43.ch3.sourceforge.com: domain of gmail.com designates 209.85.217.176 as permitted sender) client-ip=209.85.217.176; envelope-from=gmaxwell@gmail.com; helo=mail-lb0-f176.google.com; Received: from mail-lb0-f176.google.com ([209.85.217.176]) by sog-mx-1.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1UCF79-0000Ic-K7 for bitcoin-development@lists.sourceforge.net; Sun, 03 Mar 2013 20:02:33 +0000 Received: by mail-lb0-f176.google.com with SMTP id s4so3385994lbc.7 for ; Sun, 03 Mar 2013 12:02:25 -0800 (PST) MIME-Version: 1.0 X-Received: by 10.112.37.194 with SMTP id a2mr3554363lbk.40.1362340944995; Sun, 03 Mar 2013 12:02:24 -0800 (PST) Received: by 10.112.96.164 with HTTP; Sun, 3 Mar 2013 12:02:24 -0800 (PST) In-Reply-To: <20130303185446.GU68379@giles.gnomon.org.uk> References: <5132558A.8040304@recessionstories.net> <20130303185446.GU68379@giles.gnomon.org.uk> Date: Sun, 3 Mar 2013 12:02:24 -0800 Message-ID: From: Gregory Maxwell To: Roy Badami Content-Type: text/plain; charset=UTF-8 X-Spam-Score: -1.6 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (gmaxwell[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1UCF79-0000Ic-K7 Cc: g@gnomon.org.uk, bitcoin list Subject: Re: [Bitcoin-development] Secure download X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Mar 2013 20:02:33 -0000 On Sun, Mar 3, 2013 at 10:54 AM, Roy Badami wrote: > Would be nice to have a secure page at bitcoin.org, though, rathar > than having to go to github - certs from somewhere like Namecheap > should cost you next to nothing. For those of us too lazy (not > paranoid enough) to bother with GPG, a (secure) page on bitoin.org > with the MD5 hashes of the binaries would be awesome... While I think that it's silly that we don't have a HTTPS (only!) page, it should be noted that an HTTPS page is in no way a replacement for GPG, sadly: Anyone who can MITM the server to the whole internet can trivially obtain a fraudulent cert with only moderate cost and time. (The reason for this is that (many? most? all?) CAs verify authority by having you place a file at some HTTP path on the domain in question. Effectively the current CA model only prevents those from intercepting who cannot intercept the traffic generally. Basically only helps with the evil hotspot/tor_exit problem.)