Received: from sog-mx-4.v43.ch3.sourceforge.com ([172.29.43.194] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1VpbAd-0008GE-Cn for bitcoin-development@lists.sourceforge.net; Sun, 08 Dec 2013 10:01:03 +0000 Received-SPF: pass (sog-mx-4.v43.ch3.sourceforge.com: domain of zikula.org designates 74.125.82.182 as permitted sender) client-ip=74.125.82.182; envelope-from=drak@zikula.org; helo=mail-we0-f182.google.com; Received: from mail-we0-f182.google.com ([74.125.82.182]) by sog-mx-4.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) (Exim 4.76) id 1VpbAb-0008Gu-SW for bitcoin-development@lists.sourceforge.net; Sun, 08 Dec 2013 10:01:03 +0000 Received: by mail-we0-f182.google.com with SMTP id q59so2327241wes.27 for ; Sun, 08 Dec 2013 02:00:55 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=Oj0jx3ReTJMnxE6px4HdPNJALXGiznZWr5tKs9jah9A=; b=TXzZAKfCTFfog2X/Zm+bnPnKLPSedcwu819VqBSuXA0vbMplnQC0kZXXHPk5fOqeTK 4JqZC+qbDn+logozwVSPJd8wmSJ6FRtRpAVFAuTAggMaQ8VYPjHMsIabbIkGilX6/PUr BIoQqB8KvSr6xCBIaynDPR4Lty1mEMPCXy3TRTEoi6KNjSPWr20czPOo0RZRbSgw6Dem SIPe3FHr0U+TKVPFWiGCjzoma1ns1pT4i1Ml/fKxE4coquJQBundh/iOTOj3w80VgqHt XtE17Is3q3XYjgE6OdarFD2PJBJWqzREP+ML8v+2p7WB8V4R0aEOEX/aVFCxI8znJZBh gCxg== X-Gm-Message-State: ALoCoQksKNyaI+/zvYyk6JP+Ea5rvBOBA0H3B/nrJPot1Ainqrs5stXHnhcQxfbLL8Dm3DG/YkIK X-Received: by 10.180.9.74 with SMTP id x10mr9516756wia.56.1386496855533; Sun, 08 Dec 2013 02:00:55 -0800 (PST) MIME-Version: 1.0 Received: by 10.194.93.105 with HTTP; Sun, 8 Dec 2013 02:00:35 -0800 (PST) In-Reply-To: <1795f3067ba3fcdd0caf978cc59ff024.squirrel@fruiteater.riseup.net> References: <52A3C8A5.7010606@gmail.com> <1795f3067ba3fcdd0caf978cc59ff024.squirrel@fruiteater.riseup.net> From: Drak Date: Sun, 8 Dec 2013 10:00:35 +0000 Message-ID: To: Odinn Cyberguerrilla Content-Type: multipart/alternative; boundary=001a11c245fa8e815104ed02f46e X-Spam-Score: -0.5 (/) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: cyberguerrilla.org] -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record 1.0 HTML_MESSAGE BODY: HTML included in message X-Headers-End: 1VpbAb-0008Gu-SW Cc: Bitcoin Dev Subject: Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts? X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Dec 2013 10:01:03 -0000 --001a11c245fa8e815104ed02f46e Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable There is really no excuse for not using an SSL certificate. Without one it would be trivial for an attacker to change the contents of the page via MITM. Recent studies have shown MASSIVE abuse of the BGP routing protocol being used to redirect websites through a third party. This is not a theoretical attack, it's happening every single day on a global scale and could be used to divert users to a rogue versions of software. It's just a matter of time... it will happen sooner or later given the incentives it could bring... Recent references: http://www.theregister.co.uk/2013/11/22/net_traffic_redirection_attacks/ http://www.wired.com/threatlevel/2013/12/bgp-hijacking-belarus-iceland/ The only way to mitigate these MITMs is to use SSL. Also it's about time we hosted the Bitcoin Qt software at Github. They have a releases feature where you can upload a packaged release (see https://github.com/blog/1547-release-your-software). There are also no adverts (another privacy leak at the least) and many feel are more trustworthy than Sourceforge: it also makes sense to have the downloads where the source is developed. Regards, Drak On 8 December 2013 03:38, Odinn Cyberguerrilla < odinn.cyberguerrilla@riseup.net> wrote: > Hello, re. the dedicated server for bitcoin.org idea, I have a few > thoughts > > 1) I have commented in a blogpost of August 2013 at > https://odinn.cyberguerrilla.org/ with some thoughts relative to possible > issues with CA related to bitcoin.org - where I mentioned something > relative to the DigiCert certificate, > "DigiCert =E2=80=9Cmay revoke a Certificate, without notice, for the reas= ons > stated in the CPS, including if DigiCert reasonably believes that=E2=80= =9D (=E2=80=A6) > =E2=80=9CApplicant is added to a government list of prohibited persons or= entities > or is operating from a prohibited destination under the laws of the Unite= d > States=E2=80=9D (=E2=80=A6) =E2=80=9Cthe Private Key associated with a Ce= rtificate was disclosed > or Compromised=E2=80=9D" > In the same post I mentioned > "Bitcoin.org has no certificate, no encryption =E2=80=94 a situation whic= h has its > own obvious problems. Bitcoin.org currently sends users to download the > bitcoin-qt client from sourceforge. Sourceforge is encrypted and has a > certificate based on GeoTrust: > https://www.geotrust.com/resources/repository/legal/" > > (Currently (Dec. 7, 2013) bitcoin.org shows as 'not verified' and 'not > encrypted' examining it in a cursory fashion w/ Chrome) > > Not sure how this would work, but it would be nice to see the content at > bitcoin.org encrypted, of course, but also further decentralized? how man= y > mirrors are there of bitcoin.org - not sure, but a few things that come t= o > mind when thinking of this are Tahoe-LAFS and also .bit stuff (namecoin). > There are many ways to decentralize something but that is just something > that comes to mind. > > This has been discussed at https://bitcointalk.org/index.php?topic=3D1631= 2.0 > ('Is Bitcoin.org a weakness of bitcoin?) in the past and see also this > https://bitcointalk.org/index.php?topic=3D119652.0 which discusses mirror= ing > of certain content > > Some things to think about. > > > I would like to know what are your thoughts on moving bitcoin.org on a > > dedicated server with a SSL certificate? > > > > I am considering the idea more seriously, but I'd like some feedback > > before taking steps. > > > > Sa=C3=AFvann > > > > > -------------------------------------------------------------------------= ----- > > Sponsored by Intel(R) XDK > > Develop, test and display web and hybrid apps with a single code base. > > Download it for free now! > > > http://pubads.g.doubleclick.net/gampad/clk?id=3D111408631&iu=3D/4140/ostg= .clktrk > > _______________________________________________ > > Bitcoin-development mailing list > > Bitcoin-development@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > > > > > > > -------------------------------------------------------------------------= ----- > Sponsored by Intel(R) XDK > Develop, test and display web and hybrid apps with a single code base. > Download it for free now! > > http://pubads.g.doubleclick.net/gampad/clk?id=3D111408631&iu=3D/4140/ostg= .clktrk > _______________________________________________ > Bitcoin-development mailing list > Bitcoin-development@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/bitcoin-development > --001a11c245fa8e815104ed02f46e Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
There is really no excuse for not using an SSL certificate= . Without one it would be trivial for an attacker to change the contents of= the page via MITM.
Recent studies have shown MASSIVE abuse of the BGP = routing protocol being used to redirect websites through a third party.
This is not a theoretical attack, it's happening every single day = on a global scale and could be used to divert users to a rogue versions of = software.
It's just a matter of time... it will happen sooner= or later given the incentives it could bring...

Recent references:

The only way to mitigate these MITMs= is to use SSL.

Also it's about time we hosted the Bitcoin Qt softw= are at Github. They have a releases feature where you can upload a packaged= release (see=C2=A0https://github.com/blog/1547-release-your-software). There are a= lso no adverts (another privacy leak at the least) and many feel are more t= rustworthy than Sourceforge: it also makes sense to have the downloads wher= e the source is developed.

Regards,

Drak



On = 8 December 2013 03:38, Odinn Cyberguerrilla <odinn.cybergu= errilla@riseup.net> wrote:
Hello, re. the dedicated server for bitcoin.org idea, I have a fe= w thoughts

1) I have commented in a blogpost of August 2013 at
https://odi= nn.cyberguerrilla.org/ with some thoughts relative to possible
issues with CA related to = bitcoin.org - where I mentioned something
relative to the DigiCert certificate,
"DigiCert =E2=80=9Cmay revoke a Certificate, without notice, for the r= easons
stated in the CPS, including if DigiCert reasonably believes that=E2=80=9D = (=E2=80=A6)
=E2=80=9CApplicant is added to a government list of prohibited persons or e= ntities
or is operating from a prohibited destination under the laws of the United<= br> States=E2=80=9D (=E2=80=A6) =E2=80=9Cthe Private Key associated with a Cert= ificate was disclosed
or Compromised=E2=80=9D"
In the same post I mentioned
"Bitcoin.org has no certificate, no encryption =E2=80=94 a situation w= hich has its
own obvious problems. Bitcoin.org currently sends users to download the
bitcoin-qt client from sourceforge. Sourceforge is encrypted and has a
certificate based on GeoTrust:
https://www.geotrust.com/resources/repository/legal/"

(Currently (Dec. 7, 2013) = bitcoin.org shows as 'not verified' and 'not
encrypted' examining it in a cursory fashion w/ Chrome)

Not sure how this would work, but it would be nice to see the content at bitcoin.org encrypted,= of course, but also further decentralized? how many
mirrors are there of bitco= in.org - not sure, but a few things that come to
mind when thinking of this are Tahoe-LAFS and also .bit stuff (namecoin). There are many ways to decentralize something but that is just something that comes to mind.

This has been discussed at https://bitcointalk.org/index.php?topic=3D1= 6312.0
('Is Bitcoin.org a weakness of bitcoin?) in the past and see also this<= br> https://bitcointalk.org/index.php?topic=3D119652.0 which discusse= s mirroring
of certain content

Some things to think about.

> I would like to know what are your thoughts on moving bitcoin.org on a
> dedicated server with a SSL certificate?
>
> I am considering the idea more seriously, but I'd like some feedba= ck
> before taking steps.
>
> Sa=C3=AFvann
>
> ----------------------------------------------------------------------= --------
> Sponsored by Intel(R) XDK
> Develop, test and display web and hybrid apps with a single code base.=
> Download it for free now!
> http://pubads.g.doubleclick.ne= t/gampad/clk?id=3D111408631&iu=3D/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-d= evelopment@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitco= in-development
>



---------------------------------------------------------------------------= ---
Sponsored by Intel(R) XDK
Develop, test and display web and hybrid apps with a single code base.
Download it for free now!
http://pubads.g.doubleclick.net/gam= pad/clk?id=3D111408631&iu=3D/4140/ostg.clktrk
_______________________________________________
Bitcoin-development mailing list
Bitcoin-develo= pment@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-de= velopment

--001a11c245fa8e815104ed02f46e--