Date: Tue, 31 Dec 2013 13:59:47 +0000
From: Mike Hearn <mike@plan99.net>
To: Gregory Maxwell <gmaxwell@gmail.com>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Dedicated server for bitcoin.org,
	your thoughts?


Given that hardly anyone checks the signatures, it's fair to say downloads
aren't protected by anything at the moment. SSL for downloads can only
raise the bar, never lower it, and if the NSA want to kick off the process
of revoking some of the big CAs then I'm game (assuming anyone detects it
of course) :)

Anyway, nobody is dragging feet, the problem is right now we get what is
effectively a huge free subsidy from GitHub and SourceForge for site
hosting. The cost is no SSL. So getting SSL would require that "we" pay for
it ourselves, but the primary method we have for funding public
goods/infrastructure (the Foundation) is the subject of various
conspiracy theories. Jeremy has made a generous offer further up the
thread, the issue being I guess none of us know how much traffic we
actually get :( I remember suggesting that we whack Google Analytics or
some other statistics package on when the new website design was done and
that was rejected for similar reasons ("organisations are bad").

So we are in a position where we get a subsidy of large but unknown size
from various existing US corporations, but moving to different ones is
controversial, hence no progress :)



On Tue, Dec 31, 2013 at 1:48 PM, Gregory Maxwell <gmaxwell@gmail.com> wrote:

> On Tue, Dec 31, 2013 at 5:39 AM, Drak <drak@zikula.org> wrote:
> > The NSA has the ability, right now to change every download of bitcoin-qt,
> > on the fly and the only cure is encryption.
>
> Please cut it out with the snake oil peddling. This is really over the
> top. You're invoking the NSA as the threat here? Okay. The NSA can
> trivially compromise an HTTPS download site: even ignoring the CA
> insecurity, and government run CAs certificate authorities issue CA
> certs to random governments and corporations for dataloss prevention
> purposes. Not to mention unparalleled access to exploits.
>
> The downloads are protected by something far stronger than SSL
> already, which might even have a chance against the NSA. Actual
> signatures of the downloads with offline keys.
>
> I'm all pro-SSL and all that, but you are— piece by piece— really
> convincing me that it produces an entirely false sense of security
> which is entirely unjustified.

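Added example, not part of the original message or of the project's tooling: it works through the point argued in this thread, that a checksum fetched from the same server as the download only vouches for that server, while a signature made with an offline key vouches for the file itself. Toy textbook RSA stands in for a real signature scheme, and the key, file name and file contents are constructed for the demonstration.

```python
import hashlib

# Toy textbook RSA (no padding) standing in for a real signature scheme.
# Constructed demo key built from two Mersenne primes; far too small for real use.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: lives only on the offline machine


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign_offline(manifest: bytes) -> int:
    """Run by the release signer on the offline machine."""
    return pow(_digest(manifest), D, N)


def make_manifest(name: str, blob: bytes) -> bytes:
    """One 'sha256  filename' line, as in a checksum file."""
    return f"{hashlib.sha256(blob).hexdigest()}  {name}\n".encode()


def verify_download(name: str, blob: bytes, manifest: bytes, sig: int):
    """Return (checksum_ok, signature_ok) using only the public key (N, E)."""
    checksum_ok = make_manifest(name, blob) == manifest
    signature_ok = pow(sig, E, N) == _digest(manifest)
    return checksum_ok, signature_ok


def scenario(server_compromised: bool):
    name = "bitcoin-qt.tar.gz"                # constructed file name
    release = b"constructed release bytes"    # constructed sample data
    manifest = make_manifest(name, release)
    sig = sign_offline(manifest)              # done once, offline
    if server_compromised:
        # Whoever controls the server (or the TLS session) can swap the file
        # and recompute the checksum, but has no access to D.
        release = b"constructed modified bytes"
        manifest = make_manifest(name, release)
    return verify_download(name, release, manifest, sig)


if __name__ == "__main__":
    print("honest server     :", scenario(False))
    print("compromised server:", scenario(True))
```

The checksum comparison passes in both scenarios; only the signature check separates them, and only for a user who actually runs it.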