Gregory Maxwell [ARCHIVE] on Nostr
📅 Original date posted: 2013-03-03
📝 Original message:
On Sun, Mar 3, 2013 at 10:54 AM, Roy Badami <roy at gnomon.org.uk> wrote:
> Would be nice to have a secure page at bitcoin.org, though, rather
> than having to go to github - certs from somewhere like Namecheap
> should cost you next to nothing. For those of us too lazy (not
> paranoid enough) to bother with GPG, a (secure) page on bitcoin.org
> with the MD5 hashes of the binaries would be awesome...

While I think that it's silly that we don't have an HTTPS (only!) page,
it should be noted that an HTTPS page is in no way a replacement for
GPG, sadly: Anyone who can MITM the server to the whole internet can
trivially obtain a fraudulent cert with only moderate cost and time.

(The reason for this is that (many? most? all?) CAs verify authority
by having you place a file at some HTTP path on the domain in
question. Effectively the current CA model only prevents those from
intercepting who cannot intercept the traffic generally. Basically
only helps with the evil hotspot/tor_exit problem.)

Published at 2023-06-07 11:34:05