Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: casascius on February 23, 2011, 07:34:49 AM



Title: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: casascius on February 23, 2011, 07:34:49 AM
Today, I was corresponding with the operator of a fairly well known web site of a US nonprofit org; I wrote suggesting the idea that accepting Bitcoin may be a good avenue for donation income.  This web site in particular deals with a political controversy and is one where people would have a reason to donate anonymously and where accepting Bitcoin would likely be fruitful for them.

One thing he said to me, which I think has a lot of merit, is this:

"I am surprised that there's no answer or question for "how to sell bitcoins" on their FAQ."

I think how to withdraw BTC into fiat currency certainly counts as a legitimate frequently asked question, especially for real-world organizations that, perhaps unlike many of us, aren't planning on holding on to BTC long term.  Perhaps it should be updated.  This is a very legitimate first question to ask.

Second, I was asked about why the charts at bitcoincharts.com look all over the place.  One sore thumb that should really be cleaned up is there is one chart whose last update says January 22 and whose graph says "No Data".  This should really be removed.  Given that it has a very stale quote (but the staleness isn't in the same obvious font size as the stale data itself), it leads one to question and be confused as to why there should be two so drastically different USD values for Bitcoin.  This, too, is a legitimate "first question" for a newcomer: what is a bitcoin worth to me in $$$?

Third, I notice myself that the front page of Bitcoin.org reports the total block count as 97000.  This too, is pretty stale.  This wouldn't be so bad, other than the software doesn't give any useful indication that it is non-functional until the entire block chain is downloaded, and a new user isn't going to know how many blocks to expect, especially if it is taking half an hour or more to download.  Non-geeks are likely to find this very frustrating and counter-intuitive.

Fourth, can I yell this out loud?  THE SELF SIGNED SSL CERT ON BITCOIN.ORG is embarrassing (my own observation).  Can someone please do a damn thing about it?  I would, if I could.  I am sure many of us would pitch in BTC if it cost money if a free solution like startssl was considered unacceptable.  It is a huge irony that a crypto-based project that asks people to monetarily exercise faith in cryptography can't even get SSL configured right on its home page.  Surely this might make some feel as uncomfortable as going under the knife for surgery from a surgeon who misspells "surgeon" on his own business card - and rightfully so.  Can we really finally just fix this?



Title: Re: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: ribuck on February 23, 2011, 09:02:51 AM
It is a huge irony that a crypto-based project that asks people to monetarily exercise faith in cryptography can't even get SSL configured right on its home page.

A self-signed certificate is not wrongly configured.

But mainstream browsers do react in a way that tends to cause panic amongst mainstream users. If the browser just said "This certificate is self-signed. Your session is encrypted, but the certificate doesn't vouch for the identity of the website" that would be fine.

Unfortunately, browsers don't work like that, so it probably is worth buying a commercial cert. I'm happy to contribute to the cost.


Title: Re: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: casascius on February 23, 2011, 01:58:11 PM

Unfortunately, browsers don't work like that, so it probably is worth buying a commercial cert. I'm happy to contribute to the cost.

A StartSSL free certificate appears to be good enough for the wiki at https://www.bitcoin.it, so how about for bitcoin.org?


Title: Re: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: dust on February 23, 2011, 07:46:52 PM
An easy fix would be to redirect bitcoin.org to the wiki.


Title: Re: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: Binford 6100 on February 26, 2011, 03:44:03 AM
THE SELF SIGNED SSL CERT ON BITCOIN.ORG is embarrassing (my own observation).
...
It is a huge irony that a crypto-based project that asks people to monetarily exercise faith in cryptography can't even get SSL configured right on its home page.

problem ^^

A StartSSL free certificate

solution ^^


Title: Re: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: Vasiliev on February 26, 2011, 06:21:20 AM
A self-signed certificate is not wrongly configured.

But mainstream browsers do react in a way that tends to cause panic amongst mainstream users. If the browser just said "This certificate is self-signed. Your session is encrypted, but the certificate doesn't vouch for the identity of the website" that would be fine.
The most commonly encountered HTTPS sites encountered by an average user will be login pages/financial websites. A self-signed certificate is what appears if somebody is running a MITM attack. MITM attacks will commonly be encountered on public networks. Treating it as a security issue is correct. If it just gave a small note that the identity is not confirmed, 95+% of users would ignore that, click through, and get their credentials stolen.
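
The point debated in the posts above, shown as an added example that is not part of any post in this thread: two self-signed certificates for the same hostname are indistinguishable by name and both fail default validation, so only a fingerprint or pin obtained out of band tells them apart. It assumes the `openssl` command-line tool is installed; `site.example` and the file names are constructed placeholders.

```shell
#!/bin/sh
# Added example. Everything here is constructed: site.example is a placeholder
# hostname and both certificates are generated locally (requires openssl).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=site.example

# Create a throwaway self-signed certificate for $HOST; $1 = file basename.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# True when subject and issuer names are identical (the certificate names
# itself as its own issuer, so no third party vouches for it).
is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when $1 chains to a trust anchor: the file $2 if given, otherwise
# the system's default CA store.
verifies() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    printf '%s\n' "$out" | grep -q ': OK$'
}

# SHA-256 fingerprint, the value a user would have to compare out of band.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

make_self_signed genuine     # stands in for the site's own certificate
make_self_signed lookalike   # a second certificate claiming the same name

for c in genuine lookalike; do
    if is_self_issued "$WORK/$c.pem"; then kind=self-issued; else kind=CA-issued; fi
    if verifies "$WORK/$c.pem"; then trust=trusted; else trust=untrusted; fi
    echo "$c: $kind, $trust by default store, fp $(fingerprint "$WORK/$c.pem")"
done
# Pinning the genuine certificate accepts it and rejects the lookalike.
if verifies "$WORK/lookalike.pem" "$WORK/genuine.pem"; then echo "lookalike accepted"; else echo "lookalike rejected by pin"; fi
```
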


Title: Re: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: casascius on February 26, 2011, 06:38:41 AM
So, who do we need to annoy in order for this to be considered important?


Title: Re: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: theymos on February 26, 2011, 06:53:09 AM
How is anyone accidentally ending up on the HTTPS version, anyway? It's not the default.

Satoshi is the only one capable of getting a CA-signed cert, and he's unavailable.


Title: Re: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: Stephen Gornick on February 26, 2011, 10:19:42 AM
One thing he said to me, which I think has a lot of merit, is this:

"I am surprised that there's no answer or question for "how to sell bitcoins" on their FAQ."

Fantastic suggestion.  The Wiki now features:
  http://en.bitcoin.it/wiki/Selling_bitcoins


Title: Re: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: Anonymous on February 26, 2011, 02:19:05 PM
So, who do we need to annoy in order for this to be considered important?

Satoshi.


Title: Re: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: MacRohard on February 26, 2011, 04:44:13 PM
How is anyone accidentally ending up on the HTTPS version, anyway? It's not the default.

Satoshi is the only one capable of getting a CA-signed cert, and he's unavailable.

This isn't true. Whoever runs the VM on 174.143.149.98 (bitcoin.org) can set up SMTP in order to receive a verification email to admin@www.bitcoin.org (could also be administrator@www.bitcoin.org, root@www.bitcoin.org, postmaster@www.bitcoin.org, hostmaster@www.bitcoin.org, webmaster@www.bitcoin.org). That will satisfy the verification requirements.

If someone wants to do that I'm happy to purchase the cert and make sure that the verification email is sent to the right place.


Title: Re: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: theymos on February 26, 2011, 05:05:59 PM
Whoever runs the VM on 174.143.149.98 (bitcoin.org) can set up SMTP in order to receive a verification email to admin@www.bitcoin.org (could also be administrator@www.bitcoin.org, root@www.bitcoin.org, postmaster@www.bitcoin.org, hostmaster@www.bitcoin.org, webmaster@www.bitcoin.org). That will satisfy the verification requirements.

True. I guess Sirius can do it, then, if he can run SMTP on his server.


Title: Re: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: MacRohard on February 26, 2011, 05:55:59 PM
Whoever runs the VM on 174.143.149.98 (bitcoin.org) can set up SMTP in order to receive a verification email to admin@www.bitcoin.org (could also be administrator@www.bitcoin.org, root@www.bitcoin.org, postmaster@www.bitcoin.org, hostmaster@www.bitcoin.org, webmaster@www.bitcoin.org). That will satisfy the verification requirements.

True. I guess Sirius can do it, then, if he can run SMTP on his server.

A simple option might be to port forward port 25 to another mailserver.

ssh -L0.0.0.0:25:smtp.somewhere.com:25 user@localhost

Saves setting up SMTP on the VM just to receive one email.


Title: Re: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: casascius on February 27, 2011, 03:50:09 AM
How is anyone accidentally ending up on the HTTPS version, anyway? It's not the default.

Satoshi is the only one capable of getting a CA-signed cert, and he's unavailable.

A lot of people use HTTPS for everything they can.  The EFF promotes it as a best practice, even up to the point of offering a Firefox extension that forces the browser to persistently use HTTPS everywhere it is possible. http://www.eff.org/https-everywhere

One thing pushing this trend is the recent publicity of rogue utilities such as Firesheep, which sniff networks for session cookies to websites and allow the sessions to be hijacked.  Open wi-fi networks are especially vulnerable.  Using HTTPS foils the attack, but must be done for the entire session for it to help.

An SSL cert from StartSSL can be had simply by proving an ability to receive e-mail at an administrative address at the domain; obtaining the cert is a 100% automated process.


Title: Re: The Bitcoin FAQ: withdrawals, block count, SSL
Post by: casascius on February 27, 2011, 03:52:07 AM
I hereby pledge 25 BTC toward the site's SSL certificate, if a paid certificate is deemed necessary.

Once the certificate is installed, if someone can, um, hint to me who should receive it, I will gladly oblige.