No, Bitcoin is a consensus system. If A, B, C, D, E, F, G are telling you that the chain is invalid because miners have started inflating it— but no one else is taking action because no one else is running a validating node, no one else is bothering to consult with A, B, C, D, E, F, G or believes them— well then, tough luck for you. You can stay on your true Bitcoin all alone with A..G, while almost everyone else ventures off on inflatacoin. There is currently no alarm bell in the system, and currently no way to give an alarm bell compact proof so that it could be acted on automatically. (Though it's possible to change things so that they can be done, and I think doing so should be a necessary precondition for anything with substantial risk of hurting decentralization)

Besides, why should you believe A..G for the security of _all_ your coins? You missed the point I was making that one shot securing single transactions isn't the same as securing everything. Maybe on one transaction you're secured by A..G on another you're secured by E..H, and yet another avoids the cost of arbitrators by being performed in a trust-less way, and meanwhile you have a stash of coins sitting safely without risk of losing their value. The diversity spreads your risks and minimizes chances of total loss.

They don't have to trust me, they can check for themselves or pay multiple other people they marginally trust to check for them. Hm? Selling data and exchanging digital assets aren't uncommon cases. Doing them in more secure ways certainly is, but here you were telling me it was impossible to be trustfree. It will take time for people to adapt to what Bitcoin makes possible (and from the constant stream of theft and betrayal in Bitcoin space making them realize they need to look into alternatives).

Replacing the blockchain has an entirely different risk/reward payoff than inflating the currency. You generally don't see central banks breaking into people's vaults and taking money these days…  And as I mentioned, extensive explicit collusion isn't required. Remove the maximum subsidy check ... advertise that you've done so in the coinbase. Produce bigger blocks when a supermajority indicates they have. SPV clients will happily follow along.

My understanding is that they're not easy to get if you're not a typical institution. It might not be possible for the forum to get one.

Classical currencies are based on trust, and their trust argument is _far_ stronger than what the bitcoin community can offer: regulated instutions, the enforcement of laws backed up by firepower, millions of people who can absorb and correct problems, experts with mile long lists of credentials. Etc. And yet many hold the view that the trusted guardians of the popular currencies are violating this trust and will continue to do so. When you look at the Bitcoin ecosystem— it's hard to find arguments for well placed trust even a fraction as convincing as the trust thats failing in the wider world.

Complete trustlessness probably can't be achieved— with a wide enough definition, e.g. I haven't personally proven all of mathematics to myself or inspected my cpu with a home built electron microscope, but it can be approximated apparently arbitrarily close.

But first, there is a big distinction between trusting in the a world wide currency and trusting in a single trade of some small value.  However trust dependent Bitcoin itself is no set of transactions denominated in BTC can be less trust dependent than the underlying Bitcoin.  If you make ten small trades what is the probability that _all_ ten screw you?  It is something like the probability of an individual failure raised to the tenth power (e.g. probably negligible) plus the probability that Bitcoin screws you— The currency is a single point of failure, encompassing all the money in its economy, so it must be strong if anything is to be strong.

Secondly, this is in fact not the case: In situations where people are buying and selling digital data or services which occur within the context of machine verifiable processes it's sometimes possible to trade with absolutely no risk at all. E.g. CoinSwap can let you trade Bitcoins and foocoins in a cheat proof way (so long as Bitcoin and Foocoin are secure), or e.g. this protocol can allow selling knoweldge in a bidirectionally cheat proof way, in both cases without any third parties at all.

Even when a cheat-proof protocol isn't possible, as is the case for physical goods, you're not stuck with "a" trusted third party. In Bitcoin you can construct blockchain escrows with release rules like "(A and B) or ((A or B) and any-3-of(C, D, E, F, G))".   How likely is a single arbitrator to screw you?  Fine, add more until the potential for dishonesty is negligible, if what you're doing justifies it.  But this only works if the system itself isn't imposing its own trusted parties on you.

These are all why Bitcoin has script to begin with— simply making transactions isn't enough to achieve trustlessness. Powerful transactions are required to achieve Bitcoin's goals.

Then there is the issue of betrayal by 1000 cuts, by expedience, and with all honest intentions. In classically human mediated systems there is a constant pressure to bend the rules a little bit: "Read this guys email, he's no good", "block this transaction, just this one, the funds are stolen. I swear!", "just print a bit more money, we need to fund a war, it's important.". We find it hard to say no to small compromises, even when the logical outcome, shown by history to be inevitable, is no mystery to us.  Improved trustlessness is improved robustness to small betrayals adding up to big ones.

WRT SPV, it's only secure so long as there is an {adequate} supply of fully verifying nodes to keep miners honest. If there isn't then miners as a group (consider: even without an explicit conspiracy, they have some highly correlated interests…) can freely deceive SPV nodes. If there is, then for many use-cases SPV security is quite close to a full node (e.g. accepting confirmed payments with values small relative to the generated coins confirming them).  SPV is what makes compact mobile devices viable, and it's also necessary for efficiently binding Bitcoin into other system. But its security absolutely depends on validation being very well distributed.

Visa is an erroneous comparison. Bitcoin is a currency with a payment network. Visa is a payment network. I expect that someday people will use Visa to pay people with Bitcoins (though thats not a way of using Bitcoins that I'd prefer).

I don't appreciate the partisan "where you stand" language, which appears to be asking me to draw a bright line.  This is a complicated matter engineering and it involves nuanced trade-offs and understanding. Not bright line politics.

I support the vision of Bitcoin as I originally learned about it, which is a trust-less decentralized system intended to make it easy for people to transact without interference or mediation by trusted parties. Bitcoin is a system where we minimize the interaction of failure prone men in making decisions— with the best of intentions— which are pushed on others without their consent— it's a system made somewhat immune to even majority whim by the widely distributed hard enforcement of system invariants which are purposefully difficult to change, especially if the changes are controversial.

To the extent that trustlessness and scaling aren't in conflict, I say— and I think everyone with honest intentions would agree: great! lets have all the things!  I believe that as technology improves the level of conflict free scaling improvements will increase.

I am, however, also concerned that even at today's scale we have operating cost and education problems which are endangering the system's security assumptions. I believe these are perfectly solvable problems.

Generally, to the extent that trustlessness and scaling come into direct conflict I believe that Bitcoin should tend to prefer trustlessness. There are a couple of reasons I believe this:

Scaling with trustlessness should improve in time just from the march of technological progress. Trustlessness seems harder to regain (e.g. p2pool didn't replace all the centralized pools, though I believe if it had come first we'd probably have no centeralized pools today or at least they'd be substantially different) than scaling is to add.

Scaling can always be achieved through alternative payment mechanisms, but I know of no similar way to improve trustlessness through overlay systems. Alternative payment networks for Bitcoin must exist in order to support things like instantaneous (semi-)irreversibility, improved privacy, offline payments, etc. Bitcoin will never be as scalable as a less decenteralized payment system. E.g. If we had to choose between Bitcoin having a dozen miner supernodes that do all the validation which we effectively must trust, or having to run low value bitcoin transactions through distributed 5-party chaum banks, which exist by the hundreds around the world... I'd prefer the latter. This is doubly true because if Bitcoin is too bloated it will harm diversity in these alternative payment systems.

Finally, trustlessness should be preferred because it is the unique value that Bitcoin (and its clones) provide. Visa does the scaling game better than we do, for fundamental reasons. Many prior ecash systems with ample funding and brilliant technology failed, largely because their trusted center provided a chokepoint.

But all thats assuming that there is a conflict and I think our job in Bitcoin is to advance the technology and minimize the conflict, foremost.  And then we don't have to answer the hard questions like who picks who wins and who loses, it's better to have everyone win. Past that, it's a balancing act— one where either extreme diminishes Bitcoin's value to the world.

If Bitcoin blocks become gigabytes in size such that only powerful entities bother running validation nodes, then I think Bitcoin will collapse since it loses its main feature that is appealing (truselessness).

There is careful balancing which is required and hysteria ("biggest threat", "MUCH higher") is not helpful.

At either extreme— where it's too costly to transact, or where it's too costly to validate Bitcoin loses value.  If Bitcoin becomes defacto centralized due to being too costly to validate then it will be _impossible_ to build anything more decentralized on top of Bitcoin, and this is arguably a greater risk both because it can gradually end up in that state and because the risk of it being too costly to transact can at least be answered by alternative payment networks (which are mandatory in any case to achieve things like strong privacy, instant payments, efficient very low value transactions, and offline transaction).

Bandwidth isn't the only consideration— checksig can have a pretty substantial impact too.

But conserving bandwidth— and keeping the cost of operating a node down— is part of the reason to not have 1MB blocks constantly. Taking a 4x bandwidth hike for everyone is a pretty substantial cost. I suppose it's better than the blocks actually being that size, but still…

Citation needed. 250 is the default in the reference software. A simpler hypothesis than miners performing some complex orphaning cost benefit analysis is that they don't care to change the defaults.

It should be, indeed, but we don't support compiling without asserts. This is a known wart. There are a couple of other similar places that ought to be fixed. I might as well go fix it.

The excuse giving for years of why consolidations of ten percent, twenty percent, or even more, in the hands of pool operators didn't effectively disprove the Bitcoin security model was that pool operators were more obligated than a typical miner to behave with the public interest at heart because the hashrate controlling miners could vote with their feet.

I've never been too fond of the argument: evidence (e.g. miners voting with their feet very slowly even when a pool is clearly robbing them) suggests otherwise... But that argument doesn't even exist for GHash.io/CEX.io: the miners are captive and cannot leave. Worse, there is a moral hazard because an unknown portion of the hardware is paid for by other people (at top dollar rates too) and so if some stunt they perform debases its value... so what? Heck, perhaps it drops the market value down to nothing an cex can buy their obligations back for a song. This means that CEX.io can probably profit from an attack even if that attack ultimately fails.

No. That is completely wrong and confused. You are not 100% sure to find a match. Unless the hash function is broken, every attempt is unrelated— there could be 5 matches in a row, or a whole nonce range which doesn't match. When it fails, it just increments the extranonce or timestamp and carries on. At the current difficulty the probability of any value being a match is around one in seven hundred million. Puncturing the nonce space does not reduce your probability of success in the slightest.

No. Mythical nonsense threats— things like the claims that supporting x509 signed payment requests will allow CA's to monitor transactions— which are structurally impossible do not exist.

Just because something has some facility for checking some signing key was signed by another key and pretty printing a name doesn't magically give the root signer the ability to print money, monitor transactions, track users, or whatever other insipid nonsense people have convinced themselves of in their paranoia orgy.  All it means is that they could impersonate that party in the pretty printing, but absent the existence of the facility _anyone_ could impersonate.

The CA infrastructure stinks and is proven compromised and alternatives should be invented but PKI is a decades old problem and has never been satisfactorily solved anywhere.

The fantastical, confused, and— in some cases— personally violent arguments made about the x509 signing in the payment protocol are beyond the pale, even in this sometimes cesspool of a forum. Having a real commitment to security means also being  aggressive in refusing nonsense insecurity claims. Sorting out the signal from the non-man-made noise is already very hard. There is no excuse for additional noise.  Trolling secure systems with paranoia and FUD would be a fantastic counter-security move for a well funded attacker, and we must be robust against it.

If you've got an actual threat that people would be exposed to, please spell it out. Otherwise, cut the black-helicopter FUD. It's seriously demotivating and inevitably harmful to people's security.

It would be good to have some evidence about the system being abused in order to get improvements to the way things are done. More selfishly, it would be easier to argue for adding BCT to the browser cert pins with that kind of information. Perhaps not worth the time, but I thought I'd ask.

I looked at the darn cert, but didn't save it.  Geotrust vs Globalsign ... I'm sure I wouldn't remember the difference. I was looking for something like "cloudflare".

It remains true that anyone who could respond to a http request as the server (e.g. someone at the hosting provider or an upstream ISP) to a CA could get a cert issued in the site's name, since several CAs do nothing more than request a page with a specific name. So even without the cloudflare turbo compromise ... the CA universe stinks.

Theymos, any chance you could contact Globalsign — cloudflare's CA partner— and point out we believe their relationship with cloudflare may have been used to fraudulently issue a certificate for bitcointalk.org, ask them if they did— and if they did, to please list that certificate in their CRLs?

Looks like there is no way to escape a "cloudflare mediated attack": short of

(1) Get a shiny new SSL cert with a CA that has a strong security policy. (e.g. won't give certs to cloudflare), the current one may be adequate
(2) Get browser vendors to pin that CA for this domain.
(3) HSTS the site.


(2) would be a somewhat amusing discussion. As Bitcointalk is a much lower traffic than most of the other sites that have been CA pinned in chrome. OTOH, we can point out that a redirect to cloudflare attack was actually performed on us, ... while most of the other pinned sites are not known to have been attacked.

unfortunately the forum can't know. E.g. you could have attempted to log in, it could have been intercepted by the attacker, and then the account could have just appeared down for you.

Because there isn't any functional alternative at the moment. But the only thing its used for is so you can have a "payment requests signed by XYZ.com", thats it. In not case is it weaker than not having it, excluding arguments perhaps about false senses of security. The payment protocol stuff is fully extensible so if someone shows up with a more useful PKI it can easily be added.

Seriously, I'm one of the last guys to think the situation with x509 isn't a complete farce but I don't see any problem with the payment protocol supporting x509 signing of invoices. You'd not adding to the quality of discourse with that "wonder why" bullshit. Especially because there are a lot of ignorant people out there who have absolutely no idea how it works and think that supporting CA authentication of a signing key will somehow make all their transactions visible to the CA or other such threats that don't exist.

That would be good— any citation? (I did look briefly)

I noticed that bitcointalk is now being served via cloudflare. I'd missed this happening. What a bummer this is.

Whats the point of having the forum behind SSL when the keys are handed over to a third party?

It also always prompts and asks in the GUI if it needs to provide a fee to satisify the network rules, and in current software the fee required to satisfy the rules for dust transactions is 0.0001BTC/kb, so 0.0005 sounds surprising unless the transaction was build from a lot of dust or done with an old version of the software.

Absolutely true about the network basically failing in the first year:

But take care about "so many"— we really don't know how many coins he has. He was not the only party mining the first year, by far— the analysis are abundantly clear about that (as are the personal testimonies of many). A lot of people make the mistake of assuming all the unspent first year coins were his, and this is erroneous. I think it's likely he has/has-had many, sure, but take any specific estimate with a grain of salt.