"This connection is untrusted" - bitaddress.org

[Alonzo Ewing]

I'm trying to create a paper wallet. I made a Ubuntu boot USB. I booted via said USB. i connected to my home wireless network by entering pass code.

I started Firefox and searched for "bitaddress". First result was bitaddress.org. When I clicked, I received a warning, "This connection is untrusted".  I clicked "add exception". It asked something like "are you sure?"  I freaked out and closed the browser.

Is this normal?

Keep in kind that I'm computer illiterate and have never used Ubuntu before.

[Leehoya]

I'm trying to create a paper wallet. I made a Ubuntu boot USB. I booted via said USB. i connected to my home wireless network by entering pass code.

I started Firefox and searched for "bitaddress". First result was bitaddress.org. When I clicked, I received a warning, "This connection is untrusted".  I clicked "add exception". It asked something like "are you sure?"  I freaked out and closed the browser.

Is this normal?

Keep in kind that I'm computer illiterate and have never used Ubuntu before.

Click yeah. The cert might probably be using self signed one. What does the certificate says?

[CIYAM]

Just be sure that you save the web page for "offline" usage (which is the only way you should use this kind of website) and disconnect the internet before using the "offline" version (making sure that it won't somehow get automatically connected when doing so).

[deepceleron]

The site is signed by Comodo CA, which is a less trusted certificate authority (out of over 1000 CA's that your browser gives blind trust to). It is possible that the distro has decided to remove the trust, as others have advocated removing it's trust since they were able to get that CA to issue certificates for domains they don't own, including Mozilla's own site.

http://benjamin.smedbergs.us/blog/2008-12-24/how-to-disable-the-comodo-root-certificate-in-firefox/
https://blog.startcom.org/?p=145

The bitaddress page should be downloaded from the repository and run offline in just about every scenario one can envision:
https://github.com/pointbiz/bitaddress.org

[CIYAM]

The bitaddress page should be downloaded from the repository and run offline in just about every scenario one can envision:
https://github.com/pointbiz/bitaddress.org

Yes - do this (same goes for brainwallet.org).

To download just click on the "Download ZIP" button on the right side of the page.

[Alonzo Ewing]

Thanks guys!  I'm being super paranoid, but how should I download that file?

1) download in Windows from github, put on separate USB, then boot via Ubuntu USB, leave Internet unconnected, then run the bitaddress file from separate USB?

Or

2) Boot via Ubuntu, connect to internet, download from github, disconnect from Internet, then run bitaddress file?

[grue]

download in Windows from github, put on separate USB, then boot via Ubuntu USB, leave Internet unconnected, verify the file hash on the ubuntu machine, then run the bitaddress file from separate USB

[Alonzo Ewing]

So I did a bit of googling/youtubing and know how I can check the md5 hash and sha1 hash of a file. Only problem is, I don't see any hash in the readme file or anywhere else. Where is the hash found? 

And what file should I be hashing?  The bitaddress.org.html file?  The zip file?

download in Windows from github, put on separate USB, then boot via Ubuntu USB, leave Internet unconnected, verify the file hash on the ubuntu machine, then run the bitaddress file from separate USB

[Alonzo Ewing]

Another question: in bitaddress, under paper wallet, I should be able to bash my keyboard to generate a sufficiently random key pair, right?  I.e., I don't have to roll a die a hundred times or whatever.

[deepceleron]

download in Windows from github, put on separate USB, then boot via Ubuntu USB, leave Internet unconnected, verify the file hash on the ubuntu machine, then run the bitaddress file from separate USB

So I did a bit of googling/youtubing and know how I can check the md5 hash and sha1 hash of a file. Only problem is, I don't see any hash in the readme file or anywhere else. Where is the hash found? 

And what file should I be hashing?  The bitaddress.org.html file?  The zip file?

Obviously incomplete advice, you also need to verify the signature of the file containing hashes.

The URL is redirected when loading off bitaddress.org to include a release and SHA1:
https://www.bitaddress.org/bitaddress.org-v2.6.2-SHA1-4d98755d7e78caa4361228a2b11b0faa0f65e6de.html

"release notes" is signed by "ninja" using PGP, and contains a SHA-1 hash of each "release":
https://www.bitaddress.org/pgpsignedmsg.txt

However, the private key for ninja is also only found on the web page, I don't see an MIT link, etc:
https://www.bitaddress.org/ninja_bitaddress.org.txt

This means that all content on the website could be diligently replaced by a hacker with no means of detection.

When you download from github to your drive and then load the file in your browser:

https://raw.github.com/pointbiz/bitaddress.org/master/bitaddress.org.html

and then verify the signature and hash provided on bitaddress.org, at least then both sites have to agree on the same SHA1 hash. You can also see when the bitaddress.org.html was last modified, and review the commits to see what changed, such as the last one five days ago:
https://github.com/pointbiz/bitaddress.org/commit/ef1d9614f1c9f11598a603e965f0cbaa7d2f3314

Another question: in bitaddress, under paper wallet, I should be able to bash my keyboard to generate a sufficiently random key pair, right?  I.e., I don't have to roll a die a hundred times or whatever.

You didn't see the instructions "move your mouse around to generate some extra randomness" when you loaded the page?