Bitcoin Forum
Author Topic: bitcoin client authentication  (Read 959 times)
CliffordM (OP)
Member | Activity: 95 | Merit: 10
February 11, 2013, 01:56:39 PM  #1

How do we know that the client we are using (e.g. bitcoin-qt) is authentic and not an impersonator?

Obviously we can download the source code, and check the signature as published on bitcoin.org.

When I download from SourceForge, it is not over HTTPS, so I cannot rely on this.


There are no instructions / suggestions for doing this on bitcoin.org.

Maybe some instructions and possibly an HTTPS download site?


What would be really good would be a client feature that it has to handshake with the mining network, and some tiny fingerprint appear in the block-chain that can then be viewed from a trusted site. You then know that your client is a real one.


The problem I am imagining is that someone impersonates the client software, and uses this to gain access to the wallet keys.

As bitcoin becomes more mainstream, the security know-how of the average user will drop; a spoofed client would be terrible news.



"If you don't want people to know you're a scumbag then don't be a scumbag." -- margaritahuyan
Mike Hearn
Legendary | Activity: 1526 | Merit: 1129
February 11, 2013, 06:01:46 PM  #2

From Bitcoin 0.8 onwards the binaries for Windows and MacOS will be signed by Bitcoin Foundation code-signing certificates. So you can check that using the standard methods your operating system provides. For Linux there are GPG signed builds available. For Android, wallet apps are code-signed by their creators.
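The Linux path Mike Hearn mentions (GPG-signed builds) comes down to two checks a user runs outside the client: that the release's checksum list carries a valid signature from the release signer's key, and that the downloaded binary matches an entry in that list. The script below is an added example for this thread, not code from the forum or from the Bitcoin project. It assumes `gpg` and coreutils `sha256sum` are installed, that the signer's public key is already in the local keyring (imported from a source independent of the download mirror), and a release layout of a clear-signed `SHA256SUMS.asc` next to the binary; the file names are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from this thread or from the Bitcoin project.
# Two checks behind "GPG signed builds" for a Linux download:
#   1. the checksum list carries a good signature from a key that is already
#      in the local keyring (the key itself must be obtained out of band, not
#      from the same mirror that served the binary);
#   2. the binary's SHA-256 matches the entry for it in that signed list.
# Assumed layout: a clear-signed SHA256SUMS.asc beside the binary.
set -u

# Returns 0 only if gpg reports GOODSIG for the file. The result is read from
# gpg's machine-readable status lines (--status-fd) rather than its human text.
# GOODSIG means the signature is valid for some key in the keyring; that the
# key is the right one is established by checking its fingerprint out of band.
verify_signature() {
  sums_file="$1"
  gpg --batch --status-fd 1 --verify "$sums_file" 2>/dev/null \
    | grep -q '^\[GNUPG:\] GOODSIG '
}

# Returns 0 only if the named binary has an entry in the checksum list and its
# SHA-256 matches. awk filters the list to that exact file name ("bitcoin-qt"
# does not match "bitcoin-qt.bak"; the "*name" form marks binary mode), and
# sha256sum -c fails if no line survives the filter, so a missing entry is a
# failure rather than a silent pass.
verify_checksum() {
  sums_file="$1"; binary="$2"
  dir=$(dirname "$binary"); name=$(basename "$binary")
  awk -v n="$name" '$2 == n || $2 == "*" n' "$sums_file" \
    | (cd "$dir" && sha256sum -c --status)
}

# Both checks must pass. The order matters: a checksum list that is not signed
# by a known key proves nothing about the binary, however well it matches.
verify_release() {
  verify_signature "$1" && verify_checksum "$1" "$2"
}

# Usage (placeholder names):
#   verify_release ./SHA256SUMS.asc ./bitcoin-qt && echo "release verified"
```

On Windows and macOS the equivalent step is the operating system's own signature check on the binary (the file's digital-signature properties on Windows, Gatekeeper on macOS); the point common to all three is that the check is done by tooling the user already trusts, not by the downloaded program.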
CliffordM (OP)
Member | Activity: 95 | Merit: 10
February 11, 2013, 06:57:56 PM  #3

My worry is that folk won't bother with this.

We need something more convenient for Joe Public.
Pieter Wuille
Legendary | Activity: 1072 | Merit: 1174
February 11, 2013, 09:44:03 PM  #4

Quote from: CliffordM on February 11, 2013, 01:56:39 PM
What would be really good, would be a client feature that it has to handshake with the mining network, and some tiny fingerprint appear in the block-chain that can then be viewed from a trusted site. You then know that your client is a real one.

You want the client to validate itself, and tell you it has verified it is authentic?

Do you think that someone who distributes a malicious version won't just make it skip that check?

I do Bitcoin stuff.
CliffordM (OP)
Member | Activity: 95 | Merit: 10
February 12, 2013, 08:21:37 AM  #5

I think you may have misread my post.

My thesis is that there is not enough guidance on security hygiene concerning client impersonation.

My suggestion of the blockchain fingerprint is a potential solution to the problem. Whether or not it is feasible in that form does not detract from the validity of the thesis.

What the suggestion implies is that there may be a better solution than expecting users to validate clients directly.

Apologies if this is not how you had interpreted my post.