Bitcoin Forum
December 08, 2016, 02:22:33 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: There is no way to securely download the BitCoin application  (Read 855 times)
ikilled
Jr. Member
*
Offline Offline

Activity: 43


Bitcoin is a revolutionary invention not just curr


View Profile
June 24, 2011, 11:09:05 PM
 #1

Dear authors of BitCoin,

I was trying to securely download the BitCoin application from BitCoin.org and I found no way of getting the EXE ot ZIP file securely:
- I tried going to: https://www.bitcoin.org - doesn't work
- I tried downloading from SoruceForge trough HTTPS  - doesn't work
- The EXE file (installer or the bitcoin.exe) is not digitally signed
- As far as I checked there is noSHA or MD5 hash/checksum posted securely either (on a verified HTTPS website)

So could somebody get the BitCoin application securely?
How can I check that my BitCoin EXE is not modified by an attacker?
Should I download and review the source code manually and then compile it by myself? :-)

I think this is a quite big flaw in all of this as by downloading the BitCoin application non-securely the user is prone to man-in-the middle attacks. The attacker could substitute the EXE or ZIP with a modified one which includes some malicious code.

I hope you will fix this issue soon.
If I am wrong and there's a way to download securely I apologize :-P
And please tell me how can I do it.

BTW: I love BitCoin project, I think it could be the best thing after the invention of the internet!

Bitcoin is 't just currency - it's an invention, a revolutionary technology, an idea, a network, platform, programmable money - the implications and possibilities are endless!
1481206953
Hero Member
*
Offline Offline

Posts: 1481206953

View Profile Personal Message (Offline)

Ignore
1481206953
Reply with quote  #2

1481206953
Report to moderator
1481206953
Hero Member
*
Offline Offline

Posts: 1481206953

View Profile Personal Message (Offline)

Ignore
1481206953
Reply with quote  #2

1481206953
Report to moderator
1481206953
Hero Member
*
Offline Offline

Posts: 1481206953

View Profile Personal Message (Offline)

Ignore
1481206953
Reply with quote  #2

1481206953
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481206953
Hero Member
*
Offline Offline

Posts: 1481206953

View Profile Personal Message (Offline)

Ignore
1481206953
Reply with quote  #2

1481206953
Report to moderator
1481206953
Hero Member
*
Offline Offline

Posts: 1481206953

View Profile Personal Message (Offline)

Ignore
1481206953
Reply with quote  #2

1481206953
Report to moderator
chungy
Jr. Member
*
Offline Offline

Activity: 38


View Profile
June 24, 2011, 11:13:31 PM
 #2

There is a SHA1SUMS.asc file which would do what you want: http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.23/

Only I'm not sure who signs it, or where to get the key (hopefully on a keyserver such as pgp.mit.edu or similar).
kerogre256
Full Member
***
Offline Offline

Activity: 161


View Profile
June 25, 2011, 12:08:26 AM
 #3

yeh it stupid i post twice arledy about MD5 checke soom.
Bastet
Newbie
*
Offline Offline

Activity: 25


View Profile
June 25, 2011, 02:12:39 AM
 #4

You could always get the source code and compile yourself...  Grin
But then you'd need to verify the source code, not an easy task.
gpubitcoin
Newbie
*
Offline Offline

Activity: 18


View Profile WWW
June 25, 2011, 02:14:10 AM
 #5

I'm in the process of making a bitcoin related website and I've added some of the files (the main bitcoin client and some miners) for download directly from the site. I will be adding md5 hash sums of the files as I received them next to the download links but it would be nice if the main bitcoin site would release checksums so users can be sure of the authenticity of what they are downloading.

http://GPUbitcoin.com
MoonShadow
Legendary
*
Offline Offline

Activity: 1666



View Profile
June 25, 2011, 02:16:36 AM
 #6

Even if there were a secure summation available on the server, this doesn't tell you if the server itself has already be compromised and whoever inserted a malicious client didn't just do the same for the summation and alter the timestamps.  Ultimately you are going to have to trust someone.  It's because of this very issue that older Bitcoin clients persist upon the network.

"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."

- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
sunbird
Newbie
*
Offline Offline

Activity: 23


View Profile
August 18, 2011, 02:44:28 PM
 #7

Even if there were a secure summation available on the server, this doesn't tell you if the server itself has already be compromised and whoever inserted a malicious client didn't just do the same for the summation and alter the timestamps.  Ultimately you are going to have to trust someone.  It's because of this very issue that older Bitcoin clients persist upon the network.

I was going to post on this topic and am glad that someone else is doing so.

The above is not a sufficient answer to this question. By the same rationale, you should never take any security measures because there are always countermeasures. No point in using https to connect to your bank since someone could have taken over the domain since you last logged in.

Moreover, since bitcoin is FOSS, it is quite likely that coders would notice a hash error if it was compromised. As it stands now, there is absolutely nothing stopping someone from distributing a fake btc client.

This is soooo easy to fix. The maintainers of bitcoin can post the SHA sum on the website, enable secure browsing, and sign the md5 sum with the gpg key of one of the developers (which likely has a long list of signatures to verify the authenticity). This would take all of five minutes...
jackjack
Hero Member
*****
Offline Offline

Activity: 882


May Bitcoin be touched by his Noodly Appendage


View Profile
August 18, 2011, 02:49:43 PM
 #8

MD5?
I don't download binaries but I would prefer the devs use SHA* instead

Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2
Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
sunbird
Newbie
*
Offline Offline

Activity: 23


View Profile
August 18, 2011, 03:06:08 PM
 #9

MD5?
I don't download binaries but I would prefer the devs use SHA* instead

Oops, yeah, should be SHA. I've corrected my post above. Thx.

But, frankly, I'd prefer MD5 to no hash at all...
Maged
Legendary
*
Offline Offline

Activity: 1260


View Profile
August 18, 2011, 08:05:40 PM
 #10

Even if there were a secure summation available on the server, this doesn't tell you if the server itself has already be compromised and whoever inserted a malicious client didn't just do the same for the summation and alter the timestamps.  Ultimately you are going to have to trust someone.  It's because of this very issue that older Bitcoin clients persist upon the network.

I was going to post on this topic and am glad that someone else is doing so.

The above is not a sufficient answer to this question. By the same rationale, you should never take any security measures because there are always countermeasures. No point in using https to connect to your bank since someone could have taken over the domain since you last logged in.

Moreover, since bitcoin is FOSS, it is quite likely that coders would notice a hash error if it was compromised. As it stands now, there is absolutely nothing stopping someone from distributing a fake btc client.

This is soooo easy to fix. The maintainers of bitcoin can post the SHA sum on the website, enable secure browsing, and sign the md5 sum with the gpg key of one of the developers (which likely has a long list of signatures to verify the authenticity). This would take all of five minutes...
They already do just that.
http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.24/ (see SHA1SUMS.asc)

sunbird
Newbie
*
Offline Offline

Activity: 23


View Profile
August 19, 2011, 02:35:08 PM
 #11


Oh hey, thanks for locating that! However, the fact that this thread exists and that many people haven't found the sigs is a real problem.

The SHA hash should be on this page with the software https://bitcoin.org (which, by the way, won't load because they don't have secure browsing enabled, another problem), with the gpg signatures displayed on the page with the SHA hashes. For people who are only slightly paranoid, secure browsing provides _some_ level of assurance (yes, the site could be hijacked, but again, just because someone can pick the lock on your front door doesn't mean you should leave your door open). For those who are more paranoid, they can verify the signature and the hash.

Yes, I know that many people won't verify the information. But I would have, had I been able to locate it before. And there's no reason to bury it at sourceforge. At least put a link to the ASC file on the front page...

My $.02...
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!