Bitcoin Forum
December 02, 2016, 06:19:01 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: Feature request: HTTPS Bitcoin page containing signatures of downloadable files  (Read 1820 times)
ShadowOfHarbringer
Legendary
*
Offline Offline

Activity: 1470


Bringing Legendary Har® to you since 1952


View Profile
January 25, 2011, 02:14:20 PM
 #1

I have another proposition:

There should be a site, like https://www.bitcoin.org/signatures where there are SHA1/MD5/SHA256 signatures of every file that is avaiable for download on bitcoin.org.
This way, there will be a 100% cracker-resistant way to know that one is downloading unmodified/unhacked files.

For now, the only way to know we have a "clean" bitcoin is to download the source, pull changes from github and review them yourself, which is probably not very good for starters/noobs.
After all, latest events concerning Facebook & Tunisia government, show that it's not very hard to imagine governments or ISPs modifying bitcoin binaries to place trojan horses in them.

What do you think ? This shouldn't be verry hard to do - i mean how hard it is to setup a single static HTML page on HTTPS ?

Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480702741
Hero Member
*
Offline Offline

Posts: 1480702741

View Profile Personal Message (Offline)

Ignore
1480702741
Reply with quote  #2

1480702741
Report to moderator
1480702741
Hero Member
*
Offline Offline

Posts: 1480702741

View Profile Personal Message (Offline)

Ignore
1480702741
Reply with quote  #2

1480702741
Report to moderator
bitcoinex
Sr. Member
****
Offline Offline

Activity: 350


probiwon.com


View Profile WWW
January 25, 2011, 03:20:04 PM
 #2

I think digital signed src by authors of the code is better. And already in a git it works fine. Gavin could put a tags with his sign as Linus already doing this:

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.37.y.git;a=tag;h=refs/tags/v2.6.37

The average user does not need the source code - for him program builded by a maintainer into packages. Software packages also have signatures, format depends from your OS.

I have a deja vu - we've already discussed it

New bitcoin lottery: probiwon.com
- Может, ты ещё и в Невидимую Руку Рынка веруешь? - Зачем же веровать в то, что можно наблюдать непосредственно?
theymos
Administrator
Legendary
*
expert
Offline Offline

Activity: 2492


View Profile
January 25, 2011, 07:34:27 PM
 #3

Relying on HTTPS allows every certificate authority and their sub-authorities to break the authentication, even though bitcoin.org is self-signed. HTTPS should not be used for important authentication problems.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
ShadowOfHarbringer
Legendary
*
Offline Offline

Activity: 1470


Bringing Legendary Har® to you since 1952


View Profile
January 25, 2011, 08:30:20 PM
 #4

Relying on HTTPS allows every certificate authority and their sub-authorities to break the authentication, even though bitcoin.org is self-signed. HTTPS should not be used for important authentication problems.

There are plugins for firefox which alert you every time a certificate changes, just like in SSH.
https://addons.mozilla.org/pl/firefox/addon/certificate-patrol/

And even if you're not using plugins, my proposition is much better than nothing, isn't it ?


theymos
Administrator
Legendary
*
expert
Offline Offline

Activity: 2492


View Profile
January 25, 2011, 08:32:08 PM
 #5

There are plugins for firefox which alert you every time a certificate changes, just like in SSH.

I use it. And I removed most of my CAs. Smiley

Quote
And even if you're not using plugins, my proposition is much better than nothing, isn't it ?

Yes, but the releases should just be PGP signed by Satoshi. Then there's no chance of third-party contamination.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
ShadowOfHarbringer
Legendary
*
Offline Offline

Activity: 1470


Bringing Legendary Har® to you since 1952


View Profile
January 25, 2011, 08:42:57 PM
 #6

Yes, but the releases should just be PGP signed by Satoshi. Then there's no chance of third-party contamination.

That's the problem right there. They should be.
So if they aren't yet, wouldn't it be like a 5 minute job for site admin to add one static HTTPS page with signatures included ?

I mean I'm proposing a quick working fix, and later when Satoshi signs all binaries himself, this will no longer be needed.

ShadowOfHarbringer
Legendary
*
Offline Offline

Activity: 1470


Bringing Legendary Har® to you since 1952


View Profile
January 25, 2011, 09:03:34 PM
 #7

I just had another revelation:

Signing binaries by satoshi usign PGP is no solution at all.
Why ?
Because when Satoshi's public PGP key will be avaiable over HTTP, not HTTPS, governments/ISPs still will be able to change it on the fly using their proxies/filters.

This is a chicken-egg problem.

theymos
Administrator
Legendary
*
expert
Offline Offline

Activity: 2492


View Profile
January 25, 2011, 09:15:19 PM
 #8

I just had another revelation:

Signing binaries by satoshi usign PGP is no solution at all.
Why ?
Because when Satoshi's public PGP key will be avaiable over HTTP, not HTTPS, governments/ISPs still will be able to change it on the fly using their proxies/filters.

This is a chicken-egg problem.

This is solved by the PGP web of trust. I'm sure many of us would sign Satoshi's key (which has already been public for a long time), but I think this is generally considered rude to do without permission.

The SHA-1 hashes are already listed on the front page, which can be accessed with HTTPS.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
ShadowOfHarbringer
Legendary
*
Offline Offline

Activity: 1470


Bringing Legendary Har® to you since 1952


View Profile
January 26, 2011, 08:51:30 AM
 #9

The SHA-1 hashes are already listed on the front page, which can be accessed with HTTPS.

So i was talking like it wasn't done, and it worked all the time... Stupid me.
Closing thread.

Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!