Bitcoin Forum
Topic: The Bitcoin FAQ: withdrawals, block count, SSL
casascius (OP)
Mike Caldwell
February 23, 2011, 07:34:49 AM
Last edit: February 23, 2011, 08:05:35 AM by casascius
 #1

Today, I was corresponding with the operator of a fairly well known web site of a US nonprofit org; I wrote suggesting the idea that accepting Bitcoin may be a good avenue for donation income.  This web site in particular deals with a political controversy and is one where people would have a reason to donate anonymously and where accepting Bitcoin would likely be fruitful for them.

One thing he said to me, which I think has a lot of merit, is this:

"I am surprised that there's no answer or question for "how to sell bitcoins" on their FAQ."

I think how to withdraw BTC into fiat currency certainly counts as a legitimate frequently asked question, especially for real-world organizations that, perhaps unlike many of us, aren't planning on holding on to BTC long term.  Perhaps it should be updated.  This is a very legitimate first question to ask.

Second, I was asked about why the charts at bitcoincharts.com look all over the place.  One sore thumb that should really be cleaned up is there is one chart whose last update says January 22 and whose graph says "No Data".  This should really be removed.  Given that it has a very stale quote (but the staleness isn't in the same obvious font size as the stale data itself), it leads one to question and be confused as to why there should be two so drastically different USD values for Bitcoin.  This, too, is a legitimate "first question" for a newcomer: what is a bitcoin worth to me in $$$?

Third, I notice myself that the front page of Bitcoin.org reports the total block count as 97000.  This too, is pretty stale.  This wouldn't be so bad, other than the software doesn't give any useful indication that it is non-functional until the entire block chain is downloaded, and a new user isn't going to know how many blocks to expect, especially if it is taking half an hour or more to download.  Non-geeks are likely to find this very frustrating and counter-intuitive.

Fourth, can I yell this out loud?  THE SELF SIGNED SSL CERT ON BITCOIN.ORG is embarrassing (my own observation).  Can someone please do a damn thing about it?  I would, if I could.  I am sure many of us would pitch in BTC if it cost money if a free solution like startssl was considered unacceptable.  It is a huge irony that a crypto-based project that asks people to monetarily exercise faith in cryptography can't even get SSL configured right on its home page.  Surely this might make some feel as uncomfortable as going under the knife for surgery from a surgeon who misspells "surgeon" on his own business card - and rightfully so.  Can we really finally just fix this?


Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
ribuck
February 23, 2011, 09:02:51 AM
 #2

It is a huge irony that a crypto-based project that asks people to monetarily exercise faith in cryptography can't even get SSL configured right on its home page.

A self-signed certificate is not wrongly configured.

But mainstream browsers do react in a way that tends to cause panic amongst mainstream users. If the browser just said "This certificate is self-signed. Your session is encrypted, but the certificate doesn't vouch for the identity of the website" that would be fine.

Unfortunately, browsers don't work like that, so it probably is worth buying a commercial cert. I'm happy to contribute to the cost.
casascius (OP)
February 23, 2011, 01:58:11 PM
 #3


Unfortunately, browsers don't work like that, so it probably is worth buying a commercial cert. I'm happy to contribute to the cost.

A StartSSL free certificate appears to be good enough for the wiki at https://www.bitcoin.it, so how about for bitcoin.org?

dust
February 23, 2011, 07:46:52 PM
 #4

An easy fix would be to redirect bitcoin.org to the wiki.

Binford 6100
February 26, 2011, 03:44:03 AM
 #5

THE SELF SIGNED SSL CERT ON BITCOIN.ORG is embarrassing (my own observation).
...
It is a huge irony that a crypto-based project that asks people to monetarily exercise faith in cryptography can't even get SSL configured right on its home page.

problem ^^

A StartSSL free certificate

solution ^^

You can't build a reputation on what you are going to do.
Vasiliev
February 26, 2011, 06:21:20 AM
 #6

A self-signed certificate is not wrongly configured.

But mainstream browsers do react in a way that tends to cause panic amongst mainstream users. If the browser just said "This certificate is self-signed. Your session is encrypted, but the certificate doesn't vouch for the identity of the website" that would be fine.
The HTTPS sites most commonly encountered by an average user will be login pages/financial websites. A self-signed certificate is what appears if somebody is running a MITM attack. MITM attacks will commonly be encountered on public networks. Treating it as a security issue is correct. If it just gave a small note that the identity is not confirmed, 95+% of users would ignore that, click through, and get their credentials stolen.
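
The disagreement in the two posts above comes down to what a client can actually check. As an added illustration (not part of any post in this thread), the script below uses the openssl CLI with throwaway keys, the placeholder host name `site.example` and a local "Demo Root CA" standing in for a browser-trusted CA: two self-signed certificates for the same name carry the same subject and both fail chain verification, while the CA-issued one verifies.

```shell
#!/bin/sh
# Constructed demo: throwaway keys, placeholder host, local stand-in root CA.
HOST="site.example"
WORK=$(mktemp -d)

# Self-signed: subject == issuer, nobody else vouches for the name.
self_signed() {   # $1 = file prefix
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# CA-issued: the CA signs the site's CSR (a real CA validates domain control first).
ca_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/leaf.crt" 2>/dev/null
}

# Client view: can a chain be built to the trusted root?
client_check() {  # $1 = file prefix
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
    then echo trusted; else echo untrusted; fi
}

subject()     { openssl x509 -in "$WORK/$1.crt" -noout -subject; }
fingerprint() { openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256; }

self_signed site    # the operator's own self-signed certificate
self_signed other   # a different key holder, same name
ca_signed           # creates ca.crt and leaf.crt

for c in site other leaf; do
    echo "$c: $(subject "$c") | $(client_check "$c")"
done
```

Without a trusted issuer, the only thing separating `site` from `other` is the fingerprint, which a visitor would have to obtain over some other channel.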
casascius (OP)
February 26, 2011, 06:38:41 AM
 #7

So, who do we need to annoy in order for this to be considered important?

theymos
February 26, 2011, 06:53:09 AM
 #8

How is anyone accidentally ending up on the HTTPS version, anyway? It's not the default.

Satoshi is the only one capable of getting a CA-signed cert, and he's unavailable.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
Stephen Gornick
February 26, 2011, 10:19:42 AM
 #9

One thing he said to me, which I think has a lot of merit, is this:

"I am surprised that there's no answer or question for "how to sell bitcoins" on their FAQ."

Fantastic suggestion.  The Wiki now features:
  http://en.bitcoin.it/wiki/Selling_bitcoins

Anonymous
Guest

February 26, 2011, 02:19:05 PM
 #10

So, who do we need to annoy in order for this to be considered important?

Satoshi.
MacRohard
February 26, 2011, 04:44:13 PM
 #11

How is anyone accidentally ending up on the HTTPS version, anyway? It's not the default.

Satoshi is the only one capable of getting a CA-signed cert, and he's unavailable.

This isn't true. Whoever runs the VM on 174.143.149.98 (bitcoin.org) can set up SMTP in order to receive a verification email to admin@www.bitcoin.org (could also be administrator@www.bitcoin.org, root@www.bitcoin.org, postmaster@www.bitcoin.org, hostmaster@www.bitcoin.org, webmaster@www.bitcoin.org). That will satisfy the verification requirements.

If someone wants to do that I'm happy to purchase the cert and make sure that the verification email is sent to the right place.

theymos
February 26, 2011, 05:05:59 PM
 #12

Whoever runs the VM on 174.143.149.98 (bitcoin.org) can set up SMTP in order to receive a verification email to admin@www.bitcoin.org (could also be administrator@www.bitcoin.org, root@www.bitcoin.org, postmaster@www.bitcoin.org, hostmaster@www.bitcoin.org, webmaster@www.bitcoin.org). That will satisfy the verification requirements.

True. I guess Sirius can do it, then, if he can run SMTP on his server.

MacRohard
February 26, 2011, 05:55:59 PM
 #13

Whoever runs the VM on 174.143.149.98 (bitcoin.org) can set up SMTP in order to receive a verification email to admin@www.bitcoin.org (could also be administrator@www.bitcoin.org, root@www.bitcoin.org, postmaster@www.bitcoin.org, hostmaster@www.bitcoin.org, webmaster@www.bitcoin.org). That will satisfy the verification requirements.

True. I guess Sirius can do it, then, if he can run SMTP on his server.

A simple option might be to port forward port 25 to another mailserver.

ssh -L0.0.0.0:25:smtp.somewhere.com:25 user@localhost

Saves setting up SMTP on the VM just to receive one email.

casascius (OP)
February 27, 2011, 03:50:09 AM
 #14

How is anyone accidentally ending up on the HTTPS version, anyway? It's not the default.

Satoshi is the only one capable of getting a CA-signed cert, and he's unavailable.

A lot of people use HTTPS for everything they can.  The EFF promotes it as a best practice, even up to the point of offering a Firefox extension that forces the browser to persistently use HTTPS everywhere it is possible. http://www.eff.org/https-everywhere

One thing pushing this trend is the recent publicity of rogue utilities such as Firesheep, which sniff networks for session cookies to websites and allow the sessions to be hijacked.  Open wi-fi networks are especially vulnerable.  Using HTTPS foils the attack, but must be done for the entire session for it to help.

An SSL cert from StartSSL can be had simply by proving an ability to receive e-mail at an administrative address at the domain; obtaining the cert is a 100% automated process.

casascius (OP)
February 27, 2011, 03:52:07 AM
 #15

I hereby pledge 25 BTC toward the site's SSL certificate, if a paid certificate is deemed necessary.

Once the certificate is installed, if someone can, um, hint to me who should receive it, I will gladly oblige.
