Peter Todd [ARCHIVE] on Nostr: š Original date posted:2014-03-22 š Original message:On Sat, Mar 22, 2014 at ...
š
Original date posted:2014-03-22
š Original message:On Sat, Mar 22, 2014 at 06:03:03PM +0100, Mike Hearn wrote:
> In case you didn't see this yet,
>
> http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html
>
> If you're using PGP to verify Bitcoin downloads, it's very important that
> you check you are using the right key. Someone seems to be creating fake
> PGP keys that are used to sign popular pieces of crypto software, probably
> to make a MITM attack (e.g. from an intelligence agency) seem more
> legitimate.
Note that Bitcoin source and binary downloads are protected by both the
PGP WoT and the certificate authority PKI system. The binaries are
hosted on bitcoin.org, which is https and protected by a the PKI system,
and the source code is hosted on github, again, https protected. A MITM
attack would need to compromise the PKI system as well, at least
provided users aren't fooled into downloading over http.
--
'peter'[:-1]@petertodd.org
0000000000000000657de91df7a64d25adfd3ff117bc30d00f5aa3065894f4a5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 685 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140322/ac41c6e2/attachment.sig>;
š Original message:On Sat, Mar 22, 2014 at 06:03:03PM +0100, Mike Hearn wrote:
> In case you didn't see this yet,
>
> http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html
>
> If you're using PGP to verify Bitcoin downloads, it's very important that
> you check you are using the right key. Someone seems to be creating fake
> PGP keys that are used to sign popular pieces of crypto software, probably
> to make a MITM attack (e.g. from an intelligence agency) seem more
> legitimate.
Note that Bitcoin source and binary downloads are protected by both the
PGP WoT and the certificate authority PKI system. The binaries are
hosted on bitcoin.org, which is https and protected by a the PKI system,
and the source code is hosted on github, again, https protected. A MITM
attack would need to compromise the PKI system as well, at least
provided users aren't fooled into downloading over http.
--
'peter'[:-1]@petertodd.org
0000000000000000657de91df7a64d25adfd3ff117bc30d00f5aa3065894f4a5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 685 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140322/ac41c6e2/attachment.sig>;