Mike Hearn [ARCHIVE] on Nostr: 📅 Original date posted:2013-12-31 📝 Original message:Given that hardly anyone ...
📅 Original date posted:2013-12-31
📝 Original message:Given that hardly anyone checks the signatures, it's fair to say downloads
aren't protected by anything at the moment. SSL for downloads can only
raise the bar, never lower it, and if the NSA want to kick off the process
of revoking some of the big CA's then I'm game (assuming anyone detects it
of course) :)
Anyway, nobody is dragging feet, the problem is right now we get what is
effectively a huge free subsidy from github and SourceForge for site
hosting. The cost is no SSL. So getting SSL would require that "we" pay for
it ourselves, but the primary method we have for funding public
goods/infrastructure (the Foundation) which is the subject of various
conspiracy theories. Jeremy has made a generous offer further up the
thread, the issue being I guess none of us know how much traffic we
actually get :( I remember suggesting that we whack Google Analytics or
some other statistics package on when the new website design was done and
that was rejected for similar reasons ("organisations are bad").
So we are in a position where we get a subsidy of large but unknown size
from various existing US corporations, but moving to different ones is
controversial, hence no progress :)
On Tue, Dec 31, 2013 at 1:48 PM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
> On Tue, Dec 31, 2013 at 5:39 AM, Drak <drak at zikula.org> wrote:
> > The NSA has the ability, right now to change every download of
> bitcoin-qt,
> > on the fly and the only cure is encryption.
>
> Please cut it out with the snake oil pedaling. This is really over the
> top. You're invoking the NSA as the threat here? Okay. The NSA can
> trivially compromise an HTTPS download site: even ignoring the CA
> insecurity, and government run CAs certificate authorities issue CA
> certs to random governments and corporations for dataloss prevention
> purposes. Not to mention unparalleled access to exploits.
>
> The downloads are protected by something far stronger than SSL
> already, which might even have a chance against the NSA. Actual
> signatures of the downloads with offline keys.
>
> I'm all pro-SSL and all that, but you are— piece by piece— really
> convincing me that it produces an entirely false sense of security
> which is entirely unjustified.
>
>
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT
> organizations don't have a clear picture of how application performance
> affects their revenue. With AppDynamics, you get 100% visibility into your
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
> Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20131231/459ec369/attachment.html>
📝 Original message:Given that hardly anyone checks the signatures, it's fair to say downloads
aren't protected by anything at the moment. SSL for downloads can only
raise the bar, never lower it, and if the NSA want to kick off the process
of revoking some of the big CA's then I'm game (assuming anyone detects it
of course) :)
Anyway, nobody is dragging feet, the problem is right now we get what is
effectively a huge free subsidy from github and SourceForge for site
hosting. The cost is no SSL. So getting SSL would require that "we" pay for
it ourselves, but the primary method we have for funding public
goods/infrastructure (the Foundation) which is the subject of various
conspiracy theories. Jeremy has made a generous offer further up the
thread, the issue being I guess none of us know how much traffic we
actually get :( I remember suggesting that we whack Google Analytics or
some other statistics package on when the new website design was done and
that was rejected for similar reasons ("organisations are bad").
So we are in a position where we get a subsidy of large but unknown size
from various existing US corporations, but moving to different ones is
controversial, hence no progress :)
On Tue, Dec 31, 2013 at 1:48 PM, Gregory Maxwell <gmaxwell at gmail.com> wrote:
> On Tue, Dec 31, 2013 at 5:39 AM, Drak <drak at zikula.org> wrote:
> > The NSA has the ability, right now to change every download of
> bitcoin-qt,
> > on the fly and the only cure is encryption.
>
> Please cut it out with the snake oil pedaling. This is really over the
> top. You're invoking the NSA as the threat here? Okay. The NSA can
> trivially compromise an HTTPS download site: even ignoring the CA
> insecurity, and government run CAs certificate authorities issue CA
> certs to random governments and corporations for dataloss prevention
> purposes. Not to mention unparalleled access to exploits.
>
> The downloads are protected by something far stronger than SSL
> already, which might even have a chance against the NSA. Actual
> signatures of the downloads with offline keys.
>
> I'm all pro-SSL and all that, but you are— piece by piece— really
> convincing me that it produces an entirely false sense of security
> which is entirely unjustified.
>
>
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT
> organizations don't have a clear picture of how application performance
> affects their revenue. With AppDynamics, you get 100% visibility into your
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
> Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20131231/459ec369/attachment.html>