In-Reply-To: <1795f3067ba3fcdd0caf978cc59ff024.squirrel@fruiteater.riseup.net>
References: <52A3C8A5.7010606@gmail.com>
<1795f3067ba3fcdd0caf978cc59ff024.squirrel@fruiteater.riseup.net>
From: Drak <drak@zikula.org>
Date: Sun, 8 Dec 2013 10:00:35 +0000
Message-ID: <CANAnSg1DiPLqAGW=2Q0zoLjupn8wvYuhhH8HgvBM0d=5uKJNXA@mail.gmail.com>
To: Odinn Cyberguerrilla <odinn.cyberguerrilla@riseup.net>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?
There is really no excuse for not using an SSL certificate. Without one it
would be trivial for an attacker to change the contents of the page via
MITM.
Recent studies have shown MASSIVE abuse of the BGP routing protocol being
used to redirect websites through a third party.
This is not a theoretical attack, it's happening every single day on a
global scale and could be used to divert users to rogue versions of
software.
It's just a matter of time... it will happen sooner or later given the
incentives it could bring...
Recent references:
http://www.theregister.co.uk/2013/11/22/net_traffic_redirection_attacks/
http://www.wired.com/threatlevel/2013/12/bgp-hijacking-belarus-iceland/
The only way to mitigate these MITMs is to use SSL.
Also it's about time we hosted the Bitcoin Qt software at Github. They have
a releases feature where you can upload a packaged release (see
https://github.com/blog/1547-release-your-software). There are also no
adverts (another privacy leak at the least) and many feel it is more
trustworthy than Sourceforge: it also makes sense to have the downloads
where the source is developed.
Regards,
Drak
On 8 December 2013 03:38, Odinn Cyberguerrilla <
odinn.cyberguerrilla@riseup.net> wrote:
> Hello, re. the dedicated server for bitcoin.org idea, I have a few
> thoughts
>
> 1) I have commented in a blogpost of August 2013 at
> https://odinn.cyberguerrilla.org/ with some thoughts relative to possible
> issues with CA related to bitcoin.org - where I mentioned something
> relative to the DigiCert certificate,
> "DigiCert “may revoke a Certificate, without notice, for the reasons
> stated in the CPS, including if DigiCert reasonably believes that” (…)
> “Applicant is added to a government list of prohibited persons or entities
> or is operating from a prohibited destination under the laws of the United
> States” (…) “the Private Key associated with a Certificate was disclosed
> or Compromised”"
> In the same post I mentioned
> "Bitcoin.org has no certificate, no encryption — a situation which has its
> own obvious problems. Bitcoin.org currently sends users to download the
> bitcoin-qt client from sourceforge. Sourceforge is encrypted and has a
> certificate based on GeoTrust:
> https://www.geotrust.com/resources/repository/legal/"
>
> (Currently (Dec. 7, 2013) bitcoin.org shows as 'not verified' and 'not
> encrypted' examining it in a cursory fashion w/ Chrome)
>
> Not sure how this would work, but it would be nice to see the content at
> bitcoin.org encrypted, of course, but also further decentralized? how many
> mirrors are there of bitcoin.org - not sure, but a few things that come to
> mind when thinking of this are Tahoe-LAFS and also .bit stuff (namecoin).
> There are many ways to decentralize something but that is just something
> that comes to mind.
>
> This has been discussed at https://bitcointalk.org/index.php?topic=16312.0
> ('Is Bitcoin.org a weakness of bitcoin?) in the past and see also this
> https://bitcointalk.org/index.php?topic=119652.0 which discusses mirroring
> of certain content
>
> Some things to think about.
>
> > I would like to know what are your thoughts on moving bitcoin.org on a
> > dedicated server with a SSL certificate?
> >
> > I am considering the idea more seriously, but I'd like some feedback
> > before taking steps.
> >
> > Saïvann
> >
> >
> > ------------------------------------------------------------------------------
> > Sponsored by Intel(R) XDK
> > Develop, test and display web and hybrid apps with a single code base.
> > Download it for free now!
> >
> > http://pubads.g.doubleclick.net/gampad/clk?id=111408631&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Bitcoin-development mailing list
> > Bitcoin-development@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/bitcoin-development
> >
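The on-path rewrite Drak describes, as an added example that is not part of the original thread or of the Bitcoin project's code: a plaintext HTTP reply passing through an attacker has its download link pointed at another host, with Content-Length patched so the client receives a well-formed response and notices nothing. The page HTML, hostnames and port are constructed for the demo; `mirror.attacker.invalid` stands in for an attacker-controlled host, and the "attacker" is a function applied to the reply in place of a real network position (a hijacked BGP prefix, a rogue hop).

```python
"""Added example (not from the thread or the Bitcoin project): an on-path
party rewriting the download link in a plaintext HTTP reply.

The page HTML, hostnames and port are constructed for the demo;
mirror.attacker.invalid stands in for an attacker-controlled host, and the
"attacker" is a function applied to the reply in place of a real network
position (a hijacked BGP prefix, a rogue hop).
"""
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a plaintext download page.
GENUINE_PAGE = (
    b"<html><body><h1>Download</h1>"
    b'<a href="http://downloads.example.org/bitcoin-qt-0.8.6.tar.gz">Bitcoin-Qt</a>'
    b"</body></html>"
)
ATTACKER_HOST = b"mirror.attacker.invalid"  # assumed attacker-controlled host


class _PageHandler(BaseHTTPRequestHandler):
    """Minimal origin server: serves GENUINE_PAGE over cleartext HTTP."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(GENUINE_PAGE)))
        self.end_headers()
        self.wfile.write(GENUINE_PAGE)

    def log_message(self, *args):  # keep the demo quiet
        pass


def rewrite_response(raw: bytes) -> bytes:
    """What an on-path attacker does to a cleartext HTTP reply: point every
    http:// link at the attacker's host and patch Content-Length so the
    client still receives a well-formed response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    new_body = re.sub(rb'href="http://[^/"]+', b'href="http://' + ATTACKER_HOST, body)
    head = re.sub(rb"(?im)^Content-Length: \d+", b"Content-Length: %d" % len(new_body), head)
    return head + sep + new_body


def fetch_via_on_path_attacker(host: str, port: int) -> bytes:
    """Plain HTTP/1.0 client whose reply passes through the rewriting attacker."""
    with socket.create_connection((host, port)) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
        raw = b"".join(iter(lambda: s.recv(4096), b""))  # server closes after reply
    return rewrite_response(raw)  # attacker sits between client and origin


def download_link(response: bytes) -> str:
    """Extract the first href from an HTTP response, as a browser would follow it."""
    body = response.split(b"\r\n\r\n", 1)[1]
    return re.search(rb'href="([^"]+)"', body).group(1).decode()


def content_length_consistent(response: bytes) -> bool:
    """True if Content-Length matches the body, i.e. nothing looks broken."""
    head, _, body = response.partition(b"\r\n\r\n")
    m = re.search(rb"(?im)^Content-Length: (\d+)", head)
    return m is not None and int(m.group(1)) == len(body)


def demo() -> dict:
    """Serve the genuine page locally, fetch it through the attacker, compare."""
    srv = HTTPServer(("127.0.0.1", 0), _PageHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        tampered = fetch_via_on_path_attacker("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()
    return {
        "genuine": download_link(b"\r\n\r\n" + GENUINE_PAGE),
        "tampered": download_link(tampered),
        "well_formed": content_length_consistent(tampered),
    }


if __name__ == "__main__":
    print(demo())
```

With TLS and certificate validation an attacker at the same network position sees only ciphertext and cannot produce a reply that validates under the origin's certificate, so the rewrite step has nothing to work on; that is the whole of the argument for serving bitcoin.org, and the links it hands out, over HTTPS.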