On Sat, Mar 22, 2014 at 06:03:03PM +0100, Mike Hearn wrote: > In case you didn't see this yet, > > http://gavintech.blogspot.ch/2014/03/it-aint-me-ive-got-pgp-imposter.html > > If you're using PGP to verify Bitcoin downloads, it's very important that > you check you are using the right key. Someone seems to be creating fake > PGP keys that are used to sign popular pieces of crypto software, probably > to make a MITM attack (e.g. from an intelligence agency) seem more > legitimate.
Note that Bitcoin source and binary downloads are protected by both the PGP WoT and the certificate authority PKI system. The binaries are hosted on bitcoin.org, which is https and protected by a the PKI system, and the source code is hosted on github, again, https protected. A MITM attack would need to compromise the PKI system as well, at least provided users aren't fooled into downloading over http. -- 'peter'[:-1]@petertodd.org 0000000000000000657de91df7a64d25adfd3ff117bc30d00f5aa3065894f4a5
signature.asc
Description: Digital signature
------------------------------------------------------------------------------ Learn Graph Databases - Download FREE O'Reilly Book "Graph Databases" is the definitive new guide to graph databases and their applications. Written by three acclaimed leaders in the field, this first edition is now available. Download your free book today! http://p.sf.net/sfu/13534_NeoTech
_______________________________________________ Bitcoin-development mailing list Bitcoin-development@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development
