Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2014-01-03 Thread Troy Benjegerdes
On Fri, Jan 03, 2014 at 07:21:17PM +0100, Jorge Timón wrote: > On 1/3/14, Troy Benjegerdes wrote: > > 'make' should check the hash. > > An attacker could replace that part of the makefile. > Anyway, I think this is more oriented for compiled binaries, not for > people downloading the sources. I a

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2014-01-03 Thread Jorge Timón
On 1/3/14, Troy Benjegerdes wrote: > 'make' should check the hash. An attacker could replace that part of the makefile. Anyway, I think this is more oriented for compiled binaries, not for people downloading the sources. I assume most of that people just use git. > The binary should check it's o

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2014-01-03 Thread Troy Benjegerdes
On Fri, Jan 03, 2014 at 09:59:15AM +, Drak wrote: > On 3 January 2014 05:45, Troy Benjegerdes wrote: > > > On Tue, Dec 31, 2013 at 05:48:06AM -0800, Gregory Maxwell wrote: > > > On Tue, Dec 31, 2013 at 5:39 AM, Drak wrote: > > > > The NSA has the ability, right now to change every download o

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2014-01-03 Thread Adam Back
You know if you want to make some form of investment, you might like make an attempt to look them up on the internet, check the phone number in a phone book or directory enquiries, look for references and reviews? So it is with the hash of the binary you are about to trust with your investment fun

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2014-01-03 Thread Tier Nolan
On Fri, Jan 3, 2014 at 9:59 AM, Drak wrote: > Which is why, as pointed out several times at 30c3 by several renowned > figures, why cryptography has remained squarely outside of mainstream use. > It needs to just work and until you can trust the connection and what the > end point sends you, auto

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2014-01-03 Thread Drak
On 3 January 2014 05:45, Troy Benjegerdes wrote: > On Tue, Dec 31, 2013 at 05:48:06AM -0800, Gregory Maxwell wrote: > > On Tue, Dec 31, 2013 at 5:39 AM, Drak wrote: > > > The NSA has the ability, right now to change every download of > bitcoin-qt, > > > on the fly and the only cure is encryption

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2014-01-02 Thread Troy Benjegerdes
On Tue, Dec 31, 2013 at 05:48:06AM -0800, Gregory Maxwell wrote: > On Tue, Dec 31, 2013 at 5:39 AM, Drak wrote: > > The NSA has the ability, right now to change every download of bitcoin-qt, > > on the fly and the only cure is encryption. No, the only cure is the check the hashes. We should know

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2014-01-02 Thread Jorge Timón
On 12/31/13, Mike Hearn wrote: > remember suggesting that we whack Google Analytics or > some other statistics package on when the new website design was done and > that was rejected for similar reasons ("organisations are bad"). Analytics software would be useful. I suggest using Piwik or anoth

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2014-01-01 Thread Mike Hearn
> > Oh, it did? When was that? I must have missed this excitement :) >> > I would be very interested to learn more about this. It seems the steady state load on the site is not very high: https://github.com/bitcoin/bitcoin.org/pull/287 (Saivann ran Google Analytics on the site for a little while

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2014-01-01 Thread Mike Hearn
That seems overly complicated, there's no need for the Bitcoin protocol to be involved. Deterministic builds with threshold signed updates are a problem the entire crypto community is now interested in solving - any solution should be generic. Really all you need is an update engine that allows a

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2014-01-01 Thread Wladimir
> > In any case, I think wallet users want to know when an upgrade is > available, and ability to click an 'update' button get a binary they can > trust. It's not a problem unique to bitcoind, deterministic builds are > awesome, but I don't think fully solve it. > Deterministic builds are one part

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2014-01-01 Thread Jeremy Spilman
So I looked into gitian, the first thing I noticed was the hashes that people were signing, for example: https://github.com/bitcoin/gitian.sigs/blob/master/0.8.6-win32/gavinandresen/bitcoin-build.assert don't match the hash of the file 'bitcoin-0.8.6-win32-setup.exe' actually hosted by s

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-31 Thread Matt Corallo
We already have a wonderful system for secure updating - gitian-downloader. We just neither use it nor bother making actual gitian releases so anyone can use it to verify signatures of downloads. Jeremy Spilman wrote: >I didn't know about the dedicated server meltdown, it wasn't any of my > >i
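The two messages above (Jeremy Spilman finding that the hashes in a signed gitian build.assert do not match the file actually hosted, and Matt Corallo pointing at gitian-downloader as the intended way to verify downloads) describe the same check: hash the file you downloaded and count how many independent signers attested exactly that hash. The following is an added example, not code from bitcoin.org, gitian or gitian-downloader. It assumes a gitian-style assert file whose `out_manifest:` block lists `<sha256>  <filename>` lines; the signer names, file name and file contents are constructed for the example. Signature checking is delegated to `gpg --verify` against a pinned keyring and is not exercised offline here.

```python
import hashlib
import subprocess
from collections import Counter

# Constructed sample standing in for the hosted installer; not a real binary.
RELEASE_NAME = "example-0.8.6-win32-setup.exe"
RELEASE_BYTES = b"constructed stand-in for a release installer\n"
GOOD_DIGEST = hashlib.sha256(RELEASE_BYTES).hexdigest()
# A third signer built (or signed) something else, so its hash differs.
OTHER_DIGEST = hashlib.sha256(b"a different build\n").hexdigest()


def make_assert(digest: str, name: str) -> str:
    """Build a minimal gitian-style build.assert text (assumed layout)."""
    return (
        "---\n"
        "out_manifest: |\n"
        f"  {digest}  {name}\n"
        "in_manifest: |\n"
        "  0000000000000000000000000000000000000000000000000000000000000000  inputs.tar.gz\n"
    )


# Hypothetical signer name -> text of that signer's build.assert.
ASSERTS = {
    "signer-a": make_assert(GOOD_DIGEST, RELEASE_NAME),
    "signer-b": make_assert(GOOD_DIGEST, RELEASE_NAME),
    "signer-c": make_assert(OTHER_DIGEST, RELEASE_NAME),
}


def parse_out_manifest(assert_text: str) -> dict:
    """Return {filename: sha256} from the out_manifest block.

    Assumption: the block is `out_manifest: |` followed by indented
    `<hash>  <name>` lines and ends at the next unindented key.
    """
    out = {}
    in_block = False
    for line in assert_text.splitlines():
        if line.startswith("out_manifest:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith((" ", "\t")):
                break  # next top-level key ends the block
            parts = line.split()
            if len(parts) == 2:
                out[parts[1]] = parts[0].lower()
    return out


def gpg_verify(sig_path: str, data_path: str, keyring: str) -> bool:
    """Check a detached signature against a pinned keyring, not the default
    one, so only keys the user deliberately imported count. Run this on each
    assert before trusting it; it is not called in the offline demo below."""
    result = subprocess.run(
        ["gpg", "--no-default-keyring", "--keyring", keyring,
         "--verify", sig_path, data_path],
        capture_output=True,
    )
    return result.returncode == 0


def attesters_for(filename: str, digest: str, asserts: dict) -> list:
    """Signers whose assert lists `filename` with exactly `digest`."""
    return sorted(signer for signer, text in asserts.items()
                  if parse_out_manifest(text).get(filename) == digest)


def verify_download(data: bytes, filename: str, asserts: dict, threshold: int):
    """Hash the downloaded bytes and require `threshold` independent signers
    to have attested that hash. Returns (ok, digest, attesters, claimed),
    where `claimed` counts what the signers say the hash should be, which is
    what you want to see when a hosted file does not match its asserts."""
    digest = hashlib.sha256(data).hexdigest()
    attesters = attesters_for(filename, digest, asserts)
    claimed = Counter(parse_out_manifest(t).get(filename) for t in asserts.values())
    return len(attesters) >= threshold, digest, attesters, claimed


if __name__ == "__main__":
    ok, digest, who, claimed = verify_download(RELEASE_BYTES, RELEASE_NAME, ASSERTS, 2)
    print("download ok:", ok, "attested by:", who)
    ok, digest, who, claimed = verify_download(RELEASE_BYTES + b"x", RELEASE_NAME, ASSERTS, 2)
    print("tampered ok:", ok, "signers claim:", dict(claimed))
```

The check runs outside the artifact being verified: the downloaded file never hashes itself, and the asserts are fetched and signature-checked independently of the download host, so an attacker who controls only the hosted file (or only the web server) cannot also alter the test that catches the substitution.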

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-31 Thread Jeremy Spilman
I didn't know about the dedicated server meltdown, it wasn't any of my infra. Anyway, my previous offer still stands. One less 'security theater' approach would be if we could provide forward-validation of updates using the blockchain. It's always going to be up to the user the first time they inst

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-31 Thread Mike Hearn
> > The site was actually moved onto a dedicated server temporarily and it > melted down under the load. I wouldn't call that no progress. > Oh, it did? When was that? I must have missed this excitement :) Any idea how much load it had? Perhaps I wasn't clear on the point I was making Drak's thr

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-31 Thread Gregory Maxwell
On Tue, Dec 31, 2013 at 5:59 AM, Mike Hearn wrote: > but moving to different ones is > controversial, hence no progress :) The site was actually moved onto a dedicated server temporarily and it melted down under the load. I wouldn't call that no progress. Perhaps I wasn't clear on the point I w

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-31 Thread Benjamin Cordes
Interesting. I think the original BitDNS discussion was more interesting than what currently is happening with namecoin, see https://bitcointalk.org/index.php?topic=1790.0 Satoshi said there: "1) IP records don't need to be in the chain, just do registrar function not DNS. And CA problem solved,

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-31 Thread Mike Hearn
Given that hardly anyone checks the signatures, it's fair to say downloads aren't protected by anything at the moment. SSL for downloads can only raise the bar, never lower it, and if the NSA want to kick off the process of revoking some of the big CA's then I'm game (assuming anyone detects it of

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-31 Thread Gregory Maxwell
On Tue, Dec 31, 2013 at 5:39 AM, Drak wrote: > The NSA has the ability, right now to change every download of bitcoin-qt, > on the fly and the only cure is encryption. Please cut it out with the snake oil pedaling. This is really over the top. You're invoking the NSA as the threat here? Okay. The

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-31 Thread Drak
Has anyone seen the talk at 30c3 on the current NSA capabilities? https://www.youtube.com/watch?v=b0w36GAyZIA Specifically they are able to "beat the speed of light" between you and a website such that if you communicate with Bob, they can send competing packets that will arrive before Bob's packe

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-12 Thread Adam Back
I think the one thing that SSL does provide is some protection against ARP or DNS poisoning to trick the user into downloading from a different site. The PGP WoT surrounding bitcoin or OS related ISOs be weak - I am not sure if I could even check it directly myself despite spending a few hours tra

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-10 Thread Odinn Cyberguerrilla
I've been lurking on this convo since it began, but I wanted to say thanks, theymos cheers to you all and yay for decentralization, wherever it leads. -odinn muh latest: http://github.com/ABISprotocol/ABIS > On Sun, Dec 8, 2013, at 03:11 PM, Drak wrote: > > It's not just about trust, there is th

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-09 Thread Roy Badami
> The bitcoin.org domain is controlled by me, Sirius, and an anonymous > person. Control will not be lost if Sirius becomes unavailable. I know this will be a controversial viewpoint in some quarters, but I'm not a fan of anonymity, or of pseudonyms. As far as I know (please correct me if I'm wro

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Jeremy Spilman
I can provide the server hardware and colocation (space, power, and bandwidth) if dedicated 50Mbit in 55 S. Market, San Jose, CA data center is acceptable. If it needs more bandwidth than that, in a few months I hope to be getting space in LA with 1Gbit, but I can't commit to that now. On Sun, Dec 8

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Jeff Garzik
On Sun, Dec 8, 2013 at 8:03 PM, Mike Hearn wrote: > I bring this up because of the recent bitcointalk fiasco. AFAIK the domains > are registered and controlled in the same way. It's likely that the current > registrar isn't very secure. I registered bitcointalk.org originally, then passed along c

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Saïvann Carignan
> > 4) Who admins it? > > Obviously, I thought it would be important that the server is owned by > someone who can be trusted, with ssh access for all core developers. > > > That is a really bad idea. If there is not a CLEAR answer to "who > admins it", there will be a bunch of "I t

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Taylor Gerring
Maybe bitcointalk.org would like to donate a few BTC from the 6,000 BTC "new forum" fund to sponsor hosting? On Dec 8, 2013, at 5:51 PM, theymos wrote: > I'm sure that you can find a sponsor for a dedicated server.

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Patrick
Have you considered black lotus dedicated servers? On 12/08/2013 03:16 PM, Saïvann Carignan wrote: >> Issues that would need to be resolved: >> >> 1) Who pays for it? Most obvious answer: Foundation. However there's >> currently a fairly clear line between the foundation website and the >> bitcoin

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread theymos
On Sun, Dec 8, 2013, at 03:11 PM, Drak wrote: It's not just about trust, there is the robustness factor: what if he becomes sick, unavailable, hit by a bus? Others need the ability to pickup and run with it. The control over the domain (including ability to renew registration, alter nameservers) n

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Luke-Jr
On Sunday, December 08, 2013 9:16:09 PM Saïvann Carignan wrote: > > 1) Who pays for it? Most obvious answer: Foundation. However there's > > currently a fairly clear line between the foundation website and the > > bitcoin.org website. I personally am fine with the > > bitcoin f

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Mike Hearn
> That's an interesting question. The bitcoin.org domain is hiding > behind a WhoisGuard anonymous registration. Why are we not allowed to > know who this domain belongs to? Why are we being asked to trust some > unidentified party? It's done that way because it was originally registered by Sa

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Robert McKay
On Sun, 8 Dec 2013 13:14:44 -0800, Gregory Maxwell wrote: > On Sun, Dec 8, 2013 at 1:07 PM, Drak wrote: >> Simple verification relies on being able to answer the email sent to >> the >> person in the whois records, or standard admin/webmaster@ addresses >> to prove >> ownership of the domain > >

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Gavin Andresen
> > > 4) Who admins it? > > Obviously, I thought it would be important that the server is owned by > someone who can be trusted, with ssh access for all core developers. > That is a really bad idea. If there is not a CLEAR answer to "who admins it", there will be a bunch of "I thought YOU were ap

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Roy Badami
> > 5) Who controls DNS for it? > > I'm not sure we'll get any change on this level. I have no idea if the > domain is in good hands, except for the fact that nothing bad happened > thus far. If anything, moving it to core developers (as intended when > the domain was registered) would make more s

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Mark Friedenbach
I too would be against the foundation taking control of hosting or the domain. I have no reason at this time not to trust them, but checks and balances are a good thing. On Dec 8, 2013 12:29 PM, "Mike Hearn" wrote: > Issues that would need to be resolved: > > 1) Who pays for it? Most obvious answe

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Saïvann Carignan
> Issues that would need to be resolved: > > 1) Who pays for it? Most obvious answer: Foundation. However there's > currently a fairly clear line between the foundation website and the > bitcoin.org website. I personally am fine with the > bitcoin foundation funding the websi

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Gregory Maxwell
On Sun, Dec 8, 2013 at 1:07 PM, Drak wrote: > Simple verification relies on being able to answer the email sent to the > person in the whois records, or standard admin/webmaster@ addresses to prove > ownership of the domain Godaddy and many other CA's are verified from nothing other than a http f

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Drak
On 8 December 2013 21:01, Luke-Jr wrote: > On Sunday, December 08, 2013 8:51:07 PM Drak wrote: > > Otherwise, who has admin rights to the code projects > > (github/sourceforge/this mailing list)? Those people have proven they can > > be trusted so far. > > Can someone explain how Sirius has prove

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Gregory Maxwell
On Sun, Dec 8, 2013 at 12:51 PM, Drak wrote: > What do you suggest though? We will need to trust someone (even in a group > each person can act autonomously). > The only thing I can suggest would be to hand the keys to the bitcoin > project lead. > > Otherwise, who has admin rights to the code pro

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Drak
On 8 December 2013 20:50, Gregory Maxwell wrote: > Sadly this isn't true: There are (many) CAs which will issue a > certificate (apparently sometime within minutes, though last > certificate I obtained took a couple hours total) to anyone who can > respond to http (not https) requests on behalf

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Luke-Jr
On Sunday, December 08, 2013 8:51:07 PM Drak wrote: > Otherwise, who has admin rights to the code projects > (github/sourceforge/this mailing list)? Those people have proven they can > be trusted so far. Can someone explain how Sirius has proven the least bit untrustworthy? Luke

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Drak
On 8 December 2013 20:40, Gregory Maxwell wrote: > On Sun, Dec 8, 2013 at 12:28 PM, Mike Hearn wrote: > > Right now I think Sirius still owns DNS for bitcoin.org which is > nonsense. > > He needs to pass it on to someone who is actually still involved with the > > project. Again, the most obviou

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Gregory Maxwell
On Sun, Dec 8, 2013 at 12:40 PM, Drak wrote: > Let me clarify. SSL renders BGP redirection useless because the browser > holds the signatures of CA's it trusts: an attacker cannot spoof a > certificate because it needs to be signed by a trusted CA: that's the point > of SSL, it encrypts and proves

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Drak
On 8 December 2013 19:25, Gregory Maxwell wrote: > On Sun, Dec 8, 2013 at 11:16 AM, Drak wrote: > > BGP redirection is a reality and can be exploited without much > > You're managing to argue against SSL. Because it actually provides > basically protection against an attacker who can actively in

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Gregory Maxwell
On Sun, Dec 8, 2013 at 12:28 PM, Mike Hearn wrote: > Right now I think Sirius still owns DNS for bitcoin.org which is nonsense. > He needs to pass it on to someone who is actually still involved with the > project. Again, the most obvious neutral candidate would be the Foundation. I am opposed to

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Mike Hearn
Issues that would need to be resolved: 1) Who pays for it? Most obvious answer: Foundation. However there's currently a fairly clear line between the foundation website and the bitcoin.org website. I personally am fine with the bitcoin foundation funding the website, it's a lot closer to the bitco

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Gregory Maxwell
On Sun, Dec 8, 2013 at 11:16 AM, Drak wrote: > BGP redirection is a reality and can be exploited without much You're managing to argue against SSL. Because it actually provides basically protection against an attacker who can actively intercept traffic to the server. Against that threat model SSL

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Drak
On 8 December 2013 12:37, Luke-Jr wrote: > Encryption is useless here. We want everyone to be able to download Bitcoin > clients. Binaries on sourceforge are signed by multiple parties using > gitian. > > > Decentralization: > > So long as we actually use DNS, the website is centralized :( Howeve

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Gregory Maxwell
On Sun, Dec 8, 2013 at 2:00 AM, Drak wrote: > There is really no excuse for not using an SSL certificate. Without one it > would be trivial for an attacker to change the contents of the page via > MITM. Having control of the site gives you a cert regardless, as several CAs will issue a cert to an

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Wladimir
On Sun, Dec 8, 2013 at 2:17 AM, Saïvann Carignan wrote: > I would like to know what are your thoughts on moving bitcoin.org on a > dedicated server with a SSL certificate? > Good idea. If anything, these days, not using https is sort of a smell for sites that security is not being taken seriousl

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Luke-Jr
On Sunday, December 08, 2013 10:00:35 AM Drak wrote: > Also it's about time we hosted the Bitcoin Qt software at Github. They have > a releases feature where you can upload a packaged release (see > https://github.com/blog/1547-release-your-software). There are also no > adverts (another privacy le

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Luke-Jr
On Sunday, December 08, 2013 9:03:38 AM Saïvann Carignan wrote: > Binaries: > Sourceforge is not encrypted, actually. Although binaries hosting / > sharing could be a separate subject discussed later I think. Encryption is useless here. We want everyone to be able to download Bitcoin clients. Bin

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Drak
There is really no excuse for not using an SSL certificate. Without one it would be trivial for an attacker to change the contents of the page via MITM. Recent studies have shown MASSIVE abuse of the BGP routing protocol being used to redirect websites through a third party. This is not a theoretic

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-08 Thread Saïvann Carignan
Forward secrecy: I was definitively already interested in using this. Binaries: Sourceforge is not encrypted, actually. Although binaries hosting / sharing could be a separate subject discussed later I think. Revocation: I guess we could just buy another SSL cert from another CA (I mean, if that

Re: [Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-07 Thread Odinn Cyberguerrilla
Hello, re. the dedicated server for bitcoin.org idea, I have a few thoughts 1) I have commented in a blogpost of August 2013 at https://odinn.cyberguerrilla.org/ with some thoughts relative to possible issues with CA related to bitcoin.org - where I mentioned something relative to the DigiCert cer

[Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

2013-12-07 Thread Saïvann Carignan
I would like to know what are your thoughts on moving bitcoin.org on a dedicated server with a SSL certificate? I am considering the idea more seriously, but I'd like some feedback before taking steps. Saïvann