Dedicated server for bitcoin.org, your thoughts? [combined summary]


Individual post summaries: Click here to read the original discussion on the bitcoin-dev mailing list

Published on: 2014-01-04T01:43:36+00:00

Summary:

In a series of discussions, the security and integrity of Bitcoin software were explored. One key topic was the importance of checking hash values to prevent attackers from replacing parts of files. Package management systems like apt-secure were seen as useful in ensuring the integrity of software packages at the operating system level. However, there were doubts about the feasibility of binaries checking their own hash. The group concluded that promoting the use of signed .deb packages and secure package management systems would be a better approach to security.Another area of discussion was the security of Bitcoin protocol updates. Suggestions included deterministic builds, threshold signed updates, and using the blockchain for forward-validation. SSL and trusted automatic update notification were also considered. Concerns were raised about the verification of hashes in Bitcoin downloads, particularly the differences between the hashes signed by individuals and the hashes of files hosted on SourceForge. Various solutions were proposed, such as patching signatures onto gitian builds or using gitian-downloader for verifying signatures.The security and control of the bitcoin.org domain were also discussed. There were concerns about the effectiveness of SSL in protecting against attackers intercepting traffic to the server. Some argued that PGP signatures could provide stronger protection. Ownership and administration of the domain were debated, with suggestions to separate it from Github and involve the Bitcoin Foundation. Anonymity in domain registration and trust in the current registrar were also points of concern.The funding, administration, and DNS control of bitcoin.org were addressed. Suggestions were made for the Bitcoin Foundation to fund the website, but clear separation between the foundation's website and bitcoin.org was emphasized. The importance of anti-DoS measures, identifying a trustworthy administrator, and maintaining control over the domain were highlighted.The question of who should have admin rights to code projects on platforms like Github and SourceForge was raised. Some argued for giving admin rights to those who have proven trustworthiness, while others emphasized the need for decentralization and control by multiple individuals. Concerns were raised about having too many important elements of the Bitcoin project under one entity's control.The security of SSL certificates was a topic of discussion, with concerns about MITM attacks and the limitations of the CA system. The importance of offline signature verification on binaries was emphasized. Decentralization and clear ownership over key aspects of the Bitcoin project, such as admin rights, DNS control, and website hosting, were also points of concern.In a separate thread, concerns were expressed about CAs in relation to bitcoin.org. The suggestion of moving the website to a dedicated server with an SSL certificate was discussed to address the lack of encryption and potential issues with CAs. Other concerns about forward secrecy, binaries hosting/sharing, revocation, and decentralization were raised. The idea of using mirrors or other methods to further decentralize the content of bitcoin.org was proposed.Overall, the discussions highlighted the importance of verifying hash values, integrating cryptography with mainstream use, and ensuring the security and reliability of the bitcoin.org website. Various solutions and approaches were proposed, emphasizing the ongoing efforts to enhance the security of Bitcoin software.

Updated on: 2023-08-01T06:48:14.987945+00:00