Author: Gregory Maxwell 2013-03-03 20:02:24
Published on: 2013-03-03T20:02:24+00:00
In an email conversation, Roy Badami suggested having a secure page at bitcoin.org instead of sending users to GitHub, and recommended getting certificates from Namecheap. He also proposed that this secure page on bitcoin.org list the MD5 hashes of the binaries for those who are "too lazy (not paranoid enough)" to use GPG. However, it was pointed out that an HTTPS page is not a replacement for GPG: anyone who can MITM the server can easily obtain a fraudulent certificate at moderate cost and time, because many CAs verify authority over a domain by having the requester place a file at an HTTP path on that domain. The current CA model therefore only prevents interception by those who cannot intercept traffic generally, and only helps with the evil hotspot / Tor exit problem.
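The argument above as an added Python example, not code from the email thread or from the Bitcoin project: an interceptor who controls what the domain serves swaps the binary and the hash page together, so the hash check still passes, while a signature checked against a key obtained out of band fails. A Lamport one-time signature over SHA-256 stands in for GPG so the block needs only the standard library, SHA-256 stands in for the MD5 hash page, and all names and byte strings are constructed.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets and their hashes."""
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    pk = [[H(a), H(b)] for a, b in sk]
    return sk, pk

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit; the key must never sign a second message.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = digest_bits(msg)
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))

def hash_page_ok(served) -> bool:
    # The "lazy" check: compare the download with the hash shown on the same site.
    return hashlib.sha256(served["binary"]).hexdigest() == served["hash_page"]

def simulate():
    sk, pk = keygen()  # assumption: pk reached the user out of band; sk stays offline
    release = b"constructed release binary"
    honest = {"binary": release,
              "hash_page": hashlib.sha256(release).hexdigest(),
              "sig": sign(sk, release)}
    # An interceptor holding a fraudulent certificate controls every byte served
    # under the domain, so the binary and the hash page change together. It has
    # no signing key, so the most it can do is replay the genuine signature.
    tampered = b"constructed tampered binary"
    mitm = {"binary": tampered,
            "hash_page": hashlib.sha256(tampered).hexdigest(),
            "sig": honest["sig"]}
    return {"honest_hash": hash_page_ok(honest),
            "honest_sig": verify(pk, honest["binary"], honest["sig"]),
            "mitm_hash": hash_page_ok(mitm),   # True: tampering goes unnoticed
            "mitm_sig": verify(pk, mitm["binary"], mitm["sig"])}  # False: caught

if __name__ == "__main__":
    print(simulate())
```

The outcome does not depend on the hash function: a stronger hash on the page changes nothing when the page itself arrives over the intercepted channel.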
Updated on: 2023-05-19T16:33:22.275476+00:00