Author: Peter Todd 2014-03-22 18:21:53
Published on: 2014-03-22T18:21:53+00:00
On March 22, 2014, Mike Hearn shared a blog post about PGP impostors who are creating fake PGP keys to sign popular pieces of crypto software. Such keys could be used to make a MITM attack look more legitimate, possibly one carried out by an intelligence agency. Anyone using PGP to verify Bitcoin downloads must check that they are using the correct key. Bitcoin source and binary downloads are protected by both the PGP WoT and the certificate authority PKI system. The binaries are hosted on bitcoin.org, which is served over HTTPS and protected by the PKI system, and the source code is hosted on GitHub, which is also HTTPS-protected. A MITM attack would therefore need to compromise the PKI system as well, provided users aren't fooled into downloading over HTTP.
Updated on: 2023-06-08T15:41:14.514718+00:00