Serve bitcoin.org over TLS (https) #253

Closed
hickford opened this Issue Oct 3, 2013 · 6 comments


hickford commented Oct 3, 2013

The Bitcoin threat model assumes 'the user has obtained an authentic copy of the software'.

This user would be more confident if bitcoin.org and the downloads were served over TLS.

Right now neither bitcoin.org nor the downloads or checksums are served over https and are thus vulnerable to man-in-the-middle attack.

Contributor

luke-jr commented Oct 3, 2013

HTTPS is a centrally-trusted system.
bitcoin.org is also a centrally operated and maintained website.

Use the gitian signatures to verify downloads. Trust neither HTTPS nor bitcoin.org.

hickford commented Oct 3, 2013

That's true, a MITM in collusion with a certificate authority can attack https (though the CA might be caught later).

But https is still worthwhile--it is thought to protect against less powerful MITM (e.g. Joe Blackhat running a Tor exit node).

Just read about Gitian:

Gitian is a secure source-control oriented software distribution method. This means you can download trusted binaries that are verified by multiple builders.

Gitian uses a deterministic build process to allow multiple builders to create identical binaries. This allows multiple parties to sign the resulting binaries, guaranteeing that the binaries and tool chain were not tampered with and that the same source was used. It removes the build and distribution process as a single point of failure.

That's very cool, but still the majority of users install Bitcoin (exactly like other software) by downloading binaries from the web. The norm to secure this is to host the downloads on https. Exactly how secure this is, only time will tell, but we can hope it's better than nothing.
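An added example (not part of the original thread and not Gitian's own code) of the multi-builder check described in the comment above: a download is accepted only if enough independent builders attest to the same SHA-256 digest. The manifest format is a simplified, constructed `sha256sum`-style listing, the builder and file names are hypothetical, and each manifest is assumed to have already passed PGP signature verification against its builder's key.

```python
import hashlib

def parse_manifest(text):
    """Parse 'sha256  filename' lines (sha256sum style) into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        entries[name] = digest
    return entries

def verify_download(data, filename, manifests, quorum):
    """Return the sorted builders whose attested digest matches `data`.

    manifests: {builder_name: manifest_text}; signature verification of each
    manifest is assumed to have happened before this function is called.
    Raises ValueError if builders disagree or fewer than `quorum` match.
    """
    actual = hashlib.sha256(data).hexdigest()
    attested = {}
    for builder, text in manifests.items():
        digest = parse_manifest(text).get(filename)
        if digest is not None:
            attested[builder] = digest
    # With a deterministic build, every honest builder reports the same digest.
    if len(set(attested.values())) > 1:
        raise ValueError(f"builders disagree on {filename}: {attested}")
    matching = sorted(b for b, d in attested.items() if d == actual)
    if len(matching) < quorum:
        raise ValueError(f"only {len(matching)} builder(s) attest to this file, need {quorum}")
    return matching

# Constructed sample data: a stand-in "binary" and three builder manifests.
SAMPLE_NAME = "example-1.0-linux.tar.gz"  # hypothetical file name
SAMPLE_BINARY = b"constructed stand-in for a release binary\n"
_GOOD = hashlib.sha256(SAMPLE_BINARY).hexdigest()
SAMPLE_MANIFESTS = {b: f"{_GOOD}  {SAMPLE_NAME}\n"
                    for b in ("builder-a", "builder-b", "builder-c")}

if __name__ == "__main__":
    print(verify_download(SAMPLE_BINARY, SAMPLE_NAME, SAMPLE_MANIFESTS, quorum=2))
```
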

Contributor

saivann commented Oct 3, 2013

I agree that https is better (while not a replacement for gitian / PGP signatures).

However, there is just no such thing as a long-term funded DDoS protected dedicated server under control of core developers with enough bandwidth to serve binary files. I am also not aware if sourceforge can be replaced that easily for developers, or if sirius would be available to update the DNS.

Contributor

saivann commented Feb 2, 2014

Closing this issue; bitcoin.org is now served over https

@saivann saivann closed this Feb 2, 2014

hickford commented Feb 2, 2014

Good work. Consider deploying HSTS to frustrate SSL stripping
https://www.imperialviolet.org/2012/07/19/hope9talk.html


Contributor

luke-jr commented Feb 2, 2014

HSTS seems to break plain-old-HTTP access, without adding any real security.
