On Mon, May 06, 2013 at 12:20:12PM -0400, Jeff Garzik wrote:
> > Security will be no worse than before - if any one server/seed is honest
> > you're ok - and hopefully better due to the accountability. Obviously
> 
> Indeed, the DNS seeds are just servers run by trusted individuals anyway.

Yup, and lets be really clear here: what I'm saying about existing DNS
seeds selecting peers from a wider pool isn't to fundementally reduce
the trust in those seeds, it's to reduce the amount of effort the people
*running* the seeds need to expend to return safe results.

> In either case, bitcoinj definitely wants fixing for its over-reliance
> on DNS seeds.  This has been noted as a problem for a while.

Anyway, DNS returns unsigned data usually - DNSSEC is not widely
implemented - so at least an alternative seed system with SSL certs
could provide a way of getting results from the seed to you in the first
place with a different set of vulnerabilities.  (I'm not going to say
it's really more secure - your ISP can MITM your connections to those
remote nodes anyway - but the types of attacks are at least different)

Speaking of, off-topic for this discussion, but in the future
node-to-node communicate should be encrypted and signed, and seeds
should have a mechanism to return the pubkey the node will use for
communication. This would protect against your ISP MITM attacking your
communications with every node. Of course, Tor hidden service nodes do
this already essentially.

-- 
'peter'[:-1]@petertodd.org
000000000000001882c602178bd4dc6501ecd65db1e1380224be98c923043c07