On Wed, Sep 25, 2013 at 01:35:48PM +0200, Melvin Carvalho wrote:
> On 25 September 2013 13:15, Mike Hearn wrote:
>
> > It won't fit. But I don't see the logic. A URI contains instructions for
> > making a payment. If that instruction is "pay to this address" or "download
> > this file and do what you find there", it's no different unless there's
> > potential for a MITM attack. If the request URL is HTTPS or a secured
> > Bluetooth connection then there's no such possibility.
> >
>
> It depends on the attacker. I think a large entity such as a govt or big
> to medium size corporation *may* be able to MITM https, of course the
> incentive to do so is probably not there ...

...until the Bitcoin payment protocol showed up and let anyone with the
ability to MITM https turn that ability into untraceable cash.

I won't be at all surprised if one of the most valuable things to come
out of the payment protocol using the SSL PKI infrastructure is to give
us a good understanding of exactly how it's broken, and to give everyone
involved good reasons to fix it.

Even if the flaws of SSL PKI were exploited as a way to harm bitcoin by
governments and other large players - and SSL PKI remained unfixed - I'd
much rather have that solid evidence that it was broken than not.

--
'peter'[:-1]@petertodd.org