On 8 December 2013 20:50, Gregory Maxwell <gmaxwell@gmail.com> wrote:

Sadly this isn't true: There are (many) CAs which will issue a

certificate (apparently sometime within minutes, though last
certificate I obtained took a couple hours total) to anyone who can
respond to http (not https) requests on behalf of the domain from the
perspective of the CA.

Simple verification relies on being able to answer the email sent to the person in the whois records, or standard admin/webmaster@ addresses to prove ownership of the domain. This is a good point to note - bitcoin.org should not get a simple certificate, but one that requires identify verification for the person/org who is applying. They are more expensive.

This means you can MITM the site, pass all traffic through except the
HTTP request from the CA, and start intercepting once the CA has
signed your certificate. This works because the CA does nothing to
verify identity except check that the requester can control the site.

If you'd like to me to demonstrate this attack for you I'd be willing—
I can provide a proxy that passes on :80 and :443, run your traffic
through it and I'll get a cert with your domain name.

You cannot MITM SSL connections - it will cause a browser warning.

I do not have the means, but it has been demonstrated some people are performing BGP redirections, daily, and on a massive scale... and it's a problem, because BGP was designed on implicit trust.

I'm sorry for the tangent here— I think this sub-discussion is really
unrelated to having Bitcoin.org behind SSL— but "someone is wrong on
the internet", and its important to know that SSL hardly does anything
to reduce the need to check the offline signatures on the binaries.

You are right that the CA system is not full-proof, one CA was caught issuing a bogus certificate on purpose a while back, I forgot the name but it resulted in CA certificate revokation and the entire company being blacklisted from Firefox and Google Chrome forever - basically a summary corporate execution. I personally imagine the CIA or other state actor could just quietly buy up an already trusted CA and abuse them. But it's clear, people are watching, and if a CA is caught once, that's the end of their business forever: Firefox and Google demonstrated that. The strategy is possibly too expensive and risky to carry off which is maybe why they don't do it.

What has been noted with all the Snowden leaks, and with the Lavabit case, the security agencies did not get bogus certificates issued, they still got court orders, or other deception to get hold of the encryption certificates of their targets instead of issuing their own so they could listen in.

The CA system is not full proof, but it is what we have. Similar arguments have been made against the use of identity certificates for bitcoin, but that hasnt stopped it's inclusion in the bitcoin payment protocol.

Anyway, I take your points, but this is an area I am quite passionate about so it's important for me to be clear.

Regards,

Drak