[Bitcoin-development] Dedicated server for bitcoin.org, your thoughts?

Gregory Maxwell gmaxwell at gmail.com
Sun Dec 8 16:51:50 UTC 2013


On Sun, Dec 8, 2013 at 2:00 AM, Drak <drak at zikula.org> wrote:
> There is really no excuse for not using an SSL certificate. Without one it
> would be trivial for an attacker to change the contents of the page via
> MITM.

Having control of the site gives you a cert regardless, as several CAs
will issue a cert to anyone who can make a http page appear at a
specific URL at the domain when requested via the CA over http.

It really is darn near pretextual security in this kind case— only
protecting you against attacks near the client, not the server— but as
Wladimir says, it's expected and I don't see how it would be a harm.

The revocation argument is somewhat interesting, especially since any
such site should use HSTS or otherwise a downgrade attack is trivial.




More information about the bitcoin-dev mailing list