Hello,
I was a bit alarmed by these two posts some weeks ago:
In the first case, basically somebody registered a PGP key which at first glance looked like the signing key from Gavin Andresen. Such a key could be used to sign malware which appears as the true bitcoin client. This would only be detected if people check carefully. If people do NOT check it - maybe rushing in a situation where the network needs a quick fix - the consequences could be truly disastrous.
In the second case, the Electrum website was actually faked to distribute malware which was camouflaged as the Electrum client. If people install such a client, it could send their bitcoins anywhere - this kind of attack can really cause a lot of grief, too.
Note that in some simple setups, it might be possible to recognize the faked web site by its address, but in other cases, this will not be possible - think of insidious attacks on home routers or exploits of the recent Apple "goto" bug, which essentially disables SSL protection.
In these cases, and whenever youinstall bitcoin software, it is always important to check for digital signatures of the maintainers, which can warrant the authenticity of the code. And, doing this properly includes verification of their keys.
To make it short, I was newly installing Electrum and I decided to do it right and to look after the digital signatures and whether the signatures properly certified in a web of trust. Now, trust paths can be looked up by databases like these:
It works so that in the "from" field, you enter YOUR key ID (which needs to be connected to the web of trust graph). In the "to" field, you enter the key ID of the signing key for the software. Now, you should be able to find at least one trust path from you to the signing key for the software. For example, if Mark Shuttleworth wants to verify the key of Gavin Andresen, he enters his key ID: D54F0847 into the "from" field, and Gavin's key - 1FC730C1 - into the "to" field. This will look as here:
The trouble is, if Mark looks up the key for ThomasV, this looks so:
that is currently, no trust paths to ThomasV's key are found. The same is true for Jim Burton, maintainer of Multibit.
In other words, ThomasV's key cannot be verified, if somebody does not has other means. Well, somebody could look into the bitcoin forum - but first, the forum can be and has been hacked. And second, a forum identity does not mean much. Pirateat40 had an account, too, as well as the owner of bitcoinica.
I do not suspect the developers of working in an evil plot, but honestly, I'd really like to know a bit more.
Now, I have a few questions:
Who knows ThomasV ? Can a few prominent GPG users from the Bitcoin community who know him kindly sign his key and connect him to the larger web-of-trust ? Otherwise, it would be much more difficult to thwart attacks like against Gavin.
What do we know about Electrum's (and MultiBit's) developers? What is actually their expertise? Doing crypto well is damn hard. Why should we assume that the have the technical astuteness to move many many coins around safely?
Bitcoin-qt has been audited many many times by knowledgeable people. Has the Electrum source code been audited as well? To which degree? Has it been audited at all?
Thanks!
submitted by DrunkRaven
[link] [15 commentaires]
from Bitcoin http://ift.tt/1ofwjcJ
Aucun commentaire:
Enregistrer un commentaire