Author

Topic: bitcoin client authentication (Read 984 times)

member
Activity: 95
Merit: 10
February 12, 2013, 03:21:37 AM
#5
I think you may have mis-read my post.

My thesis is that there is not enough guidance on security-hygiene concerning client impersonation.

My suggestion of the blockchain-fingerprint is a potential solution to the problem.  Whether or not it is feasible in that form does not detract from the validity of the thesis.

What the suggestion implies is that there may be a better solution than expecting users to validate clients directly.

Apologies if this is not how you had interpreted my post.
legendary
Activity: 1072
Merit: 1181
February 11, 2013, 04:44:03 PM
#4
What would be really good, would be a client feature that it has to handshake with the mining network, and some tiny fingerprint appear in the block-chain that can then be viewed from a trusted site.  You then know that your client is a real one.

You want the client to validate itself, and tell you has verified it is authentic?

Do you think that someone who distributes a malicious version won't just make it skip that check?
member
Activity: 95
Merit: 10
February 11, 2013, 01:57:56 PM
#3
my worry is that folk won't bother with this.

we need something more convenient for Joe Public.
legendary
Activity: 1526
Merit: 1134
February 11, 2013, 01:01:46 PM
#2
From Bitcoin 0.8 onwards the binaries for Windows and MacOS will be signed by Bitcoin Foundation code-signing certificates. So you can check that using the standard methods your operating system provides. For Linux there are GPG signed builds available. For Android, wallet apps are code-signed by their creators.
member
Activity: 95
Merit: 10
February 11, 2013, 08:56:39 AM
#1
How do we know that the client we are using (eg bitcoin-qt) is authentic and not an impersonator ?

Obviously we can download the source-code , and check the signature as published on bitcoin.org

When I download from source-forge, it is not over HTTPS  -- so I cannot rely on this.


There are no instructions / suggestions for doing this on bitcoin.org.

Maybe some instructions and possibly an HTTPS download site ?


What would be really good, would be a client feature that it has to handshake with the mining network, and some tiny fingerprint appear in the block-chain that can then be viewed from a trusted site.  You then know that your client is a real one.


The problem I am imagining is that someone impersonates the client software, and uses this to gain access to the wallet keys.

As bitcoin becomes more mainstream, the security-knowhow of the average user will drop,  a spoofed client would be terrible news.



Jump to: