Author

Topic: "This connection is untrusted" - bitaddress.org (Read 2087 times)

legendary
Activity: 1512
Merit: 1036
November 18, 2013, 04:19:27 PM
#10
download in Windows from github, put on separate USB, then boot via Ubuntu USB, leave Internet unconnected, verify the file hash on the ubuntu machine, then run the bitaddress file from separate USB

So I did a bit of googling/youtubing and know how I can check the md5 hash and sha1 hash of a file. Only problem is, I don't see any hash in the readme file or anywhere else. Where is the hash found? 

And what file should I be hashing?  The bitaddress.org.html file?  The zip file?
Obviously incomplete advice, you also need to verify the signature of the file containing hashes.

The URL is redirected when loading off bitaddress.org to include a release and SHA1:
https://www.bitaddress.org/bitaddress.org-v2.6.2-SHA1-4d98755d7e78caa4361228a2b11b0faa0f65e6de.html

"release notes" is signed by "ninja" using PGP, and contains a SHA-1 hash of each "release":
https://www.bitaddress.org/pgpsignedmsg.txt

However, the private key for ninja is also only found on the web page, I don't see an MIT link, etc:
https://www.bitaddress.org/ninja_bitaddress.org.txt

This means that all content on the website could be diligently replaced by a hacker with no means of detection.

When you download from github to your drive and then load the file in your browser:

https://raw.github.com/pointbiz/bitaddress.org/master/bitaddress.org.html

and then verify the signature and hash provided on bitaddress.org, at least then both sites have to agree on the same SHA1 hash. You can also see when the bitaddress.org.html was last modified, and review the commits to see what changed, such as the last one five days ago:
https://github.com/pointbiz/bitaddress.org/commit/ef1d9614f1c9f11598a603e965f0cbaa7d2f3314

Another question: in bitaddress, under paper wallet, I should be able to bash my keyboard to generate a sufficiently random key pair, right?  I.e., I don't have to roll a die a hundred times or whatever.
You didn't see the instructions "move your mouse around to generate some extra randomness" when you loaded the page?
legendary
Activity: 1040
Merit: 1001
Another question: in bitaddress, under paper wallet, I should be able to bash my keyboard to generate a sufficiently random key pair, right?  I.e., I don't have to roll a die a hundred times or whatever.
legendary
Activity: 1040
Merit: 1001
So I did a bit of googling/youtubing and know how I can check the md5 hash and sha1 hash of a file. Only problem is, I don't see any hash in the readme file or anywhere else. Where is the hash found? 

And what file should I be hashing?  The bitaddress.org.html file?  The zip file?

download in Windows from github, put on separate USB, then boot via Ubuntu USB, leave Internet unconnected, verify the file hash on the ubuntu machine, then run the bitaddress file from separate USB
legendary
Activity: 2058
Merit: 1452
download in Windows from github, put on separate USB, then boot via Ubuntu USB, leave Internet unconnected, verify the file hash on the ubuntu machine, then run the bitaddress file from separate USB
legendary
Activity: 1040
Merit: 1001
Thanks guys!  I'm being super paranoid, but how should I download that file?

1) download in Windows from github, put on separate USB, then boot via Ubuntu USB, leave Internet unconnected, then run the bitaddress file from separate USB?

Or

2) Boot via Ubuntu, connect to internet, download from github, disconnect from Internet, then run bitaddress file?
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
The bitaddress page should be downloaded from the repository and run offline in just about every scenario one can envision:
https://github.com/pointbiz/bitaddress.org

Yes - do this (same goes for brainwallet.org).

To download just click on the "Download ZIP" button on the right side of the page.
legendary
Activity: 1512
Merit: 1036
The site is signed by Comodo CA, which is a less trusted certificate authority (out of over 1000 CA's that your browser gives blind trust to). It is possible that the distro has decided to remove the trust, as others have advocated removing it's trust since they were able to get that CA to issue certificates for domains they don't own, including Mozilla's own site.

http://benjamin.smedbergs.us/blog/2008-12-24/how-to-disable-the-comodo-root-certificate-in-firefox/
https://blog.startcom.org/?p=145

The bitaddress page should be downloaded from the repository and run offline in just about every scenario one can envision:
https://github.com/pointbiz/bitaddress.org
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Just be sure that you save the web page for "offline" usage (which is the only way you should use this kind of website) and disconnect the internet before using the "offline" version (making sure that it won't somehow get automatically connected when doing so).
full member
Activity: 140
Merit: 100
I'm trying to create a paper wallet. I made a Ubuntu boot USB. I booted via said USB. i connected to my home wireless network by entering pass code.

I started Firefox and searched for "bitaddress". First result was bitaddress.org. When I clicked, I received a warning, "This connection is untrusted".  I clicked "add exception". It asked something like "are you sure?"  I freaked out and closed the browser.

Is this normal?

Keep in kind that I'm computer illiterate and have never used Ubuntu before.
Click yeah. The cert might probably be using self signed one. What does the certificate says?
legendary
Activity: 1040
Merit: 1001
I'm trying to create a paper wallet. I made a Ubuntu boot USB. I booted via said USB. i connected to my home wireless network by entering pass code.

I started Firefox and searched for "bitaddress". First result was bitaddress.org. When I clicked, I received a warning, "This connection is untrusted".  I clicked "add exception". It asked something like "are you sure?"  I freaked out and closed the browser.

Is this normal?

Keep in kind that I'm computer illiterate and have never used Ubuntu before.
Jump to: