Gavin Andresen - 2015-01-16 15:42:42

@s{quotedtext} @s{quotedtext}
Even in that case, the certificate is "a" weak link, not "the" weak link. Think through what would have to fail to pull off a steal-bitcoins attack in the multisig-wallet case:

1) User has to be directed to an attacker-controlled payment website. That means either DNS lookup is compromised or the user's connection to the Internet is compromised (weak link number 1).

2) Attacker serves up a signed PaymentRequest with a valid certificate signed by a compromised root certificate authority (weak link number 2).


If the attacker can accomplish (1), it is likely they would just serve up unsigned payment requests from a non-secure website and bet that the user doesn't notice the lack of a padlock in the web browser UI and agrees to pay to an unauthenticated bitcoin address.

(1) is mitigated if the payment website uses HSTS headers so any repeat visitors get a HTTPS connection-- that pushes the attack to "must compromise both the connection and be able to spoof the web server certificate".  Strike that, if their computer is compromised HSTS headers won't help.

In any case, I wouldn't say the root certificates are a single point of failure.