# Gavin Andresen # 2015-01-16 15:42:42 # https://bitcointalk.org/index.php?topic=924869.msg10176516#msg10176516

Even in that case, the certificate is "**a**" weak link, not "**the**" weak link. Think through what would have to fail to pull off a steal-bitcoins attack in the multisig-wallet case:

1) User has to be directed to an attacker-controlled payment website. That means either DNS lookup is compromised or the user's connection to the Internet is compromised (weak link number 1).

2) Attacker serves up a signed PaymentRequest with a valid certificate signed by a compromised root certificate authority (weak link number 2).

If the attacker can accomplish (1), it is likely they would just serve up unsigned payment requests from a non-secure website and bet that the user doesn't notice the lack of a padlock in the web browser UI and agrees to pay to an unauthenticated bitcoin address.

~~(1) is mitigated if the payment website uses HSTS headers so any repeat visitors get an HTTPS connection -- that pushes the attack to "must compromise both the connection and be able to spoof the web server certificate".~~ Strike that, if their computer is compromised HSTS headers won't help.

In any case, I wouldn't say the root certificates are a single point of failure.