Hopefully we are all aware that we should exercise caution when downloading programs from the internet.
There have been plenty of cases of malicious software being distributed via the web, and even of legitimate programs being tampered with so that they carry an unexpected payload that compromises the computer which downloaded them.
To reduce the chances of downloading a poisoned program, the normal advice is to go to the original publisher and, for additional security, verify that the download matches what the vendor says it should be by checking that the binaries are correctly digitally signed.
Members of the Bitcoin community might want to bear this in mind today – in particular if they are in the habit of downloading executable versions of the Bitcoin Core client software from Bitcoin.org, rather than taking the recommended approach of compiling the open source software themselves.
The website Bitcoin.org published an advisory warning users to be particularly vigilant when downloading the upcoming 0.13.0 release of Bitcoin Core.
Bitcoin.org has reason to suspect that the binaries for the upcoming Bitcoin Core release will likely be targeted by state sponsored attackers. As a website, Bitcoin.org does not have the necessary technical resources to guarantee that we can defend ourselves from attackers of this caliber. We ask the Bitcoin community, and in particular the Chinese Bitcoin community to be extra vigilant when downloading binaries from our website.
The obvious fear is that a tampered version of the Bitcoin Core could lead to users losing the contents of their digital wallets, or see compromised computers hijacked into launching other attacks against the Bitcoin network.
Sensibly, Bitcoin.org recommends that everyone downloading the Bitcoin Core binaries verify their cryptographic signatures before running them on their computers.
The hashes of Bitcoin Core binaries are cryptographically signed with this key.
We strongly recommend that you download that key, which should have a fingerprint of 01EA5486DE18A882D4C2684590C8019E36C2E964.
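The two checks the advisory describes, in code. This is an added illustration, not code from Bitcoin.org or the Bitcoin Core project: it assumes the signed file is a SHA256SUMS-style manifest verified with `gpg --status-fd 1 --verify`, and it checks the signer's full fingerprint from gpg's `VALIDSIG` status line rather than settling for "Good signature" (which only means some key in the local keyring verified the file). The sample manifest, gpg status output, filename and tarball bytes below are constructed stand-ins, not real release artefacts; only the fingerprint comes from the advisory.

```python
import hashlib
import re
import subprocess
from pathlib import Path
from typing import Dict, Optional

# Key fingerprint quoted in the Bitcoin.org advisory above.
EXPECTED_FPR = "01EA5486DE18A882D4C2684590C8019E36C2E964"

# "[GNUPG:] VALIDSIG <40-hex fingerprint> <date> <timestamp> ..." is the
# machine-readable status line gpg emits for a verified signature.
VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-Fa-f]{40}) ")
# "<64-hex sha256>  <filename>": the line format of a SHA256SUMS manifest.
SUM_LINE_RE = re.compile(r"^([0-9a-f]{64})  (\S+)$")


def signing_fingerprint(gpg_status: str) -> Optional[str]:
    """Fingerprint of the key that produced a valid signature, or None.

    GOODSIG only says that *some* key in the local keyring verified the
    file; a user tricked into importing the wrong key still gets GOODSIG.
    VALIDSIG carries the full fingerprint, which is what must be compared.
    """
    for line in gpg_status.splitlines():
        m = VALIDSIG_RE.match(line)
        if m:
            return m.group(1).upper()
    return None


def signature_is_trusted(gpg_status: str, expected_fpr: str = EXPECTED_FPR) -> bool:
    fpr = signing_fingerprint(gpg_status)
    return fpr is not None and fpr == expected_fpr.replace(" ", "").upper()


def parse_sha256sums(manifest_text: str) -> Dict[str, str]:
    """Map filename -> sha256 hex from a (possibly clear-signed) manifest."""
    sums: Dict[str, str] = {}
    for line in manifest_text.splitlines():
        m = SUM_LINE_RE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1)
    return sums


def file_matches_manifest(data: bytes, name: str, sums: Dict[str, str]) -> bool:
    expected = sums.get(name)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


def verify_download(data: bytes, name: str, manifest_text: str, gpg_status: str) -> bool:
    """Both checks must pass: trusted signer AND a hash that matches the manifest."""
    return signature_is_trusted(gpg_status) and file_matches_manifest(
        data, name, parse_sha256sums(manifest_text))


def gpg_status_for(signed_manifest: Path) -> str:
    """Run gpg on a downloaded signed manifest (SHA256SUMS.asc is an assumed
    name) and return its status output. Assumes gpg is installed and the key
    has already been imported; the offline sample below does not call this."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", str(signed_manifest)],
        capture_output=True, text=True, check=False)
    return proc.stdout


# --- constructed sample inputs (not real release artefacts) ---------------
SAMPLE_NAME = "bitcoin-0.13.0-example.tar.gz"          # constructed filename
SAMPLE_DATA = b"constructed stand-in for a release tarball\n"
SAMPLE_MANIFEST = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
    f"{hashlib.sha256(SAMPLE_DATA).hexdigest()}  {SAMPLE_NAME}\n"
    "-----BEGIN PGP SIGNATURE-----\n(constructed, omitted)\n-----END PGP SIGNATURE-----\n"
)
# Status output shaped like gpg's for a signature from the expected key
# (date, timestamp and user id are constructed).
SAMPLE_STATUS_OK = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 90C8019E36C2E964 Constructed Key <test@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {EXPECTED_FPR} 2016-01-01 1451606400 0 4 0 1 10 00 {EXPECTED_FPR}\n"
)
# A "good" signature from some other key that happens to be in the keyring.
SAMPLE_STATUS_WRONG_KEY = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Constructed Other Key <other@example.invalid>\n"
    "[GNUPG:] VALIDSIG 00000000000000000000000000000000DEADBEEF 2016-01-01 1451606400 0 4 0 1 10 00\n"
)

if __name__ == "__main__":
    print("trusted signer, hash ok:", verify_download(SAMPLE_DATA, SAMPLE_NAME, SAMPLE_MANIFEST, SAMPLE_STATUS_OK))
    print("wrong signer:           ", verify_download(SAMPLE_DATA, SAMPLE_NAME, SAMPLE_MANIFEST, SAMPLE_STATUS_WRONG_KEY))
    print("tampered file:          ", verify_download(SAMPLE_DATA + b"x", SAMPLE_NAME, SAMPLE_MANIFEST, SAMPLE_STATUS_OK))
```

The point of keeping the fingerprint comparison separate from the hash comparison is that a swapped binary fails the second check, while a manifest re-signed by an attacker's own key passes gpg's "Good signature" but fails the first; a download is accepted only when both hold.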
Quite what spurred Bitcoin.org to release its warning is currently unclear, as they have not shared their reasons for suspecting a state-sponsored attacker is likely to target them. However, they do hint that the “origin of the attackers” suggests that Chinese users are most at risk.
As such, whether the warning is an over-reaction or not is difficult to judge.
Eric Lombrozo, a contributor to Bitcoin Core, appeared to be advising Bitcoin users not to panic in a statement reported by The Register:
“The maintainer of the bitcoin.org site (which is unaffiliated with the Bitcoin Core project itself) posted an advisory of an apparent threat he’s been informed about – without consulting anyone else. Why this was done is uncertain, but verifying cryptographic signatures for builds is generally recommended practice in any case…”
“Perhaps certain sites where people download the binaries could end up getting compromised, but let’s not unnecessarily spread paranoia about the Bitcoin Core binaries themselves.”
The fact that Bitcoin.org’s maintainer posted the warning without consulting with other members of the community makes me think that it might be sensible to take the warning with a small pinch of salt. But it doesn’t, in itself, say that the warning is mistaken.
One thing is clear: Bitcoin users are once again being spooked by security fears. And nervousness isn’t good news for any currency – digital or otherwise.