Tor added 10,000 users which for a country the size of Turkey is lost in the noise. Meanwhile a commercial competitor, HotSpot Shield added about quarter of a million Turkish users in just 12 hours. It'd be nice if the Tor guys made a version that relaxed some of the ultra-paranoid things they do and made a single-hop proxying service for users who don't care much about anonymity and just want to evade censorship.

You appear to think criticising something without having any constructive suggestions for improvement is useful, and that people choose how to invest their spare time based on what "leaders" (there are none, really) pronounce. That's not how things work.

Eh? I was drinking with the executive director of the Foundation and routinely work with Gavin, who is maintainer of the core software. I guess they are the closest you're going to get to "developers and leaders" by your description. Obviously they're concerned about all this. But the alternatives aren't there yet. One Bitcoin developer, Gregory Maxwell, has proposed protocols that allow exchanges to prove solvency - but they're complex and of course, do not address the root problem that large piles of coins make tempting targets for hackers.

Decentralised exchanges are very interesting and the way to go, but the technology to do them well isn't here yet.

People who keep their coins on deposit with an exchange aren't even really Bitcoin users. What they've done is wire money to a company and received an IOU for bitcoins which they then have not exercised. Given that the whole point of the system is that you don't need to trust third parties, it's frustrating to see people turn around and do exactly that (then get burned by exactly the same kind of financial instability that's so common in the existing system).

The other problem is what "trust" means here. Most people would, in the absence of other context, say it means something like "Joe is a good guy and I don't think he's bad or malicious". But what trust really means in the PGP sense is "Joe is capable of securing his private key and verifying identities reliably". That is totally different and impossible to judge based just on social knowledge.

In the CA world we build trust in "Joe" through audits and standards processes to ensure that private keys are stored in hardware modules, root keys are stored offline, keys have threshold access and so on. The standards setters are the developers of widely used programs. Because securing private keys and verifying identities is not particularly interesting there aren't millions of CA's but rather hundreds; still, this turns out to be plenty.

In the WoT world there aren't really any standards and there's no real way to build confidence in any particular WoT member. Also, those members are just as vulnerable to government coercion - perhaps more vulnerable as they lack money for lawyers.

Extend it how? Facebook has the densest social graph in the world and they think two strangers can reach each other within 4 hops, mostly. But that's what it'd be if "everyone in the world" (or close to it) was a part of the WoT. This will never happen or even get close. So in practice you probably don't have a great way to extend your WoT in this way unless you happen to be a part of the very small security geek community, and even then, it's probably not easy.

Keys (and certs) contain email addresses.

But do you really think there is a single US CA out there that would say no to a national security letter requiring them to issue a torproject.org certificate if they actually needed it?

NSL's request data. You're probably thinking of a court order. And of course the answer is no, they'd follow the order. But what makes you think a person taking part in the WoT would refuse a court order where a CA would roll over? Jail time sucks the same for both. The idea that CA's are uniquely vulnerable doesn't really make sense, given that the WoT lets you see who trusts who and serve a court order on anyone in the chain.

Stuxnet actually proves another part of why the CA system is utterly broken. Because they just had to break in *somewhere* in order to get a key signed by *any* CA in order to sign their stuff.

I think you are confused. Yes, Windows will load any driver signed by a member of the Windows hardware program. How else do you think it's supposed to work? Once code is loaded into the kernel it can do anything it likes and theres not much technical way to stop it with current-gen kernels, so there's no way to issue a certificate for one kind of driver but not another kind, it would be meaningless. Regardless, even if there was, the decision about how much power a signing key has for Windows is entirely Microsoft's decision, it has nothing to do with CAs.

I suspect you are thinking of the "any CA can sign for any domain name" issue in SSL. It has both weaknesses and strengths. The weakness is if any CA is compromised, they have full power. The strength is there's lots of competition which helps keeps prices down and makes revocation actually a realistic threat, because the customers of a CA that's about to be revoked DigiNotar style can go to any other CA to get fresh certs. You're never in a situation where the CA you want to revoke is the last man standing for some class of names.

Bitcoin is not an authentication mechanism. If you can prove that a CA is signing bogus certificates for intelligence agencies please do so - nobody had been able to show this so far and it would move the debate forward at a critical time.

You're sort of getting close to what the certificate transparency project does.

So can you find a path to the genuine keys through your personal web of trust?

The thing is, you're wrong and your own post shows that.

Firstly, we have no evidence of any CA being compromised by intelligence agencies despite the obvious appeal to them of doing so. This is remarkable. Despite the huge number of Snowden documents so far none of them have even hinted at compromise of the CA infrastructure. What we have seen a lot of discussion of is ways of circumventing it by stealing private keys directly from end users, and doing MITM on non-SSLd connections of which there are plenty.

Nobody can rule out that some CA is in fact minting false certificates for intelligence agencies. But so far nobody has presented any evidence of it.

Your Stuxnet example proves my point and disproves yours. They didn't use a false certificate there - they hacked the end user (a hardware manufacturer) to obtain their private key. Well guess what, you can steal PGP keys in the same way, nothing magical about that.

Most of Bitcoin's problems aren't with the software. Bitcoin's irrevocable money sends to anonymous remote parties are the con man's dream. At last, you can rip people off without ever giving them enough info to find you. That's why Bitcoin is such a scumbag magnet.

You can turn that around and make the same criticism of credit cards, from the sellers perspective. They're also a scumbag magnet. Trying to sell anything with credit cards is a fraud nightmare. Banks routinely approve transactions that are later reversed due to card detail theft, and the seller is just expected to suck it up. I've seen what big sellers have to do to control fraud. And sellers matter: it takes two to tango!

That said, Bitcoin can theoretically do dispute mediated transactions (where they could be reversed later in case of seller fraud). However the user interfaces and workflows for this are immature and so in practice it's not done much today. Perhaps this year we will see that change.

The point of using such a version number is exactly to remind people that Bitcoin is new and experimental. It's quite possible to understand that something is a risky experiment, yet still take it seriously - these two things are not incompatible.

But, hey, if you want to put your money into a currency which is still getting bug fixes, go right ahead. That's your choice.

Banks and governments routinely have to upgrade banknotes and other forms of security on their own money, which you can see as "fixing bugs" in the sense that the ability to counterfeit is a bug. Development never really stops, so a 0.9 vs 1.0 is an entirely arbitrary line in the sand.