This should be a FAQ question. It's not the first time I've answered this.
A >50% overtake is bad, but not that bad. It only allows the attacker to erase/rewrite recent transactions, from the point he started mining in secret on. Keep in mind that he cannot create invalid transactions, like, create more money than there could possibly be at a particular address. Nor can he spend money that he never owned. So, basically, he can erase valid transactions, that's all.
This attack can have two purposes:
- Double-spend, or "profit motivated attack". The attacker could erase transactions of his own, for which he already received the good/service he bought. That would be stealing from the vendor. Bad, yes, but how far can the attacker go with this? I hardly think he could steal more than 20 million dollars to make it worth the investment, without being caught.
- Just mess around, or "politically motivated attack". This could annoy bitcoin users, but valid honest transactions will be resent anyway, so this won't do much more than annoyance. Honestly, it's a silly kind of attack for a government to take, as it may end up getting some quite bad press for this.
An easy way to mitigate the risk: reject any "too long" block reorganization. The "too long" constant should be determined mathematically, in order to be sure that there is no reasonable chance that such block reorganization is an honest chain split.
I can't do the math on my own, but I really doubt that an honest split could last as long as a week for example.
Trying to game the bitcoin network with >50% of hashing power is not that easy, but if your goal is shutting down bitcoin, it's trivial. You can effectively deny any transactions taking place, or invalidate past transactions by hashing your own longer chain in the dark, and dumping it to the rest of the network whenever you feel like it would do the most damage, or any number of more or less detectable and destructive attacks. With that kind of activity, people would lose faith in bitcoin really fast, making it worthless.
The longest blockchain is THE central authority of bitcoin, and if you don't want to trust that authority 100%, you have to give some of that power (choosing the valid chain) to individuals, and we know how that works out. Take your pick.
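The trade-off between the two posts above can be seen in a toy fork-choice rule. This is an added example, not code from the thread or from any Bitcoin client: `MAX_REORG_DEPTH` is a hypothetical value for the "too long" constant, and every block is assumed to carry equal work so that chain length stands in for total work.

```python
# Toy model: a chain is a list of block ids from genesis to tip; every block
# counts as equal work, so "longest" stands in for "most work" (assumption).
MAX_REORG_DEPTH = 6  # hypothetical value for the "too long" constant


def fork_point(current, candidate):
    """Number of leading blocks the two chains share."""
    shared = 0
    for ours, theirs in zip(current, candidate):
        if ours != theirs:
            break
        shared += 1
    return shared


def reorg_depth(current, candidate):
    """How many of our blocks would be discarded by switching to candidate."""
    return len(current) - fork_point(current, candidate)


def choose_chain(current, candidate, max_reorg=MAX_REORG_DEPTH):
    """Longest-chain rule with the proposed cap on reorganization depth."""
    if len(candidate) <= len(current):
        return current                      # not longer: keep what we have
    if reorg_depth(current, candidate) > max_reorg:
        return current                      # longer, but rewrites too much history
    return candidate


# Constructed sample data.
common = ["g", "b1", "b2", "b3"]
honest = common + [f"h{i}" for i in range(1, 9)]        # 8 public blocks
secret = common + [f"s{i}" for i in range(1, 10)]       # 9 blocks mined in private
short_split = honest[:-1] + ["x8", "x9"]                # ordinary 1-block split

online_node = choose_chain(honest, secret)       # saw all 8 honest blocks
offline_node = choose_chain(common, secret)      # was offline since the fork point
split_node = choose_chain(honest, short_split)   # honest split still resolves

if __name__ == "__main__":
    print("online node tip: ", online_node[-1])    # deep rewrite rejected
    print("offline node tip:", offline_node[-1])   # nothing to discard, accepted
    print("after short split:", split_node[-1])
    print("nodes agree:", online_node == offline_node)
```

The node that stayed online keeps the honest chain, but a node that was offline since the fork point has nothing to discard and adopts the longer private chain, so the two no longer agree on which chain is valid.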