Re: [freenet-chat] private key vulnerability

[Aaron P Ingebrigtsen]

On Sat, 21 Apr 2001 20:43:41 +0200 nomad creaktop <[EMAIL PROTECTED]> writes: > Hey there. > > I know this should probably be aimed at the devel list, but i'm not > > subscribed, and i suspect that most people on the devel list also > subscribe > this one. > > Is it possible that there is a vulnerability with the submission of > private > keys to in-freenet keyindeces while inserting the data for that > key. > > OK, that probably wasn't that clear, here is an example: > > If I enter: > > finsert -keyIndex snarfoo -htl 40 SSK@(priv-key)/image.jpg > c:\images\image.jpg > > then there is output at the end of the process that my key has been > added > to snarfoo under KSK@snarfoo1 (or a similar key) > this key can be retrieved by anyone > and i have downloaded such a key which subsequently gives the key:   I believe that the -keyIndex command on the freenet CLI is only for putting keys onto a keyserver, not for inserting files into freenet.  So you basicaly told freenet to insert your private key into that keyserver.  Your mistake, not freenet's.  You should have put in your public key, not private key.  finsert -keyIndex snarfoo SSK@(pub-key)/image.jpg is the proper way to insert a key into a keyserver.  Since you already compromised the security of that subspace you will need to create a new subspace.   The key listed on the keyserver is the key you put in at the comand line, period.  I don't know if you can insert a key into a keyserver on the same line as the command for inserting a file onto freenet.  It would be nice if you could. :)