HelloZeroNet / ZeroNet

ZeroNet - Decentralized websites using Bitcoin crypto and BitTorrent network
https://zeronet.io

ZeroNet security #384

Open Jzarecta opened 8 years ago

Jzarecta commented 8 years ago

I wonder if we have the same issue as early Bitcoin-core days where people steal the wallet.dat because of plain text. Should ZN have an encryption mechanism of the user.json and sites.json? Here is a pywallet encryption function that could be easily inserted into ZN. https://github.com/jackjack-jj/pywallet/blob/master/pywallet.py#L447

HelloZeroNet commented 8 years ago

I don't think it's a real threat: if you lose your bitcoin wallet, then the attacker will get your money. If you lose your users.json then you can register a new one any time.

TheNain38 commented 8 years ago

@HelloZeroNet It's still a threat, because the attacker will be able to decrypt all your ZeroMails and post under your certs

HelloZeroNet commented 8 years ago

Sure, but if he has access to your hdd then you are fucked anyway, regardless of whether it's encrypted or not.

I'm just saying there is not much motivation to get your users.json, while there is a huge bounty on your wallet.dat.

almet commented 8 years ago

Encrypting ZeroNet user secrets seems a sane thing to do, and would protect the secrets from machines being compromised (you would need to crack the secret used for the encryption of the data).

But this comes at a cost: users would then need to enter the passphrase when starting ZeroNet: not sure we want to go that way.
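What a passphrase-protected users.json could look like, as an added example that is neither ZeroNet's nor pywallet's code: scrypt stretches the passphrase (the secret an attacker with the file "would need to crack"), and an encrypt-then-MAC layout rejects a wrong passphrase or a tampered file instead of returning garbage. The HMAC-counter stream cipher is a stdlib-only stand-in so the block runs without dependencies; a real plugin should use a vetted AEAD such as AES-GCM, and the field names below are constructed samples.

```python
# Added example (not ZeroNet's code): passphrase-protected users.json.
import hashlib, hmac, json, os, struct

# scrypt cost parameters: raise N to make offline guessing more expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

def _derive_keys(passphrase, salt):
    """Derive separate encryption and MAC keys from the passphrase with scrypt."""
    km = hashlib.scrypt(passphrase.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: stdlib stand-in for a real AEAD cipher."""
    out = bytearray()
    for i in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt_users_json(users, passphrase):
    """Serialize the users dict, encrypt it, then MAC salt+nonce+ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)   # fresh per file
    enc_key, mac_key = _derive_keys(passphrase, salt)
    plaintext = json.dumps(users).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def decrypt_users_json(blob, passphrase):
    """Check the MAC first; a wrong passphrase or tampering raises ValueError."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad passphrase or corrupted users.json")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)

def wrong_passphrase_rejected(blob, passphrase):
    """True if decrypting with this passphrase fails the integrity check."""
    try:
        decrypt_users_json(blob, passphrase)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # Constructed sample of the kind of secrets users.json holds.
    sample = {"master_seed": "constructed-sample-seed", "certs": {"zeroid.bit": "constructed"}}
    blob = encrypt_users_json(sample, "correct horse")
    print(decrypt_users_json(blob, "correct horse") == sample, wrong_passphrase_rejected(blob, "wrong"))
```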

5hanth commented 8 years ago

@almet

But this comes at a cost: users would then need to enter the passphrase when starting ZeroNet: not sure we want to go that way.

Was wondering why this isn't already that way... we do enter a passphrase to decrypt the private key when using gpg.

ratijas commented 8 years ago

Give users a choice, why not? For the most paranoid ones, let them use a passphrase.

weakish commented 6 years ago

@almet @5hanth @ratijas Maybe the encrypted users.json feature can be implemented as a plugin, similar to the web ui password plugin.