Closed SuprDewd closed 4 years ago
Any news on the feature?
Thanks for taking an initial stab at this, @vipera7. I prefer hashing over encryption for solving this, so I made some further changes in https://github.com/SuprDewd/simpletracker/commit/864ed91b9e4c8959f599bf209ef45fe3cb5ec019. Let me know if you have any comments.
Also a quick note for you or anyone that is upgrading an existing simpletracker installation past this commit: This is a breaking change, in the sense that all .torrent files that have been previously downloaded will no longer work - they need to be downloaded again and restarted in the torrent client. For security, all user passkeys should be regenerated (securely) after this change has been deployed.
Currently every torrent file downloaded by a user contains the user's passkey. If one of those torrent files is compromised, his passkey can be reused to announce other torrents. Although this poses little security threat at the moment, this is an unnecessary risk.
Instead, combine the torrent ID and the user's passkey into a security token, and embed that into the torrent file.
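A sketch of the per-torrent token proposed above, as an added example that is not simpletracker's own code or the linked commit. It assumes HMAC-SHA256 keyed with the passkey as the hash construction and a `user_id.mac` token layout; `PASSKEYS`, `make_token`, `verify_announce` and `rotate_passkey` are hypothetical names.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data: user id -> passkey. The passkey stays server-side
# and is never written into a .torrent file.
PASSKEYS = {7: secrets.token_bytes(32), 8: secrets.token_bytes(32)}


def make_token(user_id: int, torrent_id: int) -> str:
    """Token embedded in the announce URL of one downloaded .torrent file."""
    mac = hmac.new(PASSKEYS[user_id], str(torrent_id).encode(), hashlib.sha256)
    return f"{user_id}.{mac.hexdigest()}"


def verify_announce(token: str, torrent_id: int) -> Optional[int]:
    """Return the user id if the token is valid for this torrent, else None.

    torrent_id is assumed to be resolved by the tracker from the announced
    info_hash, so a token only works for the torrent it was issued for.
    """
    if not token.isascii():
        return None
    user_part, sep, _ = token.partition(".")
    if not sep or not user_part.isdigit():
        return None
    user_id = int(user_part)
    if user_id not in PASSKEYS:
        return None
    expected = make_token(user_id, torrent_id)
    # Constant-time comparison, so response timing does not leak MAC bytes.
    return user_id if hmac.compare_digest(expected, token) else None


def rotate_passkey(user_id: int) -> None:
    """Regenerate a passkey; every token issued under the old one stops working."""
    PASSKEYS[user_id] = secrets.token_bytes(32)
```

A token taken from one compromised torrent file fails verification for any other torrent ID, and it does not reveal the passkey it was derived from.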