Don't Expose Private Key


Mainline

Hi!

As I used Bleep and looked around the settings menu, I was surprised that after one click my super important, very secret private key was on the screen as a QR code.
I suggest using some awareness-raising message in this menu and exposing the private key after a click of a button or something like that. I'm not super paranoid, it just seems illogical to me.
The simple user should get it, that it is an important thing...

And it would be helpful to have an option to give a new private key. Yet you should reinstall the whole app for that. I know it is not a crucial option, because you should use one "account", but when something goes wrong or somebody else wants to "log in" then it would be useful. It's just an option! :)


I'm not sure having the key exposed as a QR code is that big a deal

really, as far as I can tell there are really only two attack vectors

1) something on your computer sees said key and uses it to do bad things

answer: your computer is already compromised and there are probably easier ways to get your key than to wait for a QR code

2) someone is in the room with you and takes a picture

answer: turn around and look before you click on the link to see your QR code

perhaps I'm missing a vector but it doesn't seem like a big deal


  • 2 weeks later...

This is a big deal to me - actually a deal killer ...

The Private Key is not private at all - 1 click and it's exposed. Sorry, but this appears to be an insecure design.

I would prefer to have the entire Bleep application protected by a password on all the OS versions. At the very least, access to the "Show private key" field should be locked by a password.


so then it's exposed by two clicks

why not a question saying are you sure and make it 3 clicks

at the end of the day it's on your computer and as stated above, if your computer is compromised it could be 100000 clicks and a bot will get it so what does it matter if it's 1000000 or 1

I don't want to get into a debate here.

I want my credentials kept away from anyone (friend / family / co-worker) who might use my PC or phone with my permission. I am not talking about defeating government spy agencies - which is a significantly different level of privacy protection.

Let's say that bleep was locked by a password and 2 Factor Authentication. In my view, the app would be adequately secured - and it's not a matter of 1,2 or 10^7 clicks. Either you have the PW and the 2FA code, or you are not going to access bleep or its private keys.

Hopefully, someone from bittorrent has an opinion. That would be helpful.


From my understanding the QR code is the PUBLIC key.... it clearly says on Bleep it's a PUBLIC key and I don't understand the confusion.... Bleep works with key pairs... the one part is a PRIVATE key and no amount of clicking on buttons and viewing settings is ever going to show the PRIVATE key..... it is completely hidden and it is encrypted and secure.... as part of a keypair the second half of the key is the PUBLIC key.... this key is supposed to be shared, you are supposed to let other people see it otherwise no one can talk to you??? the QR code just makes it easy for your friend with a mobile device to get your PUBLIC key.

The PUBLIC key by itself can do nothing, in fact it is more than worthless without the associated PRIVATE key that is in the background... you can copy the public key onto another computer and try and get it to work, but it will not work without the associated Private key which is encrypted and hidden.

Think of the PUBLIC key as your phone number and your actual phone as the PRIVATE key...... when you give someone your number it means they know how to contact your device, which is your phone.... I know, I know that someone can clone your sim etc etc, but this is just an example of how 2 separate components make up a useful tool that is secure.

Google "Public-key cryptography" for more info if you are interested.


NightOne:

Great explanation of the public vs private key-pairs, and I agree with your thinking entirely. I use GnuPG encryption for email - and I widely share my public key, while carefully hiding away my private key.

bleep exposes the PUBLIC key code and QR when the user selects the "Be added by friends" option. I have no problem with this ... it is convenient and exactly how this feature should work, in my opinion.

However, if you select "Add new device", the PRIVATE KEY QR Code is exposed. There are QR decoders that can convert the code to text. That is what I am concerned about. Do you think the PRIVATE KEY is adequately secured?


Someone should try scanning your private QR code. I did and I got a bunch of garble nonsense with my username and email in there. So unless someone can decode the mess I see that the private key is safe. 

You've misunderstood the point. The 'garbled nonsense' is your private key. It doesn't need decoding.


Someone should try scanning your private QR code. I did and I got a bunch of garble nonsense with my username and email in there. So unless someone can decode the mess I see that the private key is safe. 

Try this experiment:

(1) Install bleep on your computer, allow it to configure itself, create key pair etc. Populate the contacts with your personal contacts.

(2) Have a friend install bleep on their Android phone, and ask them to select "I have an account".

(3) Expose the Private Key on your PC (as has been discussed here), and have your friend scan it using bleep on their mobile phone.

Your friend now has your ID on his phone. He can communicate with others posing as you.


This feature is for "adding a new device" to your own account. This QR code includes your personal information (and private key) that will be copied to another device of yours. This is not the public key that you will show to your friends to be added by them as a friend.

This feature is a part of limited support for multi-device which will be improved over time.

Having a PIN code for this is an interesting idea to prevent curious friends from grabbing your phone and scanning your private key without your knowledge.


Go to Settings on the PC client and choose Add New Device (Show private key).

I stand corrected, when I first read the post I thought the poster was talking about the share with friends option and thus posted a long-winded account of Public versus Private key..... My wife would say that's typical, only read the first bit and presume to know better.

I do agree that providing a private key without at least a second authentication layer like a PIN is a no no. So I second the idea of adding at least a PIN or a password to protect the QR code revealing the private key.

Thanks for not totally flaming me, and I will try in future to read the post completely :)


As I've only been using this software for my computer, and do not have an Android to try this on, I can't comment too much on this issue.

However, what I do have a problem with is the fact that my computer is now the weakest link in the Bleep security, thanks to the easily accessible private key QR code. I just don't approve of that, and it has been something that bothered me from day one of installation. The real problem for me is that I have only one computer (that needs to run 24/7 for other things), and I have Bleep installed. Anyone see a problem? The only way to make Bleep secure, in my case, is to have my hard disk encrypted; and even then it's useless if someone wants to scan my private QR code. For people like me, who have no other options, we're screwed for security; especially since anyone could bypass the basic password locking on a Windows machine. I might be a little more protected with a Unix based OS, but I also can't afford to go that route right now.

Hopefully this issue will be worked out, because I really don't like the way this has shaped up. I would recommend a personally set passphrase for authentication.


  • 2 weeks later...
  • 1 month later...

Archived

This topic is now archived and is closed to further replies.
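
The PIN or passphrase gate several replies ask for, sketched as an added example; it is not part of the thread and not Bleep's code. `ExportGate`, `reveal`, `load_secret` and the lockout policy values are hypothetical names and assumptions. It covers the case raised in the thread of someone who is allowed to use the device, not a compromised host.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5        # assumed policy: lock after five wrong PINs
LOCKOUT_SECONDS = 300   # assumed policy: five-minute lockout


def _derive(pin: str, salt: bytes) -> bytes:
    # scrypt makes guessing a short PIN expensive if the stored verifier leaks
    return hashlib.scrypt(pin.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class ExportGate:
    """Guards a hypothetical 'Add new device (show private key)' action."""

    def __init__(self, pin: str, clock=time.monotonic):
        self._salt = secrets.token_bytes(16)
        self._verifier = _derive(pin, self._salt)  # the PIN itself is never stored
        self._clock = clock
        self._failures = 0
        self._locked_until = 0.0

    def reveal(self, pin: str, load_secret):
        """Return load_secret() for the right PIN, None when refused."""
        if self._clock() < self._locked_until:
            return None  # locked out: the PIN is not even tested
        # constant-time comparison avoids leaking how many bytes matched
        if hmac.compare_digest(_derive(pin, self._salt), self._verifier):
            self._failures = 0
            return load_secret()  # key material is fetched only after success
        self._failures += 1
        if self._failures >= MAX_ATTEMPTS:
            self._locked_until = self._clock() + LOCKOUT_SECONDS
            self._failures = 0
        return None
```
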
