ZeroNet security

[Jzarecta]

I wonder if we have the same issue as early Bitcoin-core days where people steal the wallet.dat because of plain text.
Should ZN have an encryption mechanism of the user.json and sites.json?
Here is a pywallet encryption function that could be easily inserted into ZN.
https://github.com/jackjack-jj/pywallet/blob/master/pywallet.py#L447

[HelloZeroNet]

I don't think it's not a real threat: if you loose your bitcoin wallet, then the attacker will get your money. if you looks your users.json then you can register a new one any time.

[TheNain38]

@HelloZeroNet It's still a threat, because the attacker will be able to decrypt all your ZeroMails and post under your certs

[HelloZeroNet]

Sure, but he has access to your hdd then your are fucked any way regardless if its encrypted or not.

I'm just saying there is not much motivation to get your users.json, while there is a huge bounty on your wallet.dat.

[almet]

Encrypting ZeroNet user secrets seems a sane thing to do, and would protect the secrets from machines being compromised (you would need to crack the secret used for the encryption of the data).

But this comes at a cost: users would then need to enter the passphrase when starting ZeroNet: not sure we want to go that way.

[5hanth]

@almet

But this comes at a cost: users would then need to enter the passphrase when starting ZeroNet: not sure we want to go that way.

was wondering why isn't this already that way.. we do enter passphrase to decrypt private key when using gpg.

[ratijas]

give users a choice, why not? for most paranoid ones, let them use passphrase.

[weakish]

@almet @5hanth @ratijas Maybe the encrypted users.json feature can be implemented as a plugin, similar to the web ui password plugin.