
That shell script does that already. Go ahead and run it for multiple sites with the same file:

  sh encrypt.sh www.google.com mysecret.txt
  sh encrypt.sh www.apple.com mysecret.txt
  sh encrypt.sh www.microsoft.com mysecret.txt

It then will make a directory for each in results using different passwords and their respective keys.


That is exactly what I don't want. :-)

I want the same random key sent to multiple recipients. That way they can all verify that they are seeing the same thing.

Edit: Just to clarify, without using the same random key for all recipients, the reports are not verifiably the same until everyone shows their random keys. If you use the same random key for all recipients, you don't have this problem.


Could be an option, although I'm not sure what's better given that most vendors wouldn't want to have other vendors know they're vulnerable until they fix it.

Also, I'm pretty sure that if Adobe and Microsoft both have a vulnerability then they'll talk to each other.


I'm mostly thinking about the arbitrator scenario, or key escrow for each report.

Your current scheme suffers from the fact that once the report has been generated, the only person that can verify that a given document is the same as the submitted report is the vendor - who may not be inclined to cooperate.

It's admittedly a little far-fetched, but if there is a dispute as to the contents of the report and the vendor refuses to disclose the secret key, it ends up being the vendor's word against that of the researcher.

This can be solved by keeping the random key around or by sending it to multiple recipients. Or both. Your current strategy of immediately deleting it is pointless while the original plain-text report still exists but leads to the conundrum above.
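Added example, not part of the thread and not the code of encrypt.sh: a Python sketch of the two schemes discussed above, showing that a shared random key gives every recipient the same blob to compare and lets an arbitrator who holds the key check a disputed document. Assumptions: the HMAC-SHA256 keystream is a stdlib-only stand-in for the real cipher, delivery of the key to each recipient is not modelled, and all function names and sample values are hypothetical.

```python
import hashlib, hmac, secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the one random report key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 counter-mode keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(report: bytes, key: bytes) -> bytes:
    # Output layout: nonce || ciphertext || tag (encrypt-then-MAC).
    nonce = secrets.token_bytes(16)
    body = nonce + _xor_stream(_subkey(key, b"enc"), nonce, report)
    return body + hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()

def unseal(blob: bytes, key: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified blob")
    return _xor_stream(_subkey(key, b"enc"), body[:16], body[16:])

def fingerprint(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def per_recipient(report: bytes, recipients: list) -> dict:
    # Fresh key per recipient, discarded afterwards: blobs cannot be compared.
    return {r: seal(report, secrets.token_bytes(32)) for r in recipients}

def shared_key(report: bytes, recipients: list):
    # One random key, one blob for everyone; the key is kept or escrowed.
    key = secrets.token_bytes(32)
    blob = seal(report, key)
    return key, {r: blob for r in recipients}

def arbitrate(blob: bytes, key: bytes, claimed_report: bytes) -> bool:
    # A third party holding the key checks a disputed document against the blob.
    try:
        return hmac.compare_digest(unseal(blob, key), claimed_report)
    except ValueError:
        return False

REPORT = b"Constructed sample report: overflow in parser"  # constructed input
VENDORS = ["vendor-a.example", "vendor-b.example"]         # constructed names
```

With the shared key, recipients only need to exchange `fingerprint(blob)` to confirm they received the same submission; with per-recipient keys the fingerprints differ even though the plaintext is identical.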



