
Show HN: Vanity GPG Keys (and help fund GnuPG!) - yuvadam
https://vanitykeys.io/
======
svennek
Sorry but no. This makes your private key compromised by default...

The most important rule of public key encryption is... Never (really!) let
anybody else handle your private key...

And why should I trust some random website for not storing an extra copy? The
keys are definitely not "... as secure as if you have generated them by
yourself. ". Because, if I generate them, I know that my box is the only one
that had ever touched it...

~~~
yuvadam
Thanks for the feedback, I totally agree, and see my comment below. I'll
definitely make this more noticeable on the page.

~~~
olalonde
It is possible to safely outsource the creation of vanity bitcoin addresses
([http://bitcoin.stackexchange.com/questions/3853/can-one-safely-buy-vanity-addresses-from-a-third-party-without-risking-ones-coi](http://bitcoin.stackexchange.com/questions/3853/can-one-safely-buy-vanity-addresses-from-a-third-party-without-risking-ones-coi)).
That being said, I'm not sure if the techniques used are applicable to GPG.

~~~
yuvadam
Once GnuPG supports ECDSA (hopefully, in the near future, there's a branch
with some of the code already implemented) I'll be happy to switch the service
to this secure method!

------
dvdkhlng
I think it's a very bad idea to use this service. Your secret key should never
be shared with a 3rd party.

Using an untrusted 3rd party service to generate a public/private key pair is
like asking a thief to sell you a new door lock.

~~~
yuvadam
I agree, this service should never be used for any serious real-life usage.
But this is a _vanity_ key service, and there are legitimate uses for such
keys where no harm can be done.

I'm mainly interested in raising awareness to GnuPG and get more people using
it - I also organize CryptoParties [1] in my area, exactly for this purpose.

[1] - [https://cryptoparty.in/](https://cryptoparty.in/)

~~~
dvdkhlng
Is there a technical way to implement a service like that in a non-
compromising way? I.e. user sends you his public key, you brute-force some
nonce value, until the key's ID is "nice"?

Non-native speaker here, I didn't even know what "vanity" means, just ignored
it as noise-word :) Well, after looking it up, I still am not sure that I
understand what it means :).

~~~
spydum
Vanity base word is vane; or to be so focused on how pretty or appealing you
are to others. Often used when talking about aesthetically pleasing names when
talking about tech stuff (vanity hostnames for example.. DNS names which are
excessively showy, this used to be common on IRC to look "cool").

~~~
dTal
Would that not be "vain"?

------
fapjacks
I'm really dumbfounded and thinking maybe I should just start a slick looking
minimal website with a random number generator and a payment form. This way I
can sell interesting sequences of numbers. I could avoid the whole mess of
generating keys, since this is about as useful as painting a house with a five
hundred pound bomb.

------
Nanzikambe
60%? Given that you're using BTC the costs involved here are minimal,
considering that there's no practical use for these keys where's the value
justifying your 40%?

I'd invite folks reading this to donate directly to
[https://www.gnupg.org/donate/](https://www.gnupg.org/donate/) and ensure 100%
of your charity reaches the folks & help them attain their funding goal + keep
one of the most essential tools under active development.

~~~
yuvadam
Please, by all means donate 100% to GnuPG! That's the best possible outcome
from this project.

------
sigsergv
I think we need a new name for all of these new sites: hipster security. Or
something like that.

~~~
teamhappy
I feel like it might be time for us to stop bashing hipsters and instead reach
out to them so that they don't actually use services like this one. Writing a
blog post (or a shell script) that explains how to generate fancy keys would
certainly be more useful.

~~~
yuvadam
I'll happily clean up the scripts and make them open source! Would you be
interested in helping publish this?

~~~
fapjacks
I will help you publish this for a copy of all keys generated.

------
rmoriz
Short key IDs are bad news (with OpenPGP and GNU Privacy Guard)
[http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html](http://www.asheesh.org/note/debian/short-key-ids-are-bad-news.html)

~~~
yuvadam
Absolutely, short keys are bad. Nothing replaces a full fingerprint
verification before usage. Keybase [1] does this very nicely IMHO.

[1] - [https://keybase.io](https://keybase.io)

------
mike-cardwell
Werner Koch (the guy who develops GnuPG), when asked about this website:

[http://lists.gnupg.org/pipermail/gnupg-users/2015-January/052204.html](http://lists.gnupg.org/pipermail/gnupg-users/2015-January/052204.html)

"I have not heard about it but given that the Wau Holland Stiftung is
collecting GnuPG donations also via Bitcoin, it is likely that this can't be
tracked.

However, if that processing power is used to find many dups for long keyids we
will sooner or later need to invest work to mitigate the effect of this (e.g.
adding a fingerprint as signed attribute to each signature)."

------
moe
I have a better service.

Aren't you tired of boring, bland, random passwords?

For just $5 I'll generate you a beautiful, memorable vanity password that you
can use for everything and show off to your friends!

See my profile for contact info. Limited time offer!

------
xrstf
Interesting way to earn BTC. Instead of "just" investing [GC]PU power, you
invest CPU power and then sell the result.

In this sense, it's probably more efficient (both power and money wise) than
mining for BTC directly, but it still feels like a waste of energy to me.
Waste, because I don't think anyone with security in mind would buy a private
key off some random website and anyone with no security in mind would never
get the idea to buy a GPG key.

Also, I'm still wondering why "FF8243E1" costs 5$. Because it's only 7 out of
8 possible different characters?

~~~
yuvadam
$5 is the lowest tier of keys with no actual significance. I believe that's a
reasonable price when you consider the overhead of running this operation.

~~~
xrstf
"5$ is the price for something worthless." -- Did I read this correctly?

I can see how you would sell keys with fingerprints like "1234BEEF" for 100
bucks, but those 5$ keys are just ... I don't get it. But that's okay, it's
not the first time I don't understand why people spend money on something ;-)

------
atoponce
Interesting concept, but no. People should not be having a 3rd party
generating their keys.

If people want a vanity short key ID, then educating them on how OpenPGP
packets work, and how the fingerprint is generated from the timestamp is the
right way to go. Teach a man to fish.

Here is some Java code that creates a partial collision on the fingerprint for
the desired short key ID:

[http://www.halfdog.net/Projects/PgpKeyTools/KeyGenDSA.java](http://www.halfdog.net/Projects/PgpKeyTools/KeyGenDSA.java)
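To make the two points above concrete (dvdkhlng's question about varying a nonce until the key ID is "nice", and atoponce's remark that the fingerprint is derived from the creation timestamp), here is a small added Python example. It is not code from the submission, from the linked Java tool, or from GnuPG. It builds the version 4 public-key packet body for an RSA key as RFC 4880 specifies, hashes it the way the fingerprint is defined (SHA-1 over 0x99, a two-octet length, and the body), and derives the long and short key IDs from the result. The RSA numbers `TOY_N` and `TOY_E` are constructed and far too small to be a real key; the starting timestamp is likewise constructed. The search function shows why this thread keeps repeating "compare the full fingerprint": stepping only the creation timestamp changes the fingerprint each time, so matching a few hex digits of the 32-bit short ID costs almost nothing on your own key, and the same cheapness is what makes short IDs useless as an identity check.

```python
import hashlib
import struct
from typing import Optional

# Constructed toy RSA public numbers. NOT a real key and far too small to be
# secure; they only give the packet hashing below deterministic input.
TOY_N = 0xC7F9A1D3B5E2F4A6C8D0E2F4061820304050607080A0B0C0D0E0F1A2B3C4D5E7
TOY_E = 65537
RSA_ALGO_ID = 1  # "RSA (Encrypt or Sign)", RFC 4880 section 9.1
START_CREATED = 1420070400  # constructed: 2015-01-01T00:00:00Z


def mpi(value: int) -> bytes:
    """Encode an unsigned integer as an OpenPGP MPI: 2-octet bit length, then big-endian bytes."""
    if value < 0:
        raise ValueError("MPIs are unsigned")
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def v4_public_key_body(created: int, n: int = TOY_N, e: int = TOY_E) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 section 5.5.2):
    version, 4-octet creation time, algorithm id, then MPIs n and e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([RSA_ALGO_ID]) + mpi(n) + mpi(e)


def v4_fingerprint(created: int, n: int = TOY_N, e: int = TOY_E) -> str:
    """V4 fingerprint (RFC 4880 section 12.2): SHA-1 of 0x99 || 2-octet body length || body.
    Returned as 40 uppercase hex characters, as gpg prints it."""
    body = v4_public_key_body(created, n, e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 octets of the fingerprint."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """The 32-bit short key ID is the low-order 4 octets of the fingerprint."""
    return fingerprint[-8:]


def short_id_collides(fp_a: str, fp_b: str) -> bool:
    """True when two different keys would be shown as the same short ID."""
    return fp_a != fp_b and short_key_id(fp_a) == short_key_id(fp_b)


def find_created_for_short_id_prefix(prefix: str, start: int, max_tries: int) -> Optional[int]:
    """Walk the creation timestamp backwards from `start` until the short key ID
    starts with `prefix`. Only the timestamp changes; the key material is fixed.
    Returns the matching timestamp, or None if max_tries is exhausted."""
    prefix = prefix.upper()
    for i in range(max_tries):
        created = start - i
        if short_key_id(v4_fingerprint(created)).startswith(prefix):
            return created
    return None


if __name__ == "__main__":
    base = v4_fingerprint(START_CREATED)
    print("fingerprint:", base)
    print("long key id:", long_key_id(base), " short key id:", short_key_id(base))
    hit = find_created_for_short_id_prefix("AB", START_CREATED, 200000)
    if hit is not None:
        print(f"timestamp {hit} gives short id {short_key_id(v4_fingerprint(hit))}"
              f" after {START_CREATED - hit + 1} tries; fingerprint differs entirely:")
        print("fingerprint:", v4_fingerprint(hit))
```

Running it shows that a two-hex-digit prefix on the short ID is found in a few hundred SHA-1 evaluations, and that the two keys with matching prefixes have completely different fingerprints. The takeaway for verification is the one rmoriz and yuvadam give above: compare all 40 hex characters, never the 8-character short ID.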

------
spork1
Now this is retarded beyond repair. So, the idea is I'll pay money for someone
to know my secret key?

What's next, vanity passwords?

EDIT: reading the comments from the author yuvadam below, it's obvious we are
being trolled

EDIT2: now I'm getting scared. I wouldn't want software from this guy near my
machines
[https://aur.archlinux.org/packages/?SeB=m&K=yuvadm](https://aur.archlinux.org/packages/?SeB=m&K=yuvadm)

~~~
yuvadam
Thank you for pointing to the AUR, another great example of where you should
never trust the maintainer blindly and _ALWAYS_ inspect the PKGBUILD yourself
before installing.

------
mike-cardwell
"60% of all profits from this fun project go directly to fund GnuPG! You can
also directly donate to a very important cause."

I severely doubt the guy who develops GnuPG (Werner Koch) would approve of
this.

[edit] This is the worst thing I've ever seen on Hacker News.

~~~
toothbrush
Yeah, how the hell did this get 20 points?

------
Joona
Hi, I'm getting the following error using Opera 12.17.

      Unable to complete secure transaction
      Secure connection: fatal error (40) from server.

~~~
aw3c2
It is time to move on, Opera 12 is not supported anymore and bound to be
insecure sooner than later. This problem will be a cipher issue.

~~~
Joona
It is, but I can't be bothered to try making Chrome or Firefox match my needs,
if they even can.

~~~
corobo
Ok so you get Secure connection: fatal error (40) from server until you can be
bothered

------
yuvadam
Service creator here, for any questions you may have :)

~~~
teamhappy
How do you feel about asking for over $10.000 (I'm bad at counting) for
generated keys while GPG is desperately looking for donors? How do you feel
about the ethics of your project in general? It looks a lot like domain
parking to me.

~~~
yuvadam
You know what? You're absolutely right.

I'll happily donate 60% of the profits from the service to GnuPG. Let's use
this opportunity to fund GnuPG.

You buying? :)

~~~
danieldk
I'd rather donate 100% to GnuPG and not get an insecure vanity key.

~~~
yuvadam
Awesome, go donate to GnuPG! :)

