
Torrents Time bundles certificates and private keys - cgtyoder
https://gist.github.com/Wack0/8eecd90f688e85fef86b
======
cheez
The torrents time server is just to allow your local browser to stream the
videos that are being downloaded in a way that makes the browser happy and
avoids mixed content issues. Why does it matter if the keys are shipped?

They're a workaround that don't improve or reduce security from what I can
tell.

Edit: The more egregious parts of the security issues is due to any website
being able to access that local server, the server running as root on OSX,
etc. THAT is major.

~~~
Kristine1975
Agreed. Not sure if this was already posted on HN, but here's a write-up about
Torrent Time's security issues:
[http://blog.andrew.im/post/139084882590/torrents-time-
securi...](http://blog.andrew.im/post/139084882590/torrents-time-security-
issues)

~~~
ryanlol
I'm not sure why the author wrote that post, it consists mostly of irrelevant
filler material (the only real issue pointed out is the fact that it runs as
root on osx).

It shouldn't be that hard to find actual issues in torrent time, but this post
is just complaining for the sake of complaining.

------
shpx
Why use proprietary software when there's
[https://webtorrent.io/](https://webtorrent.io/)

Is piratebay turning into another sourceforge or download.com?

~~~
the8472
It uses webrtc, that's not compatible with real torrent clients.

And afaik torrents time is not affiliated with TPB, beyond the latter
embedding the former.

------
jand
I strongly dislike the idea of a CA going around revoking certs/keys just
because the keys were leaked somewhere.

This road (as wished for by the author) is very dangerous - it reads to me:
"If a software(-bug) or human error allows technically skilled personal to
gain access to a private key, all connected keys shall be revoked".

This would apply to (possibly) millions of servers with e.g. vulnerable PHP
versions or such stuff.

So. Torrents Time made a bad move. Why is that a CA-concern? Honestly, tell
me.

~~~
willglynn
Short answer: because the CA/B forum requires this. See "Baseline Requirements
for the Issuance and Management of Publicly-Trusted Certificates, v.1.1.7"
section 13.1.5 point 3.

[https://cabforum.org/wp-
content/uploads/BRv1.1.7.pdf](https://cabforum.org/wp-
content/uploads/BRv1.1.7.pdf)

Long answer:

Certificate authorities provide assurance. In this instance, they received a
request from someone asserting "I am localhost.ttconfig.xyz, I have this
public key, and I sign this entire statement using my private key". The
certificate authorities validated that the requester did in fact control
localhost.ttconfig.xyz, then they took the request above, added "I am
<Comodo/GeoTrust/thawte>, this certificate reflects the identity and
intentions of <subject>, and I sign this entire statement using my private
key".

Your browser trusts certificate authorities to make statements like these.
This trust is not given blindly; it's instead driven by complex procedural
machinery. Browser vendors require certificate authorities to do specific
things in order to earn and keep the browser's trust. For example, see
Mozilla's CA policies:

[https://www.mozilla.org/en-
US/about/governance/policies/secu...](https://www.mozilla.org/en-
US/about/governance/policies/security-group/certs/policy/inclusion/)

The certificate authorities have rules to follow, and they in turn require
that their subscribers do certain things so the CA can comply with those
rules. One of the requirements CAs make of their customers is that they
protect their private key.

Why is this important? Well, remember that the CA made a statement that "this
certificate reflects the identity and intentions of <subject>". Losing your
private key means anyone else can use that certificate, even if they are not
you – which makes the CA's statement a lie. CAs are built on trust, so they
_must_ revoke it.

~~~
joelcollinsdc
Perhaps this is a dumb question, but what should the torrent time developers
have done differently to have local valid TLS without bundling a private key?

~~~
ikeboy
Generating a unique key for each installation and adding that to the list of
root CAs on that computer.

~~~
chris_wot
Err... Isn't that what Lenovo did with Superfish?

That sounds like terrible advise.

~~~
ikeboy
No. Lenovo used the same certificate for every computer, and pre installed the
software without user consent.

Generating a new certificate on the computer it's used on is different.

