Opened 4 years ago

Closed 4 years ago

#2359 closed bug (Invalid)

Passkey exposure

Reported by: non7top
Owned by:
Priority: critical
Milestone: Future
Component: Core
Version: other (please specify)
Keywords:
Cc: ancient@…

Description

There are several reports that Deluge exposes passkeys where it should not. Most likely it is related to lt_trackers. As a result, Deluge got banned on several huge Russian trackers; the only way to unban it is to have some 'official fix' to the problem.

References:
http://forum.deluge-torrent.org/viewtopic.php?t=41777&p=188651#p188651
http://forum.deluge-torrent.org/viewtopic.php?f=7&t=42299&start=10

A similar issue was in qbittorrent:
http://welinux.ru/post/5962/
https://bugs.launchpad.net/qbittorrent/+bug/740005

I vote for disabling lt_trackers altogether, since it causes unnecessary trouble to people.

Change History (2)

comment:1 Changed 4 years ago by ancient

  • Cc ancient@… added

As you can see in a related upstream issue: https://code.google.com/p/libtorrent/issues/detail?id=198 there is no data leak when the .torrent file is marked as private. If the contents of the .torrent file are private (such as a passkey being included) it should be marked as a private torrent.

Data breaches can only occur in cases where you're using a public .torrent file for private data. If "several huge russian trackers" are having data breaches as a result of it, then it's a result of their inability to recognize the difference between a public and private torrent file.

The fact that this issue exists is troubling to me. These trackers are essentially demanding that the Deluge developers add a patch to Deluge to account for the tracker developers' incompetence in the creation and maintenance of their torrent collection. Publicly sharing the tracker data is completely within the spec on a public torrent.

comment:2 Changed 4 years ago by Cas

  • Resolution set to Invalid
  • Status changed from new to closed

Control of the extension is in develop code but not possible for 1.3 due to a crashing issue (the reason it is enabled currently).

If you have more information that suggests there is leaking of the passkey for private flagged torrents then please reopen the ticket.
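The check that comment:1 implies, as an added example that is not part of the original ticket or of Deluge's code: parse a .torrent's metainfo and flag files whose tracker URLs embed a passkey-like secret while the info dictionary lacks `private=1`. The parameter names, the hex-segment heuristic, the function names and the sample metainfo are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed heuristics for this sketch, not a list taken from any tracker.
SECRET_PARAMS = {"passkey", "pk", "uk", "authkey"}
HEX_SEGMENT = re.compile(r"[0-9a-fA-F]{20,}")  # long hex path component

def bdecode(data, i=0):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        i, items = i + 1, []
        while data[i:i + 1] != b"e":  # truncated input falls through to ValueError
            item, i = bdecode(data, i)
            items.append(item)
        value = items if c == b"l" else dict(zip(items[0::2], items[1::2]))
        return value, i + 1
    if c.isdigit():
        colon = data.index(b":", i)
        end = colon + 1 + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated string at offset %d" % i)
        return data[colon + 1:end], end
    raise ValueError("malformed bencode at offset %d" % i)

def url_has_secret(url):
    """True if the URL carries a secret-looking query key or path segment."""
    parts = urlsplit(url)
    return bool(SECRET_PARAMS & set(parse_qs(parts.query))) or any(
        HEX_SEGMENT.fullmatch(seg) for seg in parts.path.split("/"))

def audit_torrent(raw):
    """Flag metainfo whose tracker URLs carry a secret but lack private=1."""
    meta, _ = bdecode(raw)
    trackers = [meta.get(b"announce", b"")]
    trackers += [u for tier in meta.get(b"announce-list", []) for u in tier]
    urls = [t.decode("utf-8", "replace") for t in trackers if t]
    secret = [u for u in urls if url_has_secret(u)]
    private = meta.get(b"info", {}).get(b"private") == 1
    return {"private": private, "secret_urls": secret,
            "at_risk": bool(secret) and not private}

def sample(private):  # constructed minimal metainfo, not a real torrent
    s = lambda b: str(len(b)).encode() + b":" + b
    url = b"http://tracker.example/announce?passkey=0123456789abcdef"
    info = b"d" + s(b"name") + s(b"demo") + (s(b"private") + b"i1e" if private else b"") + b"e"
    return b"d" + s(b"announce") + s(url) + s(b"info") + info + b"e"
```

A tracker operator could run `audit_torrent` over every file in the collection and re-issue any entry reported as `at_risk` with the private flag set.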
