Opened 11 years ago
Closed 11 years ago
#2359 closed bug (Invalid)
Passkey exposure
Reported by: | Vladimir Berezhnoy | Owned by: | |
---|---|---|---|
Priority: | critical | Milestone: | Future |
Component: | Core | Version: | other (please specify) |
Keywords: | | Cc: | ancient@whatbox.ca |
Description
There are several reports that Deluge exposes passkeys where it should not. Most likely it is related to lt_trackers. As a result, Deluge got banned on several huge Russian trackers; the only way to unban it is to have some 'official fix' to the problem.
References:
http://forum.deluge-torrent.org/viewtopic.php?t=41777&p=188651#p188651
http://forum.deluge-torrent.org/viewtopic.php?f=7&t=42299&start=10
A similar issue was in qBittorrent:
http://welinux.ru/post/5962/
https://bugs.launchpad.net/qbittorrent/+bug/740005
I vote for disabling lt_trackers altogether, since it causes unnecessary trouble to people.
Change History (2)
comment:1 by , 11 years ago
Cc: | added |
---|
comment:2 by , 11 years ago
Resolution: | → Invalid |
---|---|
Status: | new → closed |
Control of the extension is in the develop code but is not possible for 1.3 due to a crashing issue (the reason it is enabled currently).
If you have more information that suggests there is leaking of the passkey for private flagged torrents then please reopen the ticket.
As you can see in a related upstream issue: https://code.google.com/p/libtorrent/issues/detail?id=198 there is no data leak when the .torrent file is marked as private. If the contents of the .torrent file are private (such as a passkey being included) it should be marked as a private torrent.
Data breaches can only occur in cases where you're using a public .torrent file for private data. If "several huge russian trackers" are having data breaches as a result of it, then it's a result of their inability to recognize the difference between a public and private torrent file.
The fact that this issue exists is troubling to me. These trackers are essentially demanding that the Deluge developers add a patch to Deluge to account for the tracker developers' incompetence in the creation and maintenance of their torrent collection. Publicly sharing the tracker data is completely within the spec on a public torrent.
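An added example, not part of the ticket or of Deluge's code: a check a tracker operator could run over .torrent files to find ones that embed a passkey-like secret in a tracker URL without setting the private flag, the combination the comment above describes. The parameter names, the 20-hex-character heuristic and the sample metadata are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

def bdecode(data, i=0):
    """Minimal bencode decoder: returns (value, index after value)."""
    c = data[i:i + 1]
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"d":  # a dict is encoded as alternating key, value
            items = dict(zip(items[0::2], items[1::2]))
        return items, i + 1
    colon = data.index(b":", i)
    end = colon + 1 + int(data[i:colon])
    return data[colon + 1:end], end

# Assumption (not from the ticket): a URL carries a per-user secret if it has
# one of these query parameters or a path segment of 20+ hex characters.
SECRET_PARAMS = {"passkey", "authkey", "torrent_pass"}
SECRET_SEGMENT = re.compile(r"[0-9a-fA-F]{20,}")

def has_secret(url):
    u = urlparse(url)
    return bool(SECRET_PARAMS & set(parse_qs(u.query))) or any(
        SECRET_SEGMENT.fullmatch(s) for s in u.path.split("/"))

def audit(torrent_bytes):
    """Tracker URLs with an embedded secret in a torrent NOT flagged private."""
    meta, _ = bdecode(torrent_bytes)
    if meta.get(b"info", {}).get(b"private") == 1:
        return []  # flagged private: the case the ticket says does not leak
    urls = [meta[b"announce"]] if b"announce" in meta else []
    for tier in meta.get(b"announce-list", []):
        urls.extend(tier)
    return [u.decode("utf-8", "replace") for u in urls
            if has_secret(u.decode("utf-8", "replace"))]

# Constructed sample metadata (trimmed, placeholder passkey), not a real torrent.
URL = b"http://tracker.example/announce?passkey=0123456789abcdef0123"
def sample(private):
    flag = b"7:privatei1e" if private else b""
    return b"d8:announce%d:%b4:infod6:lengthi1e4:name1:x%bee" % (len(URL), URL, flag)
```

Any URL that `audit` returns belongs to a torrent that should either be re-issued with `private` set to 1 or have the secret removed from its tracker URL.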