53 comments

[ 3.1 ms ] story [ 108 ms ] thread
Service creator here, for any questions you may have :)
> We use various heuristics to determine what 'interesting' keys are, they are priced roughly by their uniqueness probability.

I was wondering how exactly are the keys priced.

It's not too hard to figure out yourself :) The heuristics are very simple at this point.
How do you feel about asking for over $10.000 (I'm bad at counting) for generated keys while GPG is desperately looking for donors? How do you feel about the ethics of your project in general? It looks a lot like domain parking to me.
You know what? You're absolutely right.

I'll happily donate 60% of the profits from the service to GnuPG. Let's use this opportunity to fund GnuPG.

You buying? :)

I'd rather donate 100% to GnuPG and not get an insecure vanity key.
Awesome, go donate to GnuPG! :)
By all means donate to GnuPG, but do so directly instead of encouraging bad practice (such as letting someone else generate the key for you). If you are just playing around and generate a vanity/compromised key then verifying the key id is not useful, hence you don't need it to be easy to remember, which negates the reason for generating a vanity key in the first place.
No I shall not, donated 100% directly to gnupg
Hi, I'm getting the following error using Opera 12.17.

  Unable to complete secure transaction
  Secure connection: fatal error (40) from server.
That's a slightly old version of Opera. If I could install it now I would test, but hard to find it on package managers.
it is time to move on, Opera 12 is not supported anymore and bound to be insecure sooner than later. This problem will be a cipher issue.
It is, but I can't be bothered to try making Chrome or Firefox match my needs, if they even can.
Ok so you get Secure connection: fatal error (40) from server until you can be bothered
I know the pain. Settled for using them both but it is still so inferior. :(
I think it's a very bad idea to use this service. Your secret key should never be shared with a 3rd party.

Using an untrusted 3rd party service to generate a public/private key pair is like asking a thief to sell you a new door lock.

I agree, this service should never be used for any serious real-life usage. But this is a _vanity_ key service, and there are legitimate uses for such keys where no harm can be done.

I'm mainly interested in raising awareness to GnuPG and get more people using it - I also organize CryptoParties [1] in my area, exactly for this purpose.

[1] - https://cryptoparty.in/

"there are legitimate uses for such keys" - not for crypto
How about education and raising awareness?
awareness of bad crypto practise? :\",
How do you raise awareness and educate people by selling them conceptionally broken keys? They will get used to "someone else is creating the key for me", as well as to "GPG fingerprints should look like funny words, not 17AB42DE!".

For testing and explaining GPG to people, nobody needs vanity keys. You don't raise awareness for GPG by having "DEADBEEF" on your business card.

Is there a technical way to implement a service like that in a non-compromising way? I.e. user sends you his public key, you brute-force some nonce value, until the key's ID is "nice"?

Non-native speaker here, I didn't even know what "vanity" means, just ignored it as noise-word :) Well, after looking it up, I still am not sure that I understand what it means :).

vanity base word is vane; or to be so focused on how pretty or appealling you are to others. often used when talking about asthetically pleasing names when talking about tech stuff (vanity hostnames for example.. dns names which are excessively showy, this used to be common on IRC to look "cool").
Would that not be "vain"?
> Is there a technical way to implement a service like that in a non-compromising way? I.e. user sends you his public key, you brute-force some nonce value, until the key's ID is "nice"?

No. That is not possible.

Sorry but no. This makes your private key compromised by default...

The most important rule of public key encryption is... Never (really!) let anybody else handle your private key...

And why should I trust some random website for not storing an extra copy? The keys are definitely not "... as secure as if you have generated them by yourself. ". Because, if I generate them, I know that my box is the only one that had ever touched it...

Thanks for the feedback, I totally agree, and see my comment below. I'll definitely make this more noticeable on the page.
It is possible to safely outsource the creation of vanity bitcoin addresses (http://bitcoin.stackexchange.com/questions/3853/can-one-safe...). That being said, I'm not sure if the techniques used are applicable to GPG.
Once GnuPG supports ECDSA (hopefully, in the near future, there's a branch with some of the code already implemented) I'll be happy to switch the service to this secure method!
I thought that if the user changes the passphrase[1] it could be done... But since the keys (private/public) remain the same, doesn't make any sense in this scenario. As I understand this (didn't try it) you could have 2 computers, same private/public keys different passphrase on each computer.

[1] http://security.stackexchange.com/questions/37510/when-chang...

I think we need a new name for all of these new sites: hipster security. Or something like that.
I feel like it might be time for us to stop bashing hipsters and instead reach out to them so that they don't actually use services like this one. Writing a blog post (or a shell script) that explains how to generate fancy keys would certainly be more useful.
I'll happily clean up the scripts and make them open source! Would you be interested in helping publish this?
I will help you publish this for a copy of all keys generated.
Interesting way to earn BTC. Instead of "just" investing [GC]PU power, you invest CPU power and then sell the result.

In this sense, it's probably more efficient (both power and money wise) than mining for BTC directly, but it still feels like a waste of energy to me. Waste, because I don't think anyone with security in mind would buy a private key off some random website and anyone with no security in mind would never get the idea to buy a GPG key.

Also, I'm still wondering why "FF8243E1" costs 5$. Because it's only 7 out of 8 possible different characters?

$5 is the lowest tier of keys with no actual significance. I believe that's a reasonable price when you consider the overhead of running this operation.
"5$ is the price for something worthless." -- Did I read this correctly?

I can see how you would sell keys with fingerprints like "1234BEEF" for 100 bucks, but those 5$ keys are just ... I don't get it. But that's okay, it's not the first time I don't understand why people spend money on something ;-)

I'm really dumbfounded and thinking maybe I should just start a slick looking minimal website with a random number generator and a payment form. This way I can sell interesting sequences of numbers. I could avoid the whole mess of generating keys, since this is about as useful as painting a house with a five hundred pound bomb.
I have a better service.

Aren't you tired of boring, bland, random passwords?

For just $5 I'll generate you a beautiful, memorable vanity password that you can use for everything and show off to your friends!

See my profile for contact info. Limited time offer!

Now this is retarded beyond repair. So, the idea is I'll pay money for someone to know my secret key?

Whats next, vanity passwords?

EDIT: reading the comments from the author yuvadam below, its obvious we are being trolled

EDIT2: now i'm getting scared. i wouldn't want software from this guy near my machines https://aur.archlinux.org/packages/?SeB=m&K=yuvadm

I agree, it's a really bad idea to buy a private key off of anybody. I mean, seriously?
Thank you for pointing to the AUR, another great example of where you should never trust the maintainer blindly and _ALWAYS_ inspect the PKGBUILD yourself before installing.
60%? Given that you're using BTC the costs involved here are minimal, considering that there's no practical use for these keys where's the value justifying your 40%?

I'd invite folks reading this to donate directly to https://www.gnupg.org/donate/ and ensure 100% of your charity reaches the folks & help them attain their funding goal + keep one of the most essential tools under active development.

Please, by all means donate 100% to GnuPG! That's the best possible outcome from this project.
"60% of all profits from this fun project go directly to fund GnuPG! You can also directly donate to a very important cause."

I severely doubt the guy who develops GnuPG (Werner Koch) would approve of this.

[edit] This is the worse thing I've ever seen on Hacker News.

Yeah, how the hell did this get 20 points?
Interesting concept, but no. People should not be having a 3rd party generating their keys.

If people want a vanity short key ID, then educating them on how OpenPGP packets work, and how the fingerprint is generated from the timestamp is the right way to go. Teach a man to fish.

Here is some Java code that creates a partial collision on the fingerprint for the desired short key ID:

http://www.halfdog.net/Projects/PgpKeyTools/KeyGenDSA.java

Werner Koch (the guy who develops GnuPG), when asked about this website:

http://lists.gnupg.org/pipermail/gnupg-users/2015-January/05...

"I have not heard about it but given that the Wau Holland Stiftung is collecting GnuPG donations also via Bitcoin, it is likely that this can't be tracked.

However, if that processing power is used to find many dups for long keyids we will sooner or later neet to invest work to mitigate the effect of this (e.g. adding a fingerprint as signed attribute to each signature)."