Dashcentral.org is asking for your Masternode's private key. Have you given it to them?

Dashcentral.org asks for your Masternode's private key. Is it safe for you to give it to them?


  • Total voters: 12

demo

dashcentral.org said:
Frequent Questions
1. What is a masternode / how to setup a masternode?
Please start reading our introduction to DASH and masternodes.
2. What is a masternode privkey?
The masternode privkey is the key you obtain during the setup of your masternode by running the command "dash-cli masternode genkey". It should look like this: 7sUW62aPX6gq1M4W7pde4c4H563k7FHEiawvarWeAdAcVufYSae.
3. Why should I enter my privkeys and is it safe to do so?
Entering your masternode privkeys allows you to vote on budget proposals comfortably and securely via the DashCentral budget pages.
When you enter your privkeys, they will be AES encrypted with your passphrase in your browser. After encryption, the privkeys will be stored on our server. Since our server never sees your passphrase, we never have access to your privkeys. When you want to cast a budget vote, the encrypted privkeys are sent to your browser. After entering your passphrase, your budget proposal votes are signed locally in your browser and then transferred to our server, where we broadcast them to the DASH network.
4. Why should I perform the ownership verification of my masternodes?
The ownership verification is voluntary. We recommend doing it, since future account features may depend on it. If you have more than 20 masternodes, you have to confirm the ownership to be allowed to add more masternodes.

Dashcentral.org is asking for your Masternode's private key. Do you think it is safe to give your private key?
 

rango

It is quite safe to do so. Your masternode privkey is encrypted within your browser with a passphrase you choose. Only the encrypted version is stored on our server. When casting votes, these are signed within your browser. So you always stay in full control of your privkey. Dashcentral never sees your cleartext privkey.

Just to make sure: we are talking about the masternode privkey which is used to cast votes. This is not the private key of your 1000 DASH address.
 

demo

rango said:
It is quite safe to do so. Your masternode privkey is encrypted within your browser with a passphrase you choose. Only the encrypted version is stored on our server. When casting votes, these are signed within your browser. So you always stay in full control of your privkey. Dashcentral never sees your cleartext privkey.

Just to make sure: we are talking about the masternode privkey which is used to cast votes. This is not the private key of your 1000 DASH address.

And who is the one who sends to my browser the code that it is about to encrypt the privkey?

How can I be sure that your server always sends to my (and to any other) browser the "CryptoJS.AES.encrypt(formString, "privkey");" javascript code and not a plain text privkey?

Theoretically, in your server you can distinguish among several IPs that request the AES encryption. And if there is an IP you want to target and steal its private key, then you may send a non-encrypted http form post especially to this IP.

The IP that is attacked by your server cannot prove to the other masternodes what is happening, because all the others receive a different code than the one you send to the targeted IP.

The only thing that the IP targeted by you can do is to become a proxy and announce it to the rest of the masternodes in order for them to be able to have a view of your site through the targeted IP. But even in the case the targeted IP becomes a proxy in order to prove to the others what's happening, you can always deny that and claim that the proxy is maliciously changing your code.

I am afraid that this question is yet another question (among hundreds I have asked in this forum) that will remain unanswered.
And this vote will be yet another vote where the majority will remain horribly misguided.
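
The concern in the post above, whether every visitor is served the same encrypting script, can be checked from the client side by hashing the script exactly as served and comparing it with the digest of an audited copy. This is an added example, not part of the original post and not DashCentral's code; the script bodies, vantage-point names and function names are constructed for illustration, and it assumes the audited digest was obtained out of band.

```javascript
const crypto = require('crypto');

// SRI-style digest ("sha384-<base64>") of a script body exactly as served.
function sriDigest(body) {
  return 'sha384-' + crypto.createHash('sha384').update(body, 'utf8').digest('base64');
}

// Compare every observed copy with the digest of the audited release.
// One result per observation; a mismatch means that vantage point got other code.
function auditServedScripts(pinnedDigest, observations) {
  return observations.map(({ vantage, body }) => {
    const digest = sriDigest(body);
    return { vantage, digest, matchesAudit: digest === pinnedDigest };
  });
}

// Vantage points whose copy differs from the audited one.
function divergentVantages(pinnedDigest, observations) {
  return auditServedScripts(pinnedDigest, observations)
    .filter((r) => !r.matchesAudit)
    .map((r) => r.vantage);
}

// Constructed sample: the audited script encrypts before the form is posted.
const AUDITED = [
  'function storeKey(privkey, passphrase) {',
  '  var ct = CryptoJS.AES.encrypt(privkey, passphrase).toString();',
  '  return post("/keys", { blob: ct });',
  '}',
].join('\n');

// Constructed sample: a copy that posts the key without encrypting it.
const ALTERED = AUDITED.replace(
  'CryptoJS.AES.encrypt(privkey, passphrase).toString()',
  'privkey'
);

const PINNED = sriDigest(AUDITED); // assumption: digest of the audited copy
const OBSERVED = [
  { vantage: 'home-connection', body: AUDITED },
  { vantage: 'vpn-exit', body: AUDITED },
  { vantage: 'masternode-host', body: ALTERED },
];

console.log('divergent:', divergentVantages(PINNED, OBSERVED));
```

A saved copy of the served script together with its digest gives the affected user something concrete to publish and compare with copies fetched by others.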

demo

<vote history>
Dashcentral.org asks for your Masternode's private key. Is it safe for you to give it to them?
yes 4 vote(s) 80.0%
*no 1 vote(s) 20.0%
other 0 vote(s) 0.0%
</vote history>
 

Naruto

The worst case in this situation will be that the voting private key is leaked and someone can vote on your behalf. Since the real owner controls the MN, after the owner finds out, he/she will change the private key. I assume the vote will become invalid then. Right?

 

TroyDASH

I wouldn't do it with the privkey to the collateral, but the risk of compromising the voting privkey is low, and even if it was leaked and dashcentral had malicious intent and they started voting with other people's MNs, it would get discovered and people would just change their keys.
 

demo

TroyDASH said:
I wouldn't do it with the privkey to the collateral, but the risk of compromising the voting privkey is low, and even if it was leaked and dashcentral had malicious intent and they started voting with other people's MNs, it would get discovered and people would just change their keys.

Firstly, it cannot be proved that the maliciousness occurs, so it cannot be discovered.
Secondly, it is easy to target ignorants that do not know what a javascript is or what a privkey really is. Or, even better, target the lurkers, those who commit the voting apathy sin. That way a maliciously operated dashcentral can change the vote after a long enough period of time when the ignorants/lurkers have forgotten that they have voted and what and if they have voted. That way they can defund legitimate longstanding proposals, promote others, or even worse, downvote or upvote critical governmental decisions of Dash.

And in order for the naiveness, stupidity or maliciousness of the current Dash generation to be revealed to the future generations, let's keep the vote history.
<vote history>
Dashcentral.org asks for your Masternode's private key. Is it safe for you to give it to them?
yes 7 vote(s) 87.5%
*no 1 vote(s) 12.5%
other 0 vote(s) 0.0%
</vote history>
 

rango

If the website turns malicious and a modified JS grabs your mn privkey it can be used to vote for a malicious proposal, correct. The damage is limited to the money of the proposal. DC would be burned after first occurrence of a voting irregularity.

The way it's implemented is as secure as it can be implemented with a website. No way to do it better. Protonmail does it the same way.

So, if you want to improve the voting security and simplicity of voting, put your personal money and time into mobile and desktop voting apps with code audits (as I did with dashcentral). I would be happy to see some of these.
 

demo

rango said:
If the website turns malicious and a modified JS grabs your mn privkey it can be used to vote for a malicious proposal, correct. The damage is limited to the money of the proposal. DC would be burned after first occurrence of a voting irregularity.

It is more severe than you think. It is not just the money of a monthly budget proposal. It is mainly about lurkers, about the proposals lasting several months, and even more it is about the severe governmental decisions that may stand into the budget system. I already explained above. And of course the important thing is that the maliciousness cannot be proved. So by using smart propaganda, by accusing the complainants of being trolls, people may be convinced that a malicious DC is innocent.

rango said:
The way it's implemented is as secure as it can be implemented with a website. No way to do it better. Protonmail does it the same way.

Are you sure there is no better way?

rango said:
So, if you want to improve the voting security and simplicity of voting, put your personal money and time into mobile and desktop voting apps with code audits (as I did with dashcentral). I would be happy to see some of these.

I agree with this.

<vote history>
Dashcentral.org asks for your Masternode's private key. Is it safe for you to give it to them?
yes 8 vote(s) 88.9%
*no 1 vote(s) 11.1%
other 0 vote(s) 0.0%
</vote history>
 