by themenace 4612 days ago
I'm not seeing the risk if it's a publicly available address. Analogy:

They tested every door lock in America.

They found that 64,000 door locks are trivially opened.

They put up a website where you can enter your home address to see if you're vulnerable.

If you enter your home address ("123 Maple Street"), they could lie and tell you that you're secure, but then go and rob you.

The thing is that they already knew whether 123 Maple Street was secure or not. They could have robbed you beforehand.

(Also, let's say that they never tested 123 Maple Street, and they tell you arbitrarily that you're secure. In this case, they still haven't gained any new knowledge.)

1 comments

This isn't it at all.

They have been handed a giant pile of all keys to all homes in America. They went through the pile and found all but 64,000 keys to be too damaged to be usable. Those 64,000 keys are perfectly good, but they don't know which homes they belong to.

They open up a shop allowing people to come in with their lock to check if their key is one of the 64,000. Do you go to check? Do you drive? Or do you go wearing a mask on your face and take public transit (VPN + tor)?

Unless I misunderstood, they know which keys belong to which houses. They successfully factored those keys, and unless they threw the metadata away they still know the domain that is using that key.

And if they did throw the metadata away, they still have this pile of 64,000 prime factors. They can ask the domains for their public keys again and test if any of those factors matches.
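The check described in the comment above, testing freshly collected public keys against a pile of recovered prime factors, as an added example that is not part of the thread. The same check lets a key owner audit their own moduli offline against a published factor list; the primes and host names below are constructed, toy-sized values.

```python
from math import gcd, prod

# Constructed sample data: Mersenne primes stand in for recovered RSA factors.
# Real RSA primes are 512 bits or more; these are small so the example is readable.
P61, P89, P107, P127 = (2**e - 1 for e in (61, 89, 107, 127))

KNOWN_PRIMES = [P61, P89]          # the "pile" of recovered prime factors

SAMPLE_MODULI = {                  # hypothetical hosts and their public moduli
    "a.example": P61 * P107,       # shares a prime with the pile
    "b.example": P107 * P127,      # shares nothing with the pile
    "c.example": P89 * P127,       # shares a prime with the pile
}


def audit(moduli, known_primes):
    """Map each affected name to the known primes that divide its modulus.

    A single gcd against the product of all known primes filters out
    unaffected moduli cheaply; only hits are then matched prime by prime.
    """
    product = prod(known_primes)
    hits = {}
    for name, n in moduli.items():
        if gcd(n, product) == 1:
            continue               # no factor in common with the pile
        hits[name] = [p for p in known_primes if n % p == 0]
    return hits


if __name__ == "__main__":
    for name, factors in audit(SAMPLE_MODULI, KNOWN_PRIMES).items():
        n = SAMPLE_MODULI[name]
        for p in factors:
            # Knowing one prime gives the other by division, so the key is broken.
            print(f"{name}: modulus shares a known factor; cofactor = {n // p}")
```

Any modulus reported here needs a new key pair, since one known prime yields the private key.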

> they know which keys belong to which houses

Needs to be corrected to "they claim to know which keys belong to which houses", right?

Well, they did collect all the keys from their respective houses – the only thing stopping them knowing which key goes with which house is poor record keeping on their part…