[enscr]

Conspiracy theory : Is directory.io phishing ?

It is possible that people would try to find their private key on directory.io for fun. You can do that by jumping to the relevant page. Meanwhile, the servers at directory.io would cache the GET requests and blast through the handful of keys on that page.

The site is likely generating the pages on the fly. You can type directory.io/<any number upto x>

x : 904625697166532776746648320380374280100293470930272690489102837043110636675

[fiveturns]

Author here.

Somebody did set up a website somewhere that allowed users to see if their private key was in the "database". It would jump them to the correct page, and, steal their private key in the process.

I didn't like them potentially stealing my revenue, so I implemented this feature myself. The pluses beside the private key are permalinks.

For example: http://directory.io/warning:understand-how-this-works!/5HpHa...

That's the private key in Bitcoin's importprivkey format.

I purposely didn't add a search box and named the URL's path to discourage its use.

http://directory.io/faq

(I don't actually check the logs)

[enscr]

Thanks for clarifying. Even though you may not have bad intentions, there are several points of failures e.g. server logs falling into wrong hands, man-in-the-middle-attack (using http) etc.

Maybe put a big disclaimer in red on top of every page.

[lvs]

> The site is likely generating the pages on the fly.

The site is definitely generating hashes on the fly. There is not enough known storage in the universe for all possible 32 byte private keys. To be more precise, 1E77 is within a few orders-of-mag of the estimated number of atoms in the universe.

[TrainedMonkey]

Observable universe.

[lvs]

You're right; I failed to consider the possibility that this website stores integers in the unobservable universe. My bad.

[kordless]

I'd l̶i̶k̶e̶ t̶o̶ will drink beers with you someday.

[mcherm]

Observable beers. ;-)

[mjcohen]

But not for long (at least in their original form).

[blueskin_]

Even when they become nonobservable, their former presence can still be detected.

[TrainedMonkey]

That totally happened by the way.

[13throwaway]

Directory.io is not phishing. The chances of someone finding an adress that has ever been used by anyone ever, (aside from people sending coins to the first one for fun) is impossible.

[gus_massa]

(I guess it's only a joke site.)

The problem is that some moron can enter his private key there, to see what the site says about it. Then if the owner reads the server logs, he can read the private key. To be clear, never ever never ever never ever put your private key in a random website.

I hope that most morons only know the public address (that is a hash of the public key), and don't know about the private key that is stored in a wallet. In https://www.google.com/search?q=site:Directory.io the numbers are too low, so they are probably only a few random keystrokes, not "real" private keys.

[userbinator]

> The problem is that some moron can enter his private key there, to see what the site says about it. Then if the owner reads the server logs, he can read the private key. To be clear, never ever never ever never ever put your private key in a random website.

You would think that the word "private" in "private key" would give them a clue... or do most people now not really understand the concept of privacy anymore?