I am wondering what should be done when a popular question is getting answers that are downright incorrect, to the point of being dangerous? When it's just one answer, the solution is simple, but in this case it is nearly all answers, and they all have high upvotes.

"How great is the risk in publicly sharing part of a private key?" is the question in mind. In it, someone is asking what the danger of revealing a small part of the private key is. While his example size was 256 bits, it seemed fairly clear that he was talking about public key cryptography. The answers involved some of the following (paraphrased):

  • Why would you want to do that? Just share the public key.
  • Leaking only a tiny bit doesn't matter. A 4k key with 2048 bit leaked still has a 2^2048 keyspace.
  • Brute force is easier than factoring so it's fine to leak a little bit.
  • It doesn't matter what part of the key is leaked. n bits is n bits.

All of these are incorrect or non-answers. For example, it is untrue that leaking a small bit of a private key is safe, because only a tiny tiny fraction can completely destroy the security, whereas if all that is leaked is the exponent, no security is lost at all. I found only one answer that was correct in the comments:

All information in a private key is not equal, so there is no "equivalent factor". Leak the modulus or public exponent and nothing happened (versus sharing the public key). Leak "50%" of the prime numbers and you're 100% boned

However, this patently incorrect comment has double the upvotes:

As factoring semiprimes is assumed to be so secure that brute force is the best possible attack

This should not be happening, especially with something this basic. If this question were moved to Crypto.SE, the answers wouldn't even be close to acceptable. What can be done about this? Should it be moved to Crypto.SE to let the answers get the downvotes they deserve? Should I just ignore it and move on?

    On a positive note, now the top two answers are both correct and highlight the risks.
    As a note, this question got into HNQ that is available on the right sidebar on almost all sites, thus this question got an exceptional exposure from anyone on SE. Unfortunately, some of them have various knowledge & understanding but yet were brave enough to "contribute" (comment/post an answer). That's the source of the problem that we don't have the solution for until now.
    Yeah I realized. That kind of overexposure can be good or bad. I'm glad people decided to answer, but it's security where accuracy is vitally important, not something like English.SE where a bad answer is just slightly irritating. I imagine some sites like Aviation.SE or Law.SE have similar issues.
    The standard SE advice is to downvote and flag, but that never works in a significant fraction of the most egregious errors. Especially if the question gets onto the Hot-Network-Questions, in which case you can say goodbye to correctness. An alternative is to complain about it in the chat-rooms, and hopefully some experts will take notice and help. By the way, I noticed that you say on your profile that you lost access to three previous accounts. So see here.
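
The claim in the question and in the quoted comment, that key material is not interchangeable bit for bit, can be checked with toy numbers. This is an added example, not part of the original thread; the primes, exponent and function names are constructed for illustration and are far too small for real use.

```python
# Added illustration: every number here is constructed for the demo.
P = 2**61 - 1            # constructed demo prime (Mersenne prime M61)
Q = 2**89 - 1            # constructed demo prime (Mersenne prime M89)
E = 65537                # public exponent
N = P * Q                # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent the key owner holds


def naive_unknown_bits(secret_bits, leaked_bits):
    """The 'n bits is n bits' estimate: each leaked bit removes one unknown bit."""
    return secret_bits - leaked_bits


def recover_private_exponent(n, e, leaked_prime):
    """Rebuild d from the public key (n, e) plus one leaked prime factor."""
    if leaked_prime <= 1 or n % leaked_prime != 0:
        raise ValueError("leaked value is not a prime factor of n")
    other_prime = n // leaked_prime
    return pow(e, -1, (leaked_prime - 1) * (other_prime - 1))


def leak_is_new_information(leaked_value, public_key):
    """Values already in the public key (n or e) tell an observer nothing new."""
    return leaked_value not in public_key


if __name__ == "__main__":
    secret_bits = P.bit_length() + Q.bit_length()      # 61 + 89 = 150
    print("naive estimate after leaking p:",
          naive_unknown_bits(secret_bits, P.bit_length()), "unknown bits")
    d = recover_private_exponent(N, E, P)
    print("actual result, private exponent recovered:", d == D)
    print("leaking e is new information:", leak_is_new_information(E, (N, E)))
```
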
The simple answer is to use your votes and flags.

Yep - that's pretty much it. This has been discussed at length on various site metas (especially on DIY, where a mistake could be life threatening) and the general consensus is to use votes and flags.

Enough flags gets things removed (and individuals with high rep in a particular tag can also expedite removal) and enough downvotes makes posts fall to the bottom.

As a complement to Rory's answer I would like to add: Comment! Engage with posters in a constructive manner! In a nice way, point out errors and suggest solutions. A highly upvoted accepted answer is unlikely to go away from the top spot, but that does not mean it cannot be fixed.

    A good comment will also signal to other readers that they 'should' downvote the answer because it is incorrect.
Upvotes on wrong but nice-looking answers tend to accumulate because they come from people who are not site regulars, and are not experts themselves, but have been attracted to the question because it was linked outside the site (in the Stack Exchange “hot questions”, on Reddit, on Hacker News, …). An answer that is well-written and looks convincing to a non-expert is likely to rise to the top in these circumstances.

Moving the answer to another site wouldn't help. The problem is not that the Security.SE community didn't see the problem with the answer.

You need to do three things, all of which are important.

  • Downvote the answer. Downvoting is the main signal to convey that the answer is bad.
  • If there is a comment that politely and clearly explains the flaw, upvote it. Otherwise write one.
  • If there are one or more correct answers, upvote them. Otherwise, or if you have something significant to add to the existing answers, write one.

Then link the answer in the Sec.SE chat or show it to your competent friends and let them judge the answer for themselves. If the answer is genuinely bad, it's likely to accumulate a few downvotes that way, and your comment is likely to accumulate some upvotes which make it a bit more visible.

In the best case, the answerer will understand and admit the flaw, and will either edit their answer to correct it or delete it.

If the answer is genuinely dangerous, it may be removed by moderators. But the standard for dangerosity is pretty high. “This isn't best practice” is not high enough. “This is mind-bogglingly stupid and may get you hacked” may or may not be.

If it's any consolation, good answers do have a decent chance of surfacing up over time, if they aren't drowned in a sea of bad answers. During the thread's 15 minutes of fame, most visitors have little competence and only a casual interest. But over time, a far larger proportion of visitors have a genuine interest in the topic, and they're more likely to read multiple answers and form an informed opinion, if they aren't experts. A noticeable example of this phenomenon is the XKCD password question. It had an answer from the founder of Stack Overflow, and for a while that was the top-ranking answer. That answer has laughable logic (do the math, then ignore the math because the conclusion wasn't the one the author wanted), but it's well-written and by a household name to the kind of visitors who flocked in initially, so it got upvotes. But after two years this bad answer was only a distant #2, and a bit later it was relegated to #3, now a distant #3. So while I wish this answer wasn't present, it didn't turn out to be fatal either.

