Silk Road forums

Discussion => Security => Topic started by: Green Camel on April 03, 2013, 12:18 am

Title: PGP signing and keyservers - why not?
Post by: Green Camel on April 03, 2013, 12:18 am
Whenever I receive a PGP message, the message is never signed. Except in the rare case when the key is included with the message, I have to message back in plaintext asking for the key, which is a waste of time. Are people unaware that keyservers exist?

Here's a nice web interface, which even includes instructions on how to use the keyserver with GPG: http://qtt2yl5jocgrk7nu.onion/ (http://keys.indymedia.org/ - the .onion link doesn't work for me at the moment).

Sadly, even though my key is uploaded and I always sign my messages, nobody even bothers downloading my key - forcing me to include it with the message, which is completely unnecessary.

In short:

1. Upload your key
2. Sign your messages
3. Tell the recipient how he can download your key

Everyone benefits.
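As an added illustration of the "sign your messages" step above (example script written for this page, not code from the thread or its posters), the following creates a throwaway signing key in a temporary GNUPGHOME, clear-signs a constructed message, verifies it, and then shows that a copy with one word changed fails verification. It assumes GnuPG 2.1 or later is on PATH; the user id, message text and file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread: clear-sign and verify with GnuPG.
# Assumes gpg (GnuPG 2.1+) is installed; key, user id and message are constructed.

set -u

# Prints "GOOD BAD": the intact message verifies, the tampered copy does not.
sign_verify_demo() {
    tmp=$(mktemp -d) || return 1
    export GNUPGHOME="$tmp"
    chmod 700 "$tmp"

    # Throwaway signing key with an empty passphrase (demo only; never for a real key).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Demo Signer <demo@example.invalid>" >/dev/null 2>&1 || return 1

    # Clear-sign: the plaintext stays readable and the ASCII-armored signature follows it.
    printf 'Order 1234 confirmed, shipping Monday.\n' \
        | gpg --batch --quiet --pinentry-mode loopback --passphrase '' --clearsign \
        > "$tmp/msg.asc" 2>/dev/null || return 1

    # gpg --verify exits 0 only when the signature matches the signed text.
    intact=BAD
    gpg --batch --quiet --verify "$tmp/msg.asc" >/dev/null 2>&1 && intact=GOOD

    # Change one word inside the signed text: the digest no longer matches the signature.
    sed 's/Monday/Friday/' "$tmp/msg.asc" > "$tmp/tampered.asc"
    tampered=BAD
    gpg --batch --quiet --verify "$tmp/tampered.asc" >/dev/null 2>&1 && tampered=GOOD

    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$tmp"
    echo "$intact $tampered"
}

sign_verify_demo
```

The recipient side of the thread's step 3 is the `gpg --verify` call: it only says anything useful once the sender's public key has been imported, which is why the original poster wants keys published somewhere the recipient can fetch them.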

Title: Re: PGP signing and keyservers - why not?
Post by: astor on April 03, 2013, 12:37 am
Why not?

Because GPG doesn't support SOCKS proxies, so the user has to run a separate HTTP proxy.

Because it requires mucking around with gpg.conf, and most people are barely able to use a simplified GUI.

And because most people are not competent enough to use key servers safely. They will almost certainly screw up and fetch keys over clearnet, so all LE has to do is ask the server admins for the logs of all IPs that fetched keys X, Y and Z of known big-time drug vendors, and they are toast.

Plus, GPG has DNS leaks which one of the Tor devs is trying to patch, but it's unsafe to use for now, even over Tor.

Here's the work being done on socks support and DNS leaks: https://trac.torproject.org/projects/tor/ticket/2846