Silk Road forums
Discussion => Security => Topic started by: DrugsAreFun on July 07, 2013, 03:22 am
-
I know my PGP has been working correctly since I have done several orders and that's the only way they could have gotten my address :P
I do want to know what this warning means though. I'm going to be using the vendor Tessellated as an example only because he did a recent Reddit AMA and verifying his signature sparked my interest. I've never actually ordered from him so don't ask any questions about that heh.
http://www.reddit.com/r/SilkRoad/comments/1hjo57/i_am_tessellated_ask_me_anything/
I'm using Linux GPG version 2.0.20. When I try to verify his signature it displays the following:
gpg: Signature made Tue 02 Jul 2013 11:00:56 PM CDT using RSA key ID 497F3262
gpg: Good signature from "Tessellated"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: DC53 338E AA82 BEB9 41B5 9E26 27EC E978 497F 3262
It did successfully verify saying "Good signature" (further confirmed by me manually changing a single character in message makes it say "Bad signature"). However, it's the WARNING about a "trusted signature" that has me a little concerned.
Also, whenever I try to encrypt a message with a vendor's public key (does this every time with every vendor... not just Tessellated) it displays the following:
gpg: 3CBC4194: There is no assurance this key belongs to the named user
pub 2048R/3CBC4194 2012-10-10 Tessellated
Primary key fingerprint: DC53 338E AA82 BEB9 41B5 9E26 27EC E978 497F 3262
Subkey fingerprint: 33AF 1A2C 63DF 6B32 B7A0 CF53 68D5 41BD 3CBC 4194
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N)
And again, obviously it seems to encrypt correctly every time because that's the only way they could have gotten my address (and I've done this across multiple vendors and never received a complaint.) I'm just wondering what the deal is here.
-
Don't worry about it too much. Not all users sign their own keys (even tho it's a good idea - some programs automatically self-sign), and most SR public keys never move beyond being self-signed. Nearly everyone here is pseudonymous, and in general signing a key to verify it means you're 100% certain that a particular key belongs to the individual whose name is on it (most PGP guides have a high standard for this - f2f confirmation + id documents etc so most SR users won't have particularly "trusted" keys).
(clearnet) phildev.net/pgp/gpgsigning.html
Also, part of the trust thing is up to you. GnuGP can verify that a certain key made that signature, but you as a user are the one who needs to decide whether or not the key really belongs to Tessellated (or whomever) and to assign a trust index based on that. It's not really a widely used feature among SR members, again b/c of to the pseudonymous thing. If you wanted you could sign Tessellated's key to verify it, which as long as your own key is signed (by you) would remove that first warning.
The reason these features exist is because someone could create a key that seemed to be from Tessellated (using his name & email address) and upload that to a public keyserver or use it elsewhere while pretending to be Tessellated. They also could use his unsigned public key to create a key that not only had his name and address but also his KeyID to be even more convincing. If his key is signed, that "fake" key will generate a "BAD SIGNATURE" alert when checked.
But as long as you're reasonably sure that Tessellated's account hasn't been hacked and the PGP key on his vending account is one he posted himself you're fine. :)
-
It would be hard to create a web of trust in this community, since we avoid using key servers, so just ignore that warning.
-
Actually, the only thing we do have in that regard IS a web of trust. Just that it's out own, not that anticipated by GPGnu tutorials or what have you from the clearnet. Legit Vendors and Buyers accumulate positive feedback and scammers don't (in general).. and that imo, is a stronger... or at least as strong of a web of trust - not to mention privacy than one which allows your real personal details to be open to scrutiny by unknown outsider parties... and so yeah, the warning doesn't even apply here... :)
-
Sure, I just mean through key signing, which is what the error is about.
-
So if anyone can kindly help me understand the signature process I would appreciate it. Using tails.
For instance to verify DPR's signature. First I have imported his public key into my key manager. Next I paste his PGP signature into a text (gedit) file and save it. I right click and select "open with verify signature" which opens a file selection window, and at this point I'm lost as it seems regardless of what I select I get a "bad key" message. I've tried selecting the signature and the public key both and keep getting the same message.
What am I missing here?
-
So if anyone can kindly help me understand the signature process I would appreciate it. Using tails.
For instance to verify DPR's signature. First I have imported his public key into my key manager. Next I paste his PGP signature into a text (gedit) file and save it. I right click and select "open with verify signature" which opens a file selection window, and at this point I'm lost as it seems regardless of what I select I get a "bad key" message. I've tried selecting the signature and the public key both and keep getting the same message.
What am I missing here?
If I understand your question correctly, (I realize that you are only using DPR's key as an example) you are saying that you aren't sure if you can properly verify if the person who sends you a PGP encrypted message is really who they say they are. Please correct me if I have it wrong!
If this is your only concern.. and I'm assuming it is the "bad key" message that you keep getting. Please don't worry about that. When the writers of the tutorials (usually on the clearnet) to explain the GnuPG programs that create PGP encrypted messages and how to use them, I believe they are mainly written for the general public who thinks they have no reason to hide their real identity (and of course corporations and legal businesses, etc... would want their true identity known). Therefore they include the "verify the key" instructions.
But here on SR, we don't use our real identities at all.. not to each other and certainly not to any lurkers who may well be LE and/or alphabet soups. So therefore, it's unlikely that any Public PGP key you find here will properly "verify". But you can tell if it's who they claim to be easily enough without using that feature you describe. For one thing, if you have already contacted the person using PGP about a particular thing, and they answer also in PGP appropriately, that is prettty good proof that they are indeed who they claim to be. Also, most of us use our SR username where they ask for "name" when setting up the keypair, as well as most of us use a fake email address. I don't know how everybody does it.. I've seen some with tormail email addresses with their username. You can find this info as well as their key identifier number after you import their public key by right clicking on the name on the key you just imported. It may vary a bit from program to program, but you should see someplace to click then that says something like "show key details". If you see the same name as the username of the person who claims to own the key and you have reason to be expecting to hear from them... or if they contact you about something that you would not find strange if you got the same message in plain text... then it is more than likely them. If you further want to be absolutely sure, you can send some sort of a reply back using that person's public key that they have posted here. If they reply, then you know it is the same person they claim to be as they woud be the only one with the other half of the key - the secret key as well as their passphrase that is necessary for the keypair to work.
Hope that made sense and is of any help to you.. :)
[EDIT]: I forgot to mention when I mentioned somewhere that I see a lot of other people's key details who use a tormail address. I've never in the past tried to verify if the tormail is actually their own or if they just made it up... as it's not really important and many people just plain make up email addresses off the top of their head - as long as it's in email format, it really doesn't matter. But, just tonight, I found when signing into the SR Site, that there is a "Click for Security Alert" at the top of the page. Idk if you have already been there and read that thread or not, but in case you haven't, and I'm still trying to figure out how serious the problem is and who is and isn't affected (and I really don't know if it makes any difference at all when using a tormail just to fill in the email section when creating a PGP keypair or not)... but just in case as of now, I'd probably just to be on the safe side, make some email address that is not a tormail... just my suggestion... probably not necessary, but just wanted to mention anyway... good luck!
-
So if anyone can kindly help me understand the signature process I would appreciate it. Using tails.
For instance to verify DPR's signature. First I have imported his public key into my key manager. Next I paste his PGP signature into a text (gedit) file and save it. I right click and select "open with verify signature" which opens a file selection window, and at this point I'm lost as it seems regardless of what I select I get a "bad key" message. I've tried selecting the signature and the public key both and keep getting the same message.
What am I missing here?
If I understand your question correctly, (I realize that you are only using DPR's key as an example) you are saying that you aren't sure if you can properly verify if the person who sends you a PGP encrypted message is really who they say they are. Please correct me if I have it wrong!
If this is your only concern.. and I'm assuming it is the "bad key" message that you keep getting. Please don't worry about that. When the writers of the tutorials (usually on the clearnet) to explain the GnuPG programs that create PGP encrypted messages and how to use them, I believe they are mainly written for the general public who thinks they have no reason to hide their real identity (and of course corporations and legal businesses, etc... would want their true identity known). Therefore they include the "verify the key" instructions.
But here on SR, we don't use our real identities at all.. not to each other and certainly not to any lurkers who may well be LE and/or alphabet soups. So therefore, it's unlikely that any Public PGP key you find here will properly "verify". But you can tell if it's who they claim to be easily enough without using that feature you describe. For one thing, if you have already contacted the person using PGP about a particular thing, and they answer also in PGP appropriately, that is prettty good proof that they are indeed who they claim to be. Also, most of us use our SR username where they ask for "name" when setting up the keypair, as well as most of us use a fake email address. I don't know how everybody does it.. I've seen some with tormail email addresses with their username. You can find this info as well as their key identifier number after you import their public key by right clicking on the name on the key you just imported. It may vary a bit from program to program, but you should see someplace to click then that says something like "show key details". If you see the same name as the username of the person who claims to own the key and you have reason to be expecting to hear from them... or if they contact you about something that you would not find strange if you got the same message in plain text... then it is more than likely them. If you further want to be absolutely sure, you can send some sort of a reply back using that person's public key that they have posted here. If they reply, then you know it is the same person they claim to be as they woud be the only one with the other half of the key - the secret key as well as their passphrase that is necessary for the keypair to work.
Hope that made sense and is of any help to you.. :)
[EDIT]: I forgot to mention when I mentioned somewhere that I see a lot of other people's key details who use a tormail address. I've never in the past tried to verify if the tormail is actually their own or if they just made it up... as it's not really important and many people just plain make up email addresses off the top of their head - as long as it's in email format, it really doesn't matter. But, just tonight, I found when signing into the SR Site, that there is a "Click for Security Alert" at the top of the page. Idk if you have already been there and read that thread or not, but in case you haven't, and I'm still trying to figure out how serious the problem is and who is and isn't affected (and I really don't know if it makes any difference at all when using a tormail just to fill in the email section when creating a PGP keypair or not)... but just in case as of now, I'd probably just to be on the safe side, make some email address that is not a tormail... just my suggestion... probably not necessary, but just wanted to mention anyway... good luck!
Foxen624, thanks very much for you time and input here but no unfortunately this is not what I mean, and maybe I'm trying to do something that' impossible, idk.
I understand how to use someone's public key to encrypt a message sent to them that only they can read, and vice versa that someone uses my public key to generate a message that only I can read. That's pretty clear (took me a minute to figure out) but I understand it.
What I don't understand and am trying to figure out, is how you verify someone's PGP signature. So for example, as you mentioned the warning message on SR that directs to a post on the forum by DPR, he has his message then at the bottom he lists his PGP signature. How do you verify that his PGP signature is valid and that it's actually him (just DPR not the real ID of course) posting the message? I know he does this so anyone looking will be able to verify that PGP signature and confirm that is in fact the actual DPR and not some LE (or hacker I suppose) that compromised his servers and took over his account.
Maybe my understanding here is all wrong, and if that is case maybe the basic question I should be asking is, what is the PGP signature used for when someone posts it publicly as he does on most of his posts?
Thanks again for your help. This is one of the few things regarding the whole process that I don't quite understand, and I know it's really irrelevant in regards to placing orders etc... but like many on here, I want to know when we get a message from DPR stating it's really him and all is well, that it is in fact DPR, and I can verify this as others do.
-
What I don't understand and am trying to figure out, is how you verify someone's PGP signature. So for example, as you mentioned the warning message on SR that directs to a post on the forum by DPR, he has his message then at the bottom he lists his PGP signature. How do you verify that his PGP signature is valid and that it's actually him (just DPR not the real ID of course) posting the message? I know he does this so anyone looking will be able to verify that PGP signature and confirm that is in fact the actual DPR and not some LE (or hacker I suppose) that compromised his servers and took over his account.
Maybe my understanding here is all wrong, and if that is case maybe the basic question I should be asking is, what is the PGP signature used for when someone posts it publicly as he does on most of his posts?
DPR's public key that you imported into your key manager... that key itself must be "signed". Depending on the program you're using, it may only take something as simple as you right clicking on DPR's key and selecting "sign". Now when you go to verify something from him, if it matches that key you signed off on, it will tell you so.
But like the others were trying to tell you, there's more to it...
-
What I don't understand and am trying to figure out, is how you verify someone's PGP signature. So for example, as you mentioned the warning message on SR that directs to a post on the forum by DPR, he has his message then at the bottom he lists his PGP signature. How do you verify that his PGP signature is valid and that it's actually him (just DPR not the real ID of course) posting the message? I know he does this so anyone looking will be able to verify that PGP signature and confirm that is in fact the actual DPR and not some LE (or hacker I suppose) that compromised his servers and took over his account.
Maybe my understanding here is all wrong, and if that is case maybe the basic question I should be asking is, what is the PGP signature used for when someone posts it publicly as he does on most of his posts?
You are going around verifying the signature the right way, there's just a weird issue with his latest signed message, if you're copying it to verify (at least with a webkit-based browser). See the 2 spaces before "Of course"? One is actually a different space character when you copy it out of the browser; delete both spaces and then press space twice to add back normal spaces, and then it should verify, saying "Good signature".
That then proves that the person who wrote the message had access to DPR's private key. Which is hopefully just DPR.
-
What I don't understand and am trying to figure out, is how you verify someone's PGP signature. So for example, as you mentioned the warning message on SR that directs to a post on the forum by DPR, he has his message then at the bottom he lists his PGP signature. How do you verify that his PGP signature is valid and that it's actually him (just DPR not the real ID of course) posting the message? I know he does this so anyone looking will be able to verify that PGP signature and confirm that is in fact the actual DPR and not some LE (or hacker I suppose) that compromised his servers and took over his account.
Maybe my understanding here is all wrong, and if that is case maybe the basic question I should be asking is, what is the PGP signature used for when someone posts it publicly as he does on most of his posts?
You are going around verifying the signature the right way, there's just a weird issue with his latest signed message, if you're copying it to verify (at least with a webkit-based browser). See the 2 spaces before "Of course"? One is actually a different space character when you copy it out of the browser; delete both spaces and then press space twice to add back normal spaces, and then it should verify, saying "Good signature".
That then proves that the person who wrote the message had access to DPR's private key. Which is hopefully just DPR.
To Boaclon and all the others that helped me out...THANK YOU VERY MUCH!!!
First without pointing out the issue above of course I would have never figured this out, and it got me started down the path to complete understanding.
Of course it was a stupid newb issue that caused it, which was that I was taking the PGP message and attempting to decrypt it at the file level and not the text level, but never the less I understand now and without everyone here's help I would not have so thanks again!