Silk Road forums

Discussion => Security => Topic started by: abby on July 27, 2013, 11:17 am

Title: how safe is it to upload a public key to the GnuPG key server?
Post by: abby on July 27, 2013, 11:17 am
I was having a closer look at gpg4win the other day and started looking at the key server.  It appears that only the public key part is loaded and can be retrieved and retrieval is beautifully quick and easy compared to creating a text file and loading it.

Which got me thinking about its use for vendors here.  If vendors loaded their key and gave their key ID on their vendor page, it might make people use encryption more because it is so easy to get the key. 

But what are the risks of loading it? I can't find anything on what data the server stores, so I don't know if doing it would expose anything.  I would assume that they don't store anything more than the key details because of the known users (dissidents etc.), but I just don't know.

Also, I keep finding conflicting information about the individual key servers that are around.  I read that they share their keys, so it doesn't matter which PGP vendor is used, anyone can access it, but then I also read that they stay on the individual vendor's server.  Does anyone know which is right?  If they are shared then it doesn't matter what flavour of PGP you use, as you should be able to access the key.

If there is no risk and keys are shared it may be another way to encourage people to use encryption.  I know I'd certainly look more favourably on a new-to-me vendor who had a key ID rather than having to jig around with the text file.

So, does anyone know the answer to my questions?
Title: Re: how safe is it to upload a public key to the GnuPG key server?
Post by: astor on July 27, 2013, 01:24 pm
The risk is that key servers log IP addresses, like 99.9% of servers on the internet. So if you are a vendor and you upload your key over clearnet and tell everyone to get your key from that key server, then LE can go to the server operators and ask which IP that specific request came from. Even if the vendor used a proxy, LE could enumerate some of his buyers by looking at which IPs have been retrieving the key.

You can configure some PGP clients to use proxies. In fact, you can configure them to connect over Tor if you use an HTTP proxy to forward to Tor's SOCKS port, but there's way too much risk of fucking up for the average person to do that.

You should not use key servers for any SR related activity. Vendors should never use key servers, and therefore buyers have no reason to use them, as they shouldn't.
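The point astor makes above is that the server sees, and usually logs, who asked for which key. The following is an added example, not code from this thread or from any key server: it builds the HKP lookup URL a client sends (the `op=get&options=mr&search=0x...` form GnuPG's HKP helper uses), then parses a handful of constructed Apache "combined" style log lines to show how an operator, or anyone handed the logs, can list every IP that fetched a given key ID. The IP addresses, timestamps and key IDs in the sample are made up for this example, and the log format is an assumption about how such a server would be configured.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample access log for an HKP key server (Apache "combined" format).
# Every line is invented for this example: the IPs come from documentation
# ranges and the key IDs are placeholders, not real keys.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jul/2013:11:20:01 +0000] "POST /pks/add HTTP/1.1" 200 0 "-" "GnuPG/1.4.14"
198.51.100.23 - - [27/Jul/2013:12:02:44 +0000] "GET /pks/lookup?op=get&options=mr&search=0xDEADBEEF01234567 HTTP/1.1" 200 3124 "-" "GnuPG/1.4.14"
198.51.100.23 - - [27/Jul/2013:12:02:45 +0000] "GET /pks/lookup?op=get&options=mr&search=0xDEADBEEF01234567 HTTP/1.1" 200 3124 "-" "GnuPG/1.4.14"
203.0.113.99 - - [28/Jul/2013:03:15:09 +0000] "GET /pks/lookup?op=get&search=0xDEADBEEF01234567 HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.50 - - [28/Jul/2013:09:41:30 +0000] "GET /pks/lookup?op=vindex&search=alice%40example.org HTTP/1.1" 200 812 "-" "GnuPG/2.0.20"
192.0.2.8 - - [28/Jul/2013:10:00:00 +0000] "GET /pks/lookup?op=get&search=0x0123456789ABCDEF HTTP/1.1" 200 2988 "-" "GnuPG/1.4.14"
"""

# Apache combined log line: ip ident user [timestamp] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def hkp_lookup_url(server, keyid):
    """The request an HKP client sends to fetch a key: the key ID is in the query
    string, so the server (and its access log) learns which key was wanted."""
    return f"http://{server}/pks/lookup?op=get&options=mr&search=0x{keyid.upper()}"


def normalize_keyid(search):
    """'0xDEADBEEF01234567' -> 'DEADBEEF01234567'; non-key searches (emails) unchanged."""
    if search and search.lower().startswith("0x"):
        return search[2:].upper()
    return search


def parse_log(text):
    """Parse log lines into dicts, pulling op= and search= out of the lookup URL."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail on them
        entry = m.groupdict()
        query = parse_qs(urlparse(entry["path"]).query)
        entry["op"] = query.get("op", [None])[0]
        entry["search"] = query.get("search", [None])[0]
        entries.append(entry)
    return entries


def retrievers_of(entries, keyid):
    """Map each IP that successfully fetched the given key ID to its request timestamps.
    A short (8 hex digit) ID is matched as a suffix of the long ID, the way HKP does."""
    want = keyid.upper()
    hits = defaultdict(list)
    for e in entries:
        if (e["method"] == "GET" and e["op"] == "get" and e["status"] == "200"
                and (normalize_keyid(e["search"]) or "").endswith(want)):
            hits[e["ip"]].append(e["ts"])
    return dict(hits)


def uploaders(entries):
    """IPs that submitted keys via POST /pks/add. The key itself is in the request
    body, not the URL, so the log alone shows only who uploaded and when; the
    operator who stored the body can still tie that submission to a key."""
    return sorted({e["ip"] for e in entries
                   if e["method"] == "POST" and urlparse(e["path"]).path == "/pks/add"})


if __name__ == "__main__":
    print(hkp_lookup_url("keys.example.org", "deadbeef01234567"))
    log = parse_log(SAMPLE_LOG)
    print("uploaders:", uploaders(log))
    for ip, times in retrievers_of(log, "DEADBEEF01234567").items():
        print(f"{ip} fetched the key {len(times)}x, first at {times[0]}")
```

Running this against the sample lists the single uploading IP and the two IPs that fetched the placeholder key, with the short-ID lookup matching the same requests. On the proxy point astor raises: GnuPG 1.4 and 2.0 take `keyserver-options http-proxy=http://127.0.0.1:8118` in gpg.conf, pointing at an HTTP proxy that forwards to Tor's SOCKS port, which is exactly the setup described; later releases (the 2.1 series onward) move key server access into dirmngr, whose dirmngr.conf has `use-tor`. Either way a DNS leak or a client that ignores the setting still exposes the request, which is the "risk of fucking up" the post refers to.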
Title: Re: how safe is it to upload a public key to the GnuPG key server?
Post by: mcguire39 on July 27, 2013, 01:30 pm
It does seem risky. I can't see it making it easier really, because you'd have to copy and paste the keyid anyway, so why not just copy the vendor's key and 'import from clipboard' in GPG4USB?
Title: Re: how safe is it to upload a public key to the GnuPG key server?
Post by: abby on July 27, 2013, 01:50 pm
The risk is that key servers log IP addresses, like 99.9% of servers on the internet. So if you are a vendor and you upload your key over clearnet and tell everyone to get your key from that key server, then LE can go to the server operators and ask which IP that specific request came from. Even if the vendor used a proxy, LE could enumerate some of his buyers by looking at which IPs have been retrieving the key.

You can configure some PGP clients to use proxies. In fact, you can configure them to connect over Tor if you use an HTTP proxy to forward to Tor's SOCKS port, but there's way too much risk of fucking up for the average person to do that.

You should not use key servers for any SR related activity. Vendors should never use key servers, and therefore buyers have no reason to use them, as they shouldn't.


Thanks, that's pretty definitive. :)

It does seem risky. I can't see it making it easier really, because you'd have to copy and paste the keyid anyway, so why not just copy the vendor's key and 'import from clipboard' in GPG4USB?

I use the GPA app of gpg4win and that has no feature I can find to import from the clipboard.  Which is why I was looking around.  The only way I've worked out to get the things in is by creating a text file and loading it.
Title: Re: how safe is it to upload a public key to the GnuPG key server?
Post by: CannabisConsumer on July 27, 2013, 11:00 pm
At the moment this is not possible, but in the future when quantum computation technology really comes to fruition, the public key will make their job of finding your private key a lot easier, because it could mathematically be deduced.