Silk Road forums
Discussion => Security => Topic started by: gentlemanscholar on July 30, 2013, 04:34 am
-
Hey guys, new account here since it'll leak my identity.
I've put together an alternative to privnote as a hidden service, and you can use it at this link - http://dead6nxjwxfejydb.onion
It encrypts client-side and doesn't store the plaintext or decryption key. You can check the network traffic to ensure that.
I'm well aware that this app doesn't address all the privacy concerns, and that local PGP is substantially better. This is a first step in the right direction. I'm going to build PGP encryption into the app - it'll basically be like ask.fm, but encrypted. You'll be able to create a personal message bucket by uploading your public key. You can decrypt your messages completely locally if you're very privacy-conscious, and if you're more concerned with ease of use, I'll also build in HTML5 local storage and client-side browser decryption to make things simpler.
We've got to live with the fact that there are plenty of noobs around, and many of them are going to do what is easiest. A safer private message is a start, and easy, browser-based pgp encryption is a good follow-on. This will help them help us to maintain more of our collective security.
Looking forward to feedback,
GS
-
It's a nice web site.
Your next job is to convince me that you are not the FBI.
-
It's a nice web site.
Your next job is to convince me that you are not the FBI.
+1
In all honesty good job for creating something that is much needed. I'm sure there are new members that will avail of this.
-
Thanks, I know it's hard to put trust in an unknown site. I left the javascript un-obfuscated so that folks can verify it is safe if they want. And as I mentioned before, you can look at the network traffic to double-check as well.
Any ideas on other things that I could do to address the trust issue?
GS
-
It would be great if there was a Firefox / Tor Browser add-on that could generate a hash of a web site's JavaScript and store it, and if it changes, it would pop up a big notification, warning the user that the JavaScript has changed. Of course, then you would have to trust the add-on maker.
There are only four people that I trust in onionland, and they have all been around for over a year: DPR, the Bitcoin Fog admin, the Freedom Hosting admin, and maybe the Tormail admins. Any of them could go rogue or their servers could be taken over by LE in the future, but for now them seem legit. I don't trust random newbs who provide services, but I'm sure you'll find plenty of users among the Privnote crowd. A lot of people in this community don't care about their security and are willing to increase their attack surface with untrusted third parties (like you) for a little convenience.
-
One way to solve the trust issue is for you to release all the source code so anybody can setup his own site and use it without trusting in you.
-
Fingerprinting the javascript isn't an ideal solution, because then it would throw up warnings every time I updated the site, which will be quite frequent as I fix any bugs and add new features.
I'm glad to share the source privately with astor or another established forum member, but I don't want to publicly release it.
I've been working on the PGP portion of the site, and hopefully will have it out by next week.
GS
-
Hey guys, new account here since it'll leak my identity.
...
Looking forward to feedback,
GS
Just a little feedback here:
One is lead to wonder, "Why does it matter that your identity be leaked?" If, say, your SR forum identity is known (and trusted?) and your hidden service is legit, then why would you not offer a method to prove your identity to the people here who may possibly want to use yur service? Let's say that you are really Ashkar, and the SR forum community trusts Bella (who knows and trusts you as Ashkar). Therein, you could privately communicate with Bella so that Bella would publicly vouch for you. Another spin, and I see no reason for you to mask your identity unless of course you are completely new here and no one has established trust with you.
What do you know of psyops?
-
every time I updated the site, which will be quite frequent
That's why I've always been against web services like this. You don't know which of those updates might include malicious code, and you'd have to audit the code every time, so it ends up being less convenient than a desktop PGP app. The code in my desktop app changes a couple times a year, but it's also released to a much larger group of people who will audit it for me. Millions of people use gpg.
-
I created a new account since I'm making deadletter available via tor and clearnet, and it is trivial to look up the details behind dns records. I have other accounts and there is mutual trust between myself and other users, but it's better for all of us if we keep our identities private when we can.
I agree that the desktop PGP app is a good choice for vendors to decrypt their messages. I will be continuing to use desktop PGP myself - the site isn't a replacement for that. deadletter is on the other side of the fence - the primary use is for users to send encrypted messages to vendors conveniently without having to learn how to use PGP themselves.
To that last point, I've just added dead drop functionality - you can create a URL using your PGP public key, and users can send encrypted messages to you without having to download anything. Everything stays encrypted on the server, and since it doesn't have your private key, your messages stay private.
If you want to take a look at the updates: http://dead6nxjwxfejydb.onion/#/ or https://deadletter.io/#/
GS
-
Oh god, you have a clearnet site too. Aren't you worried about becoming a target of LE? Especially by posting here, you are openly providing support for criminal activity.