True, which is why I said that if SR required you to log in to see threads, it would be much more risky. Since you can anonymously verify your posted GPG key, it makes it much harder to MITM without being detected. If vendors and customers only transfer public keys via the PM system and do not publicly post them in a thread or profile, it would also be much more vulnerable to MITM attacks. It's also a good idea to verify the fingerprint of OTR keys over multiple channels (different exit nodes, different servers) for the same reason... but hardly anyone does this.
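An added example (not part of the original post): comparing the OpenPGP v4 fingerprint of the same key as fetched over several independent channels, so that a copy substituted on one path stands out. The channel names and key material are constructed for illustration; the fingerprint is computed as RFC 4880 section 12.2 defines it.

```python
import hashlib
import struct
from collections import defaultdict

def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then the value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880, section 5.5.2)."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880, section 12.2: SHA-1 over 0x99, 2-byte length, packet body."""
    if body[:1] != b"\x04":
        raise ValueError("not a version 4 public-key packet body")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def group_by_fingerprint(copies: dict) -> dict:
    """Map each fingerprint to the channels whose copy of the key produced it."""
    groups = defaultdict(list)
    for channel, body in copies.items():
        groups[v4_fingerprint(body)].append(channel)
    return dict(groups)

def disagreeing_channels(copies: dict) -> list:
    """Channels whose copy differs from the most common fingerprint.
    Any non-empty result means one path served a different key; it does not
    say which copy is genuine, only that the key must not be trusted yet."""
    groups = group_by_fingerprint(copies)
    majority = max(groups.values(), key=len)
    return sorted(c for chans in groups.values() if chans is not majority for c in chans)

# Constructed sample data: toy-sized numbers, not real keys.
PUBLISHED = rsa_key_body(1356998400, 0xC5A1F3B7D9E20461, 65537)
SUBSTITUTED = rsa_key_body(1356998400, 0xA7D3190B55E8F2C3, 65537)
COPIES = {
    "forum-thread-circuit-1": PUBLISHED,
    "forum-thread-circuit-2": PUBLISHED,
    "profile-page-circuit-3": PUBLISHED,
    "private-message": SUBSTITUTED,
}

if __name__ == "__main__":
    for fpr, channels in group_by_fingerprint(COPIES).items():
        print(fpr, channels)
    print("disagreeing:", disagreeing_channels(COPIES))
```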