Quote from: om on July 16, 2012, 09:25 am
I don't use PGP. I don't see the point... from my perspective:
1. take time to learn how to use pgp
2. encrypt messages/delivery address, taking more time
3. send to vendor who has to decrypt
4. vendor prints out my plain text postal address and adds to the stack of other addresses sitting next to huge pile of drugs and money
5. vendor gets busted, and I still don't get busted because I'm in a different country

Cops in vendor's country don't bother bringing a case against you because it's not worth the effort, but they do trade the information to cops in your country in exchange for favours. Either that or the cops in both countries find a way to spin it into "an international conspiracy" and we might see you in thirty years.

Quote from: om on July 16, 2012, 09:25 am
If there's some amazing advantage to PGP that I'm missing, please enlighten me.

A long and robust history of code quality control with both PGP and GPG, although GPG probably has the edge these days since the code can be inspected by anyone and is frequently reviewed. It provides extremely strong encryption to anyone and everyone. It provides a mechanism to verify the author of a message and prevent impersonation (digital signatures). It can be used for the protection of any message based communication (you can use it outside of SR).

The security built into SR is essentially a black box; we don't know what it is really capable of or whether there are any vulnerabilities. Vendors and buyers using GPG are protecting themselves against that possibility, even if it is a slim one.

Quote from: om on July 16, 2012, 09:25 am
TOR traffic is already encrypted, is it not?

Yes, but it was never intended to be the complete solution to all circumstances. If it was, then Jacob Appelbaum wouldn't have a GPG key.

Quote from: om on July 16, 2012, 09:25 am
Plus it wouldn't be too difficult for SR to implement, there are javascript implementations of PGP around. The text fields could automatically be encrypted/decrypted...

A javascript implementation might meet your security requirements, but it doesn't meet mine. By the way, if you check the code on SR you'll notice that there isn't any javascript on the site. This is not an accident. In order to prevent the sort of vulnerabilities that extensive use of javascript often leads to, these functions would have to be moved server side, at which point a great deal of the advantage is lost. Any OpenPGP implementation which leaves private keys or passphrases or both in the hands of a third party (e.g. a server), or is able to be used in that way, is inherently flawed.