Silk Road forums

Discussion => Security => Topic started by: aceeca on July 13, 2012, 03:16 pm

Title: Question for sellers regarding PGP
Post by: aceeca on July 13, 2012, 03:16 pm
Is it cool to use privnote.com rather than a public key? It's all I've ever used and haven't had any problems yet.
Title: Re: Question for sellers regarding PGP
Post by: LouisCyphre on July 13, 2012, 03:43 pm
Is it cool to use privnote.com rather than a public key? It's all I've ever used and haven't had any problems yet.

There are some threads in the Security section on just how awful privnote.com is.  I wouldn't want to bet my liberty on that site.
Title: Re: Question for sellers regarding PGP
Post by: ccxv01 on July 13, 2012, 03:48 pm
https://www.igolder.com/PGP/encryption/

You can encrypt to sellers without downloading anything. Just use that.
Title: Re: Question for sellers regarding PGP
Post by: LouisCyphre on July 13, 2012, 03:59 pm
https://www.igolder.com/PGP/encryption/

You can encrypt to sellers without downloading anything. Just use that.

I'd be cautious about any external site taking care of the encryption or decryption process for you.

You're much better off in the long run installing and learning the GPG software.
Title: Re: Question for sellers regarding PGP
Post by: aceeca on July 13, 2012, 04:18 pm
Do you think privnote.com in combination with https://www.igolder.com/PGP/encryption/ would be adequately safe?
Title: Re: Question for sellers regarding PGP
Post by: club on July 13, 2012, 04:37 pm
You being in trouble with the law is at stake.
PGP has never been cracked. As I recall, MIT even held a worldwide "contest" with a huge money prize if someone could crack a PGP encrypted message, and no one ever could.
Who knows if the same can be said about privnote?

I think the answer is obvious.
Title: Re: Question for sellers regarding PGP
Post by: LouisCyphre on July 13, 2012, 04:48 pm
Do you think privnote.com in combination with https://www.igolder.com/PGP/encryption/ would be adequately safe?

Nope.  Both sites have the potential to retain plain text of the messages you create and the igolder.com site could also store your private key and passphrase if you create your keypair there or decrypt messages there.
Title: Re: Question for sellers regarding PGP
Post by: LouisCyphre on July 13, 2012, 05:19 pm
pgp is a cryptographic suite, not an algorithm so there's nothing to crack ;)

Heh.  Pedant.  :)
Title: Re: Question for sellers regarding PGP
Post by: joepinko on July 13, 2012, 08:27 pm
Wouldn't it be safer to use just plain text over SR rather than privnote?
Title: Re: Question for sellers regarding PGP
Post by: jameslink2 on July 14, 2012, 01:51 am
The odds of Silk Road being compromised are low, but non-zero.
low?! are you aware of the vuln history of this site? :P

http://dkn255hz262ypmii.onion.to/index.php?topic=3295.0
http://dkn255hz262ypmii.onion.to/index.php?topic=3304.0
http://dkn255hz262ypmii.onion.to/index.php?topic=3445.0

i've been pentesting the site for $ from admin for a while now and imho it's still held together by baling wire and prayers

Those topics are the perfect example of why EVERYONE should be using PGP/GPG!!!!!!!!!!!!

Thank you
Title: Re: Question for sellers regarding PGP
Post by: LouisCyphre on July 14, 2012, 04:01 pm
Those topics are the perfect example of why EVERYONE should be using PGP/GPG!!!!!!!!!!!!

Exactly!
Title: Re: Question for sellers regarding PGP
Post by: mushitup on July 15, 2012, 05:42 am
When I open a privnote link in the browser I use for SR it comes up blank and deletes the link.  It's a cool idea but a horrible implementation with all the scripting involved among other things listed above.

Any orders placed with a privnote link in the address field get cancelled on my end, it's annoying.  PGP is easy enough to implement if you're worried about using plain text on SR, please do.
Title: Re: Question for sellers regarding PGP
Post by: joepinko on July 16, 2012, 11:26 pm
But isn't the plain text address deleted after the sale is completed?

Do not get me wrong, I am not saying to not use PGP.
Title: Re: Question for sellers regarding PGP
Post by: jameslink2 on July 17, 2012, 12:36 am
But isn't the plain text address deleted after the sale is completed?

Do not get me wrong, I am not saying to not use PGP.

Yes it is; however, if LE or a hacker were to breach the security of a vendor account they would have full access to your address. If you use PGP to encrypt the address then the vendor is the only one that can view it because he has the key.

It is also noted that SR has had several vulnerabilities in the past, ones that could have conceivably allowed a hacker, white hat or black hat, to access some information.

It is safer all the way around if buyers use PGP.