Silk Road forums

Discussion => Security => Topic started by: LouisCyphre on July 30, 2012, 05:35 am

Title: PrivacyBox HOWTO: Alternative to Privnote for address data
Post by: LouisCyphre on July 30, 2012, 05:35 am
Before reading ahead I must stress that the solution I advocate is that BOTH parties in a transaction use GPG.

This solution guarantees one-way encrypted communication with a vendor and nothing else.  It assumes a buyer who, for whatever reason, can't or won't use GPG or PGP.  For two-way encrypted communication both parties must be using GPG or PGP.


REQUIREMENTS

1) Vendor with a working installation of GPG or PGP.
2) Vendor with a working Tor Mail account or other anonymous/pseudonymous email account.

Note: The PrivacyBox service supports S/MIME and unencrypted forwarding or email retrieval.  I do NOT recommend any of these options.  Buyers wishing to contact a vendor through PrivacyBox should confirm that the vendor does have a PGP key on their vendor page.


INSTRUCTIONS

Step One

Go to the PrivacyBox Tor page: http://c4wcxidkfhvmzhw6.onion/index.en.html

Note: PrivacyBox is maintained by the German Privacy Foundation and is available in German, French, Russian and Portuguese.

Then click on "Create account" link.

Step Two

Enter your Tor Mail or other email drop address and click the "next step" button.

Step Three

Enter a username (ideally one that matches or closely matches your SR username).

Enter a suitably complex password.

Step Four

You should be taken to the admin page, if not then login with the details you just set to get to the admin page.

You will see the URLs your PrivacyBox forwarding server can be accessed.  One of these is a Tor address.  Make a note of this for your vendor page or future communication with a buyer.

Step Five

In the "forward of incoming messages" section select the "forward to an externam mail account" and enter your Tor Mail address (remember it is now @tormail.org and not @tormail.net).

Note: if you are using an I2P address there is a special forwarding option below with specific instruction relevant to it.

Step Six

Below the "encryption of incoming messages" section is an area to "Upload your public OpenPGP key or S/MIME certificate" with a file selection tool.  Browse to the file for your public key (the same one which should be on your vendor page) and upload it.

Step Seven

In the "encryption of incoming messages" section select the "OpenPGP encryption" and tick the "enable Javascript OpenPGP encryption for the client web browser" box.

Then copy the OpenPGP key ID (e.g. 0x1234ABCD) for your key into the box.

Note: enabling the Javascript option only reveals your public key to the person using the form, so it should only identify the information already available in the key on your vendor page.  This option allows buyers using Javascript to encrypt the message at their end, otherwise the encryption will take place on the PrivacyBox server.  Users who do not have Javascript activated will have their messages ecrypted on the PrivacyBox server.

Step Eight

Click "check and update settings" and then logout.  You will receive a test message from PrivacyBox encrypted to the key you uploaded to your specified email address.

This is how all email sent through this form will appear so it is important to stress to buyers that they must include their SR username or other identifying code in the form or you won't know who the message is coming from.

Note: the PrivacyBox encrypted forwarding is normally used by privacy advocates, journalists and human rights groups to enable the delivery of anonymous and encrypted messages from whistleblowers and the like, as such all messages sent through the form have no identifying information.

Step Nine

Visit the Tor address you noted in Step Four so you know what your buyers will see and have a little play with it.

Remember, there were four addresses: 2 HTTPS URLs (one normal and one for mobile devices), a Tor address and an I2P address.  So if your PrivacyBox username is known you can be contacted anonymously from the clearnet and I2P.
Title: Re: PrivacyBox HOWTO: Alternative to Privnote for address data
Post by: LouisCyphre on July 31, 2012, 12:08 pm
I had forgotten about PrivacyBox.  +1

Cheers.  It's a wonderfully useful little site.

Oh, congrats on becoming a Hero Member.  :)
Title: Re: PrivacyBox HOWTO: Alternative to Privnote for address data
Post by: LouisCyphre on August 01, 2012, 10:16 am
Oh, congrats on becoming a Hero Member.  :)

Thank you. Another 80 posts, and you'll be there yourself.  At the rate you're going, it'll probably be about 2 weeks.

Than itself could be a bit of a disturbing sign.
Title: Re: PrivacyBox HOWTO: Alternative to Privnote for address data
Post by: LouisCyphre on August 01, 2012, 01:22 pm
Oh, congrats on becoming a Hero Member.  :)

Thank you. Another 80 posts, and you'll be there yourself.  At the rate you're going, it'll probably be about 2 weeks.

Than itself could be a bit of a disturbing sign.

Don't worry.... you'll never be as disturbed as me.

I wouldn't be so sure about that, but I'll cope regardless.  ;)