Silk Road forums
Discussion => Security => Topic started by: flicky42 on October 28, 2012, 11:22 pm
-
Forgive me, I'm sort of a novice, but I don't understand why SR doesn't use SSL. Wouldn't this ensure better security between the exit node and the vendor? I always use GPG, but there are just so many people who don't on this website.
-
Forgive me, I'm sort of a novice, but I don't understand why SR doesn't use SSL. Wouldn't this ensure better security between the exit node and the vendor? I always use GPG, but there are just so many people who don't on this website.
The reason SR does not use SSL is because data going to .onion sites never leaves the Tor network, so SSL encryption would be superfluous. Data traveling within the Tor network is end-to-end encrypted already.
-
Yeah, but the exit node has no encryption, so wouldn't SSL prevent man-in-the-middle attacks to steal addresses?
-
Yeah, but the exit node has no encryption, so wouldn't SSL prevent man-in-the-middle attacks to steal addresses?
What I'm telling you, and what Damaged is telling you, is that SR doesn't use an exit node, and that SSL is therefore not necessary.
-
I could be wrong, but isn't every connection you make to each node in the Tor circuit an SSL connection?
-
So we do we use GPG if there is no exit node?
Hmm it seems I know much less about how all this works than I thought.
-
Let's say that one of the vendors that you have been dealing with gets busted, and woe be them, they left their Silk Road account logged in or store the messages somewhere else (encrypted of course). Now, if you send your addresses and messages to them in clear text, LEO could easily read them as a bedside story. On the other hand, if you encrypt them using GPG, they have to get the vendor's private key and passphrase first.
-
I could be wrong, but isn't every connection you make to each node in the Tor circuit an SSL connection?
It's encrypted, but I don't believe it's an SSL connection.
-
So we do we use GPG if there is no exit node?
No. The encryption between Tor nodes is like SSL, in the sense that public keys are used. Unlike SSL, there is no visible evidence of this (i.e. no padlock icon). Like SSL, it is pretty much transparent to the end user. It's like an automatic transmission in a car -- you don't have to worry about how the car shifts gears when needed, you just have to accept that it does -- it just works in the background.
GPG is used on here for 3 things:
- To encrypt PMs sent to other users on the system
- To encrypt address information sent to a vendor
- By DPR, when he PGP clear-signs a message, so everyone can verify that the message is genuine, and not forged.
The entire point of using GPG on here (and the Silk Road site proper) is to protect against unauthorized access to your data. In most cases, that is your address data. If either Silk Road, or the Forum were ever to be hacked, or worse yet, seized by the authorities, then GPG encryption would prevent the authorities from accessing that encrypted information. That is the primary use for it on here -- for privacy. If you encrypt your PMs, then no one except the intended recipient can read them, not the mods, not the Admins, not the authorities, no one. That's why the use of GPG is encouraged here.
Hmm it seems I know much less about how all this works than I thought.
Some of this stuff _is_ a bit esoteric.
-
So we do we use GPG if there is no exit node?
Hmm it seems I know much less about how all this works than I thought.
You use GPG because, even though the connection is encrypted all the way up to the server, your message is not encrypted when it is on the server. GPG takes care of that.
-
I could be wrong, but isn't every connection you make to each node in the Tor circuit an SSL connection?
It's encrypted, but I don't believe it's an SSL connection.
Tor uses SSL
-
So we do we use GPG if there is no exit node?
No. The encryption between Tor nodes is like SSL, in the sense that public keys are used. Unlike SSL, there is no visible evidence of this (i.e. no padlock icon). Like SSL, it is pretty much transparent to the end user. It's like an automatic transmission in a car -- you don't have to worry about how the car shifts gears when needed, you just have to accept that it does -- it just works in the background.
GPG is used on here for 3 things:
- To encrypt PMs sent to other users on the system
- To encrypt address information sent to a vendor
- By DPR, when he PGP clear-signs a message, so everyone can verify that the message is genuine, and not forged.
The entire point of using GPG on here (and the Silk Road site proper) is to protect against unauthorized access to your data. In most cases, that is your address data. If either Silk Road, or the Forum were ever to be hacked, or worse yet, seized by the authorities, then GPG encryption would prevent the authorities from accessing that encrypted information. That is the primary use for it on here -- for privacy. If you encrypt your PMs, then no one except the intended recipient can read them, not the mods, not the Admins, not the authorities, no one. That's why the use of GPG is encouraged here.
Hmm it seems I know much less about how all this works than I thought.
Some of this stuff _is_ a bit esoteric.
+1 to you, thanks I think I get it now, or at least have a much better understanding.