Silk Road forums

Discussion => Security => Topic started by: brodels on November 05, 2012, 04:34 am

Title: PGP absolutely necessary 100% of the time?
Post by: brodels on November 05, 2012, 04:34 am
I made a purchase today. The seller's PGP code won't work. I could tell before I sent the encrypted message. It didn't show their email under PUBLIC KEYS. It just showed their username. They messaged me that my encrypted message didn't work. They said to try again or just message them my address without PGP. I tried a couple times and I definitely copied their code correctly. They are a new seller with 27 transactions. Maybe I'm being paranoid but it feels a little sketchy. Do most of you follow strict guidelines to only enter your address when encrypted or do you not mind to put it out there without encryption?
Title: Re: PGP absolutely necessary 100% of the time?
Post by: thesearstower on November 05, 2012, 05:36 am
PGP exists to protect you. If SR is compromised, then all info passing through SR can also be expected to be compromised. This means that if you send your address plaintext, anyone can read it. If you encrypt it with PGP, then only someone with the corresponding private key can read it. It keeps your information top-secret until it gets to your vendor.

I've seen a number of PGP keys without attached email addresses.

In the grand scheme of being an SR vendor, PGP is very easy. If a vendor wasn't able to properly figure out something as simple as creating and using a PGP keypair, then what is the likelihood that they're going to be able to do the other, more complicated tasks, like: a non-static stealth packaging solution, proper handling of orders and addresses, proper wiping of sensitive data, insulation from LEO, etc, etc? It doesn't inspire confidence.

It's up to you to keep yourself safe. I don't do business with vendors who don't use PGP. It's not a guarantee of safety, but it's a step in the right direction. If I were in your shoes, I'd find a new vendor. There are lots of great vendors on SR, and anyone who's worth doing business with will probably not needlessly endanger your safety.
Title: Re: PGP absolutely necessary 100% of the time?
Post by: Nightcrawler on November 05, 2012, 06:50 am
I made a purchase today. The seller's PGP code won't work. I could tell before I sent the encrypted message. It didn't show their email under PUBLIC KEYS. It just showed their username. 

All your statement above shows is that you simply do not understand what you are doing. You do NOT have to put an email address on a PGP key. I don't.

gpg --list-keys nightcrawler
pub   4096R/BBF7433B 2012-09-22
uid                  Nightcrawler <Nightcrawler@SR>
sub   4096R/FF98C3EA 2012-09-22

No email address here.

They messaged me that my encrypted message didn't work. They said to try again or just message them my address without PGP. I tried a couple times and I definitely copied their code correctly.

You may have copied their key correctly -- that doesn't mean that you encrypted the message correctly. There is a thread here on the Forum for posting your PGP keys, and another for sending and receiving encrypted messages so you can learn how to properly use the software.

It's entirely possible that you encrypted the message to the vendor using only your own PGP key -- it's an error frequently made by new PGP users.

They are a  new seller with 27 transactions. Maybe I'm being paranoid but it feels a little sketchy. Do most of you follow strict guidelines to only enter your address when encrypted or do you not mind to put it out there without encryption?

The sketchiness of the vendor simply doesn't enter into it.  The rationale behind using PGP to encrypt your address information is to prevent LEA or hackers gaining access to your information, should the SR servers ever be compromised. Whether encrypted or not, the vendor is always going to have access to your address information -- if they did not, they would not be able to ship you your order.

Title: Re: PGP absolutely necessary 100% of the time?
Post by: CoolGrey on November 05, 2012, 10:58 am
Everything the two people above me have said is correct. Using PGP is very much recommended.

Here is my public key. Send me a message to see if you do it right.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQENBFBgoVUBCAC158K+JwaVN1fZkTh8GejvBO0VBcaSuC5R/9xgCK6wY26guQJ4
RIDFXfa3DNImyPr52SBurAoQ9ig+S8vfThuKpT1f2Uz7NoX465Ycxb8mEx5KfDXy
qwgM7e1F4uQ9xgfPgvnNJ9SgXta22yw+n6+3Y+QAAdgqpgqS3OCMk88ew+rsdv0j
7BGgOZnS0Ac/hWzq50NRbkOH4O8aqL1Kcwbwt7lV/wcRU876zT18UPHOvJFVXh/p
t+IvI5eN3miSseoF98i1tyGw0LoGdm/Z8Vlp/f/GLeGia10pcSJMPvzJdm6v4BH3
9WnN0qeWJqZ11yjkMJbUYTL4yAeRg1DcVAunABEBAAG0H0Nvb2xHcmV5IDxjb29s
Z3JleUB0b3JtYWlsLm9yZz6JATgEEwECACIFAlBgoVUCGwMGCwkIBwMCBhUIAgkK
CwQWAgMBAh4BAheAAAoJECYl9M0FAudmlUMH/iXp0G5SMVRA2BTRVXrQwA30SCRm
VY8eyqpsTdTBKr+1vRyoMFj7LstNMx77gs/XleNcwlNC8+svB5U0R1nW5M0mSBLG
/TvBIpgSNCn2PQlk1N23wYlblMP3B+zLzEnidw7ToQaFQgOIvHxYZyj1b+o8ivex
9vgI5aoylLbt+oFZ3QR6zoQg5nDFDwaAe6vglO2CiiDSGej+U/3h/B+gkS/tXM4p
DiQRhG5QZPlfnSiJdD+HZj43pQ3zfWx1Ii2zLx9xhTrUoexAEGckim4gx9m8N4et
936ZoddukWgHjTTqEjqqqhP7Jyvi+M4eZNauFPGqionnq4WnZgC9rgjGvj+5AQ0E
UGChVQEIAM86L0x9/xfhB91Hy+pXjzftFzDkzAgImdYZBxBZY6yZqe4aw1q4/gd+
4dGu3ABFHKmTeCbw57xCAlghYWfBsBycEdx6Lgco+BAFmT1nbYp0qk/Nh7Y7GbG2
G38D6V3ligGezGj5hP1Y//SmB8mhfJT3XOJkGJryBzyJW5HvlaBmu1Lq2xKZoh9s
zF+SceWSkyQdhvscTu1ExDvIuCpulBDXMaOq2O8il6EYB9FOsS4FJd9S42N3Mzpu
84yQT4ScKo00n5iijgjMFeUab4KrwDMD4Q3ia1vQ+uzKQM/Xo0NwE9H+5YPPbZnG
QGdN1dU6OS1ntb16UY18L8e7PCazoukAEQEAAYkBHwQYAQIACQUCUGChVQIbDAAK
CRAmJfTNBQLnZtDIB/9XWNWoplg3FrJMQPeeRAfKA9kOXT7+YEU9/O3eeWsg+CLF
fAY5mr6jcEwCbdRV54azqMUFVQRXM9ug03ijHmBoI93hpqD7XRSOUJhFjRPe6X62
MMK0/MMFQYMyBx8knCA9tqqWKDLYvv/Ed6DoWRUkrFob7AzGbYG2jocxAHr8u+QP
R02EyqcC2EDQ7NK79GbiejbxU1CG63r9hlBfjMbd0y7spmAiU+C/vsdIM/wiGDjZ
kxVU0w2xPS3FrAMI+1NLE5FeY/SmW2a6P3CXHAi88/npA9+8Rznf0zk9g3eGyz4y
iNq5jnkGCzEAUstRF930quGiIWc5covG5hxnbFQF
=1Sqr
-----END PGP PUBLIC KEY BLOCK-----
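An added example, not part of the original thread and not GnuPG's own code, covering two points argued above: whether a pasted key was really copied intact (brodels' "I definitely copied their code correctly"), and Nightcrawler's point that a user ID without an e-mail address is a perfectly normal OpenPGP user ID. It takes CoolGrey's key block exactly as posted as its sample input and uses only the Python standard library with the formats from RFC 4880. The "=1Sqr" line under the base64 body is the CRC-24 armor checksum that RFC 4880 requires; one miscopied character fails it, which is the first thing to check before concluding that a vendor's key "won't work". The user ID and the key ID (low 64 bits of the v4 fingerprint) are read out of the packets so they can be compared with what the vendor shows. The parser deliberately supports only the old-format packet headers GnuPG 1.4 emits for keys and raises on anything else.

```python
import base64
import hashlib

# CoolGrey's key as posted in this thread, embedded here as the sample input.
COOLGREY_KEY = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQENBFBgoVUBCAC158K+JwaVN1fZkTh8GejvBO0VBcaSuC5R/9xgCK6wY26guQJ4
RIDFXfa3DNImyPr52SBurAoQ9ig+S8vfThuKpT1f2Uz7NoX465Ycxb8mEx5KfDXy
qwgM7e1F4uQ9xgfPgvnNJ9SgXta22yw+n6+3Y+QAAdgqpgqS3OCMk88ew+rsdv0j
7BGgOZnS0Ac/hWzq50NRbkOH4O8aqL1Kcwbwt7lV/wcRU876zT18UPHOvJFVXh/p
t+IvI5eN3miSseoF98i1tyGw0LoGdm/Z8Vlp/f/GLeGia10pcSJMPvzJdm6v4BH3
9WnN0qeWJqZ11yjkMJbUYTL4yAeRg1DcVAunABEBAAG0H0Nvb2xHcmV5IDxjb29s
Z3JleUB0b3JtYWlsLm9yZz6JATgEEwECACIFAlBgoVUCGwMGCwkIBwMCBhUIAgkK
CwQWAgMBAh4BAheAAAoJECYl9M0FAudmlUMH/iXp0G5SMVRA2BTRVXrQwA30SCRm
VY8eyqpsTdTBKr+1vRyoMFj7LstNMx77gs/XleNcwlNC8+svB5U0R1nW5M0mSBLG
/TvBIpgSNCn2PQlk1N23wYlblMP3B+zLzEnidw7ToQaFQgOIvHxYZyj1b+o8ivex
9vgI5aoylLbt+oFZ3QR6zoQg5nDFDwaAe6vglO2CiiDSGej+U/3h/B+gkS/tXM4p
DiQRhG5QZPlfnSiJdD+HZj43pQ3zfWx1Ii2zLx9xhTrUoexAEGckim4gx9m8N4et
936ZoddukWgHjTTqEjqqqhP7Jyvi+M4eZNauFPGqionnq4WnZgC9rgjGvj+5AQ0E
UGChVQEIAM86L0x9/xfhB91Hy+pXjzftFzDkzAgImdYZBxBZY6yZqe4aw1q4/gd+
4dGu3ABFHKmTeCbw57xCAlghYWfBsBycEdx6Lgco+BAFmT1nbYp0qk/Nh7Y7GbG2
G38D6V3ligGezGj5hP1Y//SmB8mhfJT3XOJkGJryBzyJW5HvlaBmu1Lq2xKZoh9s
zF+SceWSkyQdhvscTu1ExDvIuCpulBDXMaOq2O8il6EYB9FOsS4FJd9S42N3Mzpu
84yQT4ScKo00n5iijgjMFeUab4KrwDMD4Q3ia1vQ+uzKQM/Xo0NwE9H+5YPPbZnG
QGdN1dU6OS1ntb16UY18L8e7PCazoukAEQEAAYkBHwQYAQIACQUCUGChVQIbDAAK
CRAmJfTNBQLnZtDIB/9XWNWoplg3FrJMQPeeRAfKA9kOXT7+YEU9/O3eeWsg+CLF
fAY5mr6jcEwCbdRV54azqMUFVQRXM9ug03ijHmBoI93hpqD7XRSOUJhFjRPe6X62
MMK0/MMFQYMyBx8knCA9tqqWKDLYvv/Ed6DoWRUkrFob7AzGbYG2jocxAHr8u+QP
R02EyqcC2EDQ7NK79GbiejbxU1CG63r9hlBfjMbd0y7spmAiU+C/vsdIM/wiGDjZ
kxVU0w2xPS3FrAMI+1NLE5FeY/SmW2a6P3CXHAi88/npA9+8Rznf0zk9g3eGyz4y
iNq5jnkGCzEAUstRF930quGiIWc5covG5hxnbFQF
=1Sqr
-----END PGP PUBLIC KEY BLOCK-----
"""

def crc24(data):  # armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored):
    """Base64-decode an armored block; raise ValueError if the CRC-24 does not match."""
    lines = [line.strip() for line in armored.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP") and "" in lines):
        raise ValueError("not a complete armored OpenPGP block")
    body = lines[lines.index("") + 1:-1]  # everything after the armor headers
    data = base64.b64decode("".join(l for l in body if not l.startswith("=")), validate=True)
    crc = [l for l in body if l.startswith("=")]
    if crc and crc24(data) != int.from_bytes(base64.b64decode(crc[0][1:]), "big"):
        raise ValueError("CRC-24 mismatch: the block was altered or miscopied")
    return data

def packets(data):
    """Yield (tag, body) for old-format packets, the framing GnuPG 1.4 uses for keys."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0xC0 != 0x80 or ctb & 3 == 3:  # invalid, new-format, or indeterminate length
            raise ValueError("unsupported packet header at offset %d" % i)
        tag, n = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 3]
        length = int.from_bytes(data[i + 1:i + 1 + n], "big")
        body = data[i + 1 + n:i + 1 + n + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        yield tag, body
        i += 1 + n + length

def inspect_key(armored):
    """Summarise a public key block, or record why it could not be decoded."""
    info = {"tags": [], "user_ids": [], "fingerprint": None, "key_id": None, "error": None}
    try:
        data = dearmor(armored)
    except ValueError as exc:
        info["error"] = str(exc)
        return info
    for tag, body in packets(data):
        info["tags"].append(tag)
        if tag == 6:  # primary public key
            if body[0] != 4:
                raise ValueError("only v4 keys are supported")
            # v4 fingerprint = SHA-1(0x99 || 2-byte length || body); key ID = its low 64 bits
            digest = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
            info["fingerprint"], info["key_id"] = digest, digest[-16:]
        elif tag == 13:  # user ID; the e-mail part is optional
            info["user_ids"].append(body.decode("utf-8", "replace"))
    return info

if __name__ == "__main__":
    print(inspect_key(COOLGREY_KEY))
    # One altered base64 character is enough to fail the checksum.
    print(inspect_key(COOLGREY_KEY.replace("mQENBFBgoVUBCAC1", "mQENBFBgoVUBCAC2", 1))["error"])
```

Run as-is it prints the packet tags (6 = public key, 13 = user ID, 2 = signature, 14 = public subkey), the single user ID and the key ID, then shows the CRC-24 error for a copy with one character changed. The same key ID is what "gpg --list-keys" prints after the key size, so it is the value to confirm with the vendor through a second channel; the user ID string is the only place an e-mail address would appear, and nothing in the format requires one.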