Silk Road forums

Discussion => Security => Topic started by: foxen624 on July 29, 2013, 04:35 am

Title: If a vendor's PGP Key has a real clearnet email address?
Post by: foxen624 on July 29, 2013, 04:35 am
I recently ran across a vendor who had a listing for something I am looking for.  He/she has a PGP key on the item description page and indicated to use it to encrypt messages.  Anyway, I imported it so I could send the vendor a message and after I had imported the key, I saw on the key info that it had what looked like a real clearnet email address.  It had a real person's name on the key (not close to the vendor name) and the name in the email address was obviously an adaptation of the name in the key.

I may be over-reacting, but I got nervous about having imported the key at all, so immediately deleted it.   Then I went to one of my tormail addresses and sent a "test" email to the email on the key (hoping it would bounce back as undeliverable).. but it's been over an hour and it hasn't bounced.  So, how risky (if at all) to my own security is it to have had that key imported to my virtual keyring - even for a few minutes?

Thanks to anyone who can let me know... 
Title: Re: If a vendor's PGP Key has a real clearnet email address?
Post by: ChemCat on July 29, 2013, 04:43 am
Some people create their PGP keys with a fake email addy....I suppose if done through tor....made the email account and they never go to it from the clearnet....it'd be ok....I can't see how having their key would put you at risk  ???

Just use your good judgement and follow your gut feelings...


Good Luck & Be safe!!


Peace & Hugs to ya  :)


ChemCat

  O0
Title: Re: If a vendor's PGP Key has a real clearnet email address?
Post by: Nightcrawler on July 29, 2013, 04:50 am
Quote
I recently ran across a vendor who had a listing for something I am looking for.  He/she has a PGP key on the item description page and indicated to use it to encrypt messages.  Anyway, I imported it so I could send the vendor a message and after I had imported the key, I saw on the key info that it had what looked like a real clearnet email address.  It had a real person's name on the key (not close to the vendor name) and the name in the email address was obviously an adaptation of the name in the key.

I may be over-reacting, but I got nervous about having imported the key at all, so immediately deleted it.   Then I went to one of my tormail addresses and sent a "test" email to the email on the key (hoping it would bounce back as undeliverable).. but it's been over an hour and it hasn't bounced.  So, how risky (if at all) to my own security is it to have had that key imported to my virtual keyring - even for a few minutes?

Thanks to anyone who can let me know...

The risk from importing such a key with a clearnet email address is essentially zero -- I wouldn't worry about it.  I hope that when you sent the test email, you used a tormail address that you haven't used for anything important. While I think that the vendor's use of PGP is commendable, I fear that their use of a clearnet email address indicates that they likely have not paid as much attention to security as they ought to have.

PM me with the vendor name and email address, and I'll see if I can help get them straightened out.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B      (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B    (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090     (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0
Title: Re: If a vendor's PGP Key has a real clearnet email address?
Post by: foxen624 on July 29, 2013, 05:28 am
Thank you Nightcrawler,  I will PM you with the info.  As far as the tormail I sent the "test" email from, I've got several for various reasons, and the one I used [deliberately] is one that I'd made a while back, then never used.  I don't intend to use it again, and there is nothing in the name that is remotely close to my SR & SR Forum username ..

Quote
Some people create their PGP keys with a fake email addy....I suppose if done through tor....made the email account and they never go to it from the clearnet....it'd be ok....I can't see how having their key would put you at risk  ???

Just use your good judgement and follow your gut feelings...


Good Luck & Be safe!!


Peace & Hugs to ya  :)


ChemCat

  O0

Thanks Chem, I was concerned because it is a gmail account....  but you and Nightcrawler have put my paranoia to rest..  ;)
Title: Re: If a vendor's PGP Key has a real clearnet email address?
Post by: ChemCat on July 29, 2013, 05:30 am
You're Very Welcome  :)

Title: Re: If a vendor's PGP Key has a real clearnet email address?
Post by: astor on July 29, 2013, 07:28 am
You should read StExo's last security audit, which was stickied in this subforum for a while.

I imported 1020 vendor keys a while back and analyzed them for stuff like valid clearnet email addresses. I think there were about 50 valid addresses that I found. However, just because it's valid (which you can check without sending an email, btw), doesn't mean it belongs to them. They may have accidentally or intentionally used an address that belongs to someone else. They have plausible deniability in that sense, unless LE wants to go on fishing expeditions.

It is a bad practice anyway. You should register an email address for SR purposes only and put it in your PGP key so customers can contact you when the SR server goes offline, as it has for extended periods on several occasions. Then that info is actually useful.

You can set up a clearnet email account over Tor with some providers. There's at least one thread about that on the forum already. Or you can create a Tormail account, which may be the best option, but Tormail has experienced unreliable uptime in the past.
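astor's point is that the "Email Address" field of a key is public metadata, and a keyring can be checked for clearnet addresses without ever sending mail. The following added example (mine, not astor's script or anything posted in the thread) shows the defensive version of that check: run it over your own keyring, or over the keys you hold, and it reports which user IDs carry a popular clearnet webmail address. It parses the machine-readable listing that `gpg --with-colons --list-keys` produces; the three keys in `sample_listing` are constructed, and the webmail domain list is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit OpenPGP user IDs for clearnet
# webmail addresses. Real usage:  gpg --with-colons --list-keys | audit_uids

# Read a --with-colons listing on stdin and print, per user ID:
#   <long key id> TAB <email or "-"> TAB <verdict>
audit_uids() {
  awk -F: '
    function classify(addr,   dom) {
      if (addr == "-" || index(addr, "@") == 0) return "no-address"
      dom = tolower(substr(addr, index(addr, "@") + 1))
      # assumed list of popular clearnet webmail providers
      if (dom ~ /^(gmail|hotmail|yahoo|outlook|live)\.com$/) return "CLEARNET-WEBMAIL"
      if (dom ~ /\.onion$/ || dom == "tormail.org") return "tormail-or-onion"
      return "other-domain"
    }
    $1 == "pub" { keyid = $5 }                     # field 5 of a pub record: long key id
    $1 == "uid" {
      uid = $10                                     # field 10 of a uid record: "Name <addr>"
      email = "-"
      if (match(uid, /<[^>]+>/))
        email = substr(uid, RSTART + 1, RLENGTH - 2)
      verdict = classify(email)
      if ($2 == "r") verdict = "revoked"            # field 2: validity, r = revoked uid
      printf "%s\t%s\t%s\n", keyid, email, verdict
    }
  '
}

# Constructed sample in gpg --with-colons format: three fake keys, five user IDs.
sample_listing() {
  cat <<'EOF'
tru::1:1375070000:0:3:1:5
pub:u:4096:1:1111111111111111:1375070000:::u:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1375070000::AAAA::Vendor One <vendorone@gmail.com>::::::::::0:
pub:u:4096:1:2222222222222222:1375070000:::u:::scESC::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:u::::1375070000::BBBB::foxen <foxen@unrealemail.org>::::::::::0:
uid:u::::1375070000::CCCC::foxen <foxen@tormail.org>::::::::::0:
pub:u:4096:1:3333333333333333:1375070000:::u:::scESC::::::23::0:
fpr:::::::::3333333333333333333333333333333333333333:
uid:u::::1375070000::DDDD::John Q. Someone::::::::::0:
uid:u::::1375070000::EEEE::John Q. Someone <john.someone@hotmail.com>::::::::::0:
EOF
}

# Demo run on the constructed sample.
sample_listing | audit_uids
```

On the sample this flags the Gmail and Hotmail user IDs, reports the made-up `unrealemail.org` address as `other-domain` and the Tormail one as `tormail-or-onion`, and shows the uid with no address at all as `no-address`. Anything flagged `CLEARNET-WEBMAIL` on your own key is exactly the metadata the thread is worried about.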
Title: Re: If a vendor's PGP Key has a real clearnet email address?
Post by: foxen624 on July 29, 2013, 08:26 am
I did..  read the thread you're talking about.  Lots of good info in there..  I'm not an expert on security (though I wish I were) like you and a few others I've noticed on here, but am fairly sure that I was not one of those with the blunders StExo mentioned...  and hopefully not the ones he didn't mention.

But yeah, it was after reading that that I upgraded my own PGP key from 3072 bit (the highest that was offered by kleopatra) and went with GPG4USB and the 4096 bit encryption key.  I'm always willing to learn and understand as much as possible about security - I fully believe in being overly cautious rather than not careful enough.  Which is why I made the OP here.

Anyway, you're right, someone could use a real gmail account that belongs to someone else - though I don't really see why they would -  seems as if using someone else's email address would only be asking for trouble?  And.... I'm sure there are other ways to find out if an email account is real or not w/o emailing it..  but I didn't take a lot of time to check into other methods, I'd already deleted the key out of my paranoia-by-nature because I wasn't sure of the implications at the time, and I have a couple of Tormail accounts that I'd created at some point for other purposes that I never ended up using, so sending an email from an unrelated account to see if it bounced or not was the first thing that came to mind is all...

However, you did point out something else that I'd not thought of.  In my own PGP key, I used my username with a totally made-up email address.  I had not thought that it was necessary to use a real tormail, although I do have one for SR which I think I have in my account info on the SR site (I'll have to double check that it's there).  But...   according to you, I'm thinking that I should replace my fake email address in my PGP Key info with my real SR tormail.  Wouldn't I have to make a whole new PGP key though?  If you think it important that I replace it, I will as I can tell you are very knowledgeable..  if you get a chance, let me know on that.... if you don't mind, O.K?

Thanks for your informed input.  I enjoy reading your posts, too as you seem to have so much knowledge to contribute! :)
Title: Re: If a vendor's PGP Key has a real clearnet email address?
Post by: astor on July 29, 2013, 08:43 am
Quote
Anyway, you're right, someone could use a real gmail account that belongs to someone else - though I don't really see why they would - it's easy enough to just make up a fake one for the PGP key info, it's not like anyone needs to use it.  Besides...  seems as if using someone else's email address would only be asking for trouble?

There's an old saying in behavioral psychology that under carefully controlled conditions, the animal will do as it damn well pleases. :)

When people use a PGP app for the first time, they see that "Email Address" field and interpret it in different ways. Some are informed enough to register an email address (usually a Tormail address) specifically for SR, and put that in their key. Others put completely fake info that doesn't look like an email address. Others, perhaps thinking they are being clever, put a fake address that looks like a clearnet address. If you pick a random address for Gmail or Hotmail, chances are pretty high someone has already registered it. I figure that's what happens quite often.


Quote
Thanks for your informed input...  I enjoy reading your posts astor.  You have so much to contribute!

Little things like this keep me going. I'm glad a lot of people find my posts useful. Thanks man. :)
Title: Re: If a vendor's PGP Key has a real clearnet email address?
Post by: foxen624 on July 29, 2013, 09:09 am
Your posts are totally useful!

I see what you mean about people interpreting whatever they want about what to put in the email field in the PGP app..  I'm not sure if I fit into any of your scenarios.  I just made up one that fits the format of a real email address, but I highly doubt it actually exists:  foxen@unrealemail.org   

I tend to refer to myself publicly as "paranoid", but that's not really accurate.  It's more like I'm just really private and don't like to share even as much as my last name (never have since childhood) with anyone unless absolutely necessary....  and that's been since long  before I had a real reason (like doing as I please and keeping my freedom).  So, over the years, I've registered many, many clearnet gmails, hotmails, yahoo mails, etc...  and not a one of them has my real info attached to it.  I've got a drawer full of old disposable phones (net 10 and the like) that I've used for various purposes, one being when I have to register a mobile number for a website, email account, etc... just to get a confirmation text...   

But yes, I do have a Tormail "registered"  just for SR - being that "registered" requires no more than a username and password.  I checked my account info and it's in the SR forum account settings... didn't see a place on the SR page as I'd thought to put an email address.  But I'm still wondering if I need to include it in my PGP key info rather than the fake I mentioned...   or just leave the key alone as is....???
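foxen624 asks twice whether swapping the made-up address for the SR-only Tormail address means generating a whole new key, and nobody in the thread answers. It does not: an OpenPGP key can carry several user IDs, and GnuPG can add one, make it primary and revoke the old one while the key material and fingerprint stay the same, so existing customers keep trusting the same fingerprint and only need the re-exported public key. The following added example (mine, not from the thread, from GPG4USB or from Kleopatra) walks through that in a throwaway `GNUPGHOME`. It assumes GnuPG 2.1.20 or later on `PATH`; the names, the `unrealemail.org` address and the `tormail.example` placeholder address are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: replace a made-up email address on an
# existing OpenPGP key with a new user ID, keeping the key and fingerprint.
# Assumes GnuPG >= 2.1.20 ("quick" commands). Runs entirely in a scratch home.

OLD_UID="foxen <foxen@unrealemail.org>"   # the made-up address from the thread
NEW_UID="foxen <foxen@tormail.example>"   # constructed SR-only mailbox (placeholder domain)
KEY_ALGO="${KEY_ALGO:-rsa4096}"           # the thread's choice; override e.g. KEY_ALGO=rsa2048 for speed

# Non-interactive gpg: batch mode, empty passphrase through the loopback pinentry.
# (Empty passphrase is for the throwaway demo key only.)
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@" 2>/dev/null; }

# Generate a scratch key carrying OLD_UID, swap in NEW_UID on that same key,
# and print the resulting fpr/uid records so the unchanged fingerprint is visible.
rotate_uid_demo() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; return 0; }
  GNUPGHOME=$(mktemp -d) || return 1
  export GNUPGHOME
  # 1. scratch key with the fake address; "none" = no expiration
  g --quick-generate-key "$OLD_UID" "$KEY_ALGO" default none || { rm -rf "$GNUPGHOME"; return 1; }
  fpr=$(gpg --batch --with-colons --list-keys 2>/dev/null | awk -F: '$1=="fpr"{print $10; exit}')
  # 2. add the SR-only mailbox as a second user ID on the SAME key ...
  g --quick-add-uid "$fpr" "$NEW_UID" || { rm -rf "$GNUPGHOME"; return 1; }
  # 3. ... make it the primary uid and revoke the made-up one
  g --quick-set-primary-uid "$fpr" "$NEW_UID" || true
  g --quick-revoke-uid "$fpr" "$OLD_UID" || true
  # 4. what customers see once you re-export (gpg --armor --export "$fpr") and re-post the key
  gpg --batch --with-colons --list-options show-unusable-uids --list-keys "$fpr" 2>/dev/null \
    | awk -F: '$1=="fpr" || $1=="uid"'
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$GNUPGHOME"
}

rotate_uid_demo
```

The listing shows the same fingerprint before and after, the new user ID as primary and the old one marked revoked. Two caveats follow from how OpenPGP works: the revocation only reaches customers once they refresh or re-import your public key, and a user ID is a signed attribute of the key, so the operation needs the private key (which is why the demo generates its own).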
Title: Re: If a vendor's PGP Key has a real clearnet email address?
Post by: mcguire39 on July 29, 2013, 03:16 pm
I would say if you ever e-mail the address in the PGP key, obviously encrypt your message using that public key. That way at least you would know if the recipient has the corresponding private key.
Title: Re: If a vendor's PGP Key has a real clearnet email address?
Post by: foxen624 on July 29, 2013, 05:40 pm
Quote
I would say if you ever e-mail the address in the PGP key, obviously encrypt your message using that public key. That way at least you would know if the recipient has the corresponding private key.

Yeah... that would have been a good idea, but there's plenty of other vendors offering the same thing and I've already deleted his key, so...  just going to go with someone else. 
Title: Re: If a vendor's PGP Key has a real clearnet email address?
Post by: Vanquish on July 29, 2013, 08:02 pm
Quote
But yeah, it was after reading that that I upgraded my own PGP key from 3072 bit (the highest that was offered by kleopatra) and went with GPG4USB and the 4096 bit encryption key.  I'm always willing to learn and understand as much as possible about security - I fully believe in being overly cautious rather than not careful enough.  Which is why I made the OP here.

That wasn't necessary.  You can create 4096 PGP Keys with Kleopatra/GPG4Win.
Guide for doing so posted below.

<Clearnet> https://blog.christopherburg.com/2013/06/05/encrypt-everything-installing-gpg4win-for-windows/
Title: Re: If a vendor's PGP Key has a real clearnet email address?
Post by: foxen624 on July 30, 2013, 02:57 am
Thanks Vanquish - appreciate it.   But actually, I feel more comfortable with GPG4USB.  Something doesn't feel quite right to me about how Kleopatra seems to take about 2 seconds to create a key pair.   Seems as if it should take a bit longer than that - as does GPG4USB.  And, I also like having it on a removable USB anyway instead on directly on my machine.  But I do appreciate you having taken the time to offer some info.  Thanks again :)