Silk Road forums

Discussion => Security => Topic started by: hitit on August 21, 2013, 04:30 am

Title: Fake email address used for PGP Key turns out to be a real URL.. Problem??
Post by: hitit on August 21, 2013, 04:30 am
Hello fellow Silk Roaders!

I have been absent from the forums as of late as I have been attempting to sort my own security out before heading over to the newbie section and doing my bit for the community by helping with the newbie PGP club etc.

In this process I have updated my PGP key to 4096 bits as has been suggested. I have just discovered through a Google search that the fake email address I used actually contains a genuine URL of a random website. Should I be concerned at all? Is there any way they can identify my PGP key or the fact that I am using PGP? Should I go create a new key with a different email address or is it all good??

Thanks in advance for any help/advice!
Title: Re: Fake email address used for PGP Key turns out to be a real URL.. Problem??
Post by: CrazyBart on August 21, 2013, 04:42 am
Should be fine.

Just make a new one though.
Title: Re: Fake email address used for PGP Key turns out to be a real URL.. Problem??
Post by: kybzmsrf on August 21, 2013, 08:00 pm
Quote
I have just discovered through a Google search that the fake email address I used actually contains a genuine URL of a random website. Should I be concerned at all?

You're fine, no need to change that. The only purpose of the mail address is to find your public key more easily when you upload it to a key server.
I hope you googled that through Tor, because otherwise you just linked that email address, the PGP key and probably your Silk Road name with your IP and your real identity. Theoretically at least, it's a somewhat paranoid thought!
Title: Re: Fake email address used for PGP Key turns out to be a real URL.. Problem??
Post by: dotgoat on August 22, 2013, 03:26 am
Quote
Hello fellow Silk Roaders!

I have been absent from the forums as of late as I have been attempting to sort my own security out before heading over to the newbie section and doing my bit for the community by helping with the newbie PGP club etc.

In this process I have updated my PGP key to 4096 bits as has been suggested. I have just discovered through a Google search that the fake email address I used actually contains a genuine URL of a random website. Should I be concerned at all? Is there any way they can identify my PGP key or the fact that I am using PGP? Should I go create a new key with a different email address or is it all good??

Thanks in advance for any help/advice!

Should be fine. As others have said it's just an identifier so I can do `gpg -se -r your@email.com`. Mine still has a tormail com email which I registered to make sure no one else got it but otherwise never use. I've seen people use "username@sr" before if you're looking for something to change it to. Good news is you can change the email of an existing key and then just re-export your public key and it will have the new email. Although keep in mind people that don't update the key will still see the old email. But both the key fingerprint and key id (which is just the last (or is it first?) 8 characters of the fingerprint) won't change no matter what you make any of the other values. It's why whenever I send messages I've PGP encrypted I put at the bottom the key fingerprint. Granted since I'm signing these the receiver can verify my key through that as well.
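
Added example, not part of dotgoat's post: a Python sketch of why the fingerprint survives an email change. Per RFC 4880, a version 4 fingerprint is SHA-1 over the public-key packet only, and the User ID travels in a separate packet. The key material and user IDs below are constructed, and self-signatures are omitted for brevity.

```python
import hashlib
import struct

def mpi(n):
    """OpenPGP MPI: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def packet(tag, body):
    """Old-format packet header with a 2-byte length (tag 6 gives 0x99)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def export_key(created, n, e, user_id):
    """Public-key packet (tag 6, v4, RSA) followed by a User ID packet (tag 13)."""
    body = bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    return packet(6, body) + packet(13, user_id.encode())

def parse_packets(data):
    """Yield (tag, body); handles only the header form packet() emits."""
    i = 0
    while i < len(data):
        if data[i] & 0xC3 != 0x81 or i + 3 > len(data):
            raise ValueError("unsupported or truncated packet header")
        (length,) = struct.unpack(">H", data[i + 1:i + 3])
        if i + 3 + length > len(data):
            raise ValueError("truncated packet body")
        yield (data[i] >> 2) & 0x0F, data[i + 3:i + 3 + length]
        i += 3 + length

def fingerprint(data):
    """V4 fingerprint: SHA-1 over 0x99, 2-byte length, public-key packet body."""
    for tag, body in parse_packets(data):
        if tag == 6:
            return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    raise ValueError("no public-key packet")

def user_ids(data):
    return [body.decode() for tag, body in parse_packets(data) if tag == 13]

# Constructed sample values: not a real RSA modulus, not anyone's key.
N, E, CREATED = (1 << 2047) | 0x10001, 65537, 1377000000
old = export_key(CREATED, N, E, "example <old@example.invalid>")
new = export_key(CREATED, N, E, "example <new@example.invalid>")

if __name__ == "__main__":
    fp = fingerprint(old)
    print("fingerprint :", fp, "(same after UID change:", fp == fingerprint(new), ")")
    print("long key ID :", fp[-16:])   # low 64 bits of the fingerprint
    print("short key ID:", fp[-8:])    # low 32 bits, shown as the 8-hex-digit key ID
```
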
Title: Re: Fake email address used for PGP Key turns out to be a real URL.. Problem??
Post by: hitit on August 27, 2013, 06:59 am
Thanks for all the help everybody - appreciate it immensely :)
Title: Re: Fake email address used for PGP Key turns out to be a real URL.. Problem??
Post by: Nightcrawler on August 27, 2013, 07:44 am
Quote
Hello fellow Silk Roaders!

I have been absent from the forums as of late as I have been attempting to sort my own security out before heading over to the newbie section and doing my bit for the community by helping with the newbie PGP club etc.

In this process I have updated my PGP key to 4096 bits as has been suggested. I have just discovered through a Google search that the fake email address I used actually contains a genuine URL of a random website. Should I be concerned at all? Is there any way they can identify my PGP key or the fact that I am using PGP? Should I go create a new key with a different email address or is it all good??

Thanks in advance for any help/advice!

Quote
... It's why whenever I send messages I've pgp encrypted I put at the bottom the key fingerprint. Granted since I'm signing these the receiver can verify my key through that as well.

I would STRONGLY advise against signing any messages you send -- this goes double for messages containing incriminating information, such as an order from a vendor. The reason I say this is that signing utterly destroys any plausible deniability that you may ever have had. Remember, once a message is signed, and the signature verifies, it cannot be disavowed, unless you try to claim that your private key and passphrase were somehow compromised. Remember, digital signatures are acceptable in court as valid.

That said, there are exceptions to this rule, of course, e.g. when DPR signs one of their statements.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B      (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B    (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090     (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0
Title: Re: Fake email address used for PGP Key turns out to be a real URL.. Problem??
Post by: hitit on August 28, 2013, 02:57 am
@Nightcrawler

Very insightful mate, thanks for adding that! I've never thought of this. I'm glad I've never bothered to sign any messages in the past now.
Title: Re: Fake email address used for PGP Key turns out to be a real URL.. Problem??
Post by: jacklinks on August 28, 2013, 03:31 am
I'm using gpg4usb, looks like a 2048 key.. Anyone know if I can switch it?
Title: Re: Fake email address used for PGP Key turns out to be a real URL.. Problem??
Post by: OliverBel on August 28, 2013, 04:07 am
Quote
I'm using gpg4usb, looks like a 2048 key.. Anyone know if I can switch it?

Make a new one, it's the only way. 2048 bit keys will be cracked soon.