Silk Road forums

Support => Feature requests => Topic started by: genius on October 30, 2012, 11:39 pm

Title: SR Owner Authenticated Messages
Post by: genius on October 30, 2012, 11:39 pm
First off, apologies if this feature already exists, but I don't see it so thought I'd suggest it. And I think given the nature of the site, it is a basic necessity.

In the event that the site ever gets compromised, there needs to be a way for the site to be authenticated to users so that they know whether or not to use it.

I suggest encrypting a time-limited message with the site owner's private PGP key.
Every week (or at least every month), the message should be replaced with an up-to-date encrypted message.
A link to this time-stamp should be clearly posted on the site homepage, as well as the owner's public key.

If the site gets compromised, the attacker won't be able to replace the message since they won't know the private key, and users can easily see that the message is gone or expired.
Any notifications of changes to the message system would obviously need to be signed / encrypted with the same key too.

Sorry if I have come across as patronizing, I admire what you have done with the site and only want to make it more resilient.
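The check proposed in the post above (a dated statement signed with the owner's private key, which users verify and reject once it is stale), as an added example that is not part of the original thread. It swaps OpenPGP for raw RSA with SHA-256 so that it runs on the Python standard library alone; the demo key, the statement text and all function names are constructed here.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed demo key from two known Mersenne primes: insecure, illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent; kept offline in practice
K = (N.bit_length() + 7) // 8        # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")
MAX_AGE = timedelta(days=7)          # weekly replacement, as the post proposes

def _encode(message: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    pad = b"\xff" * (K - len(t) - 3)
    return int.from_bytes(b"\x00\x01" + pad + b"\x00" + t, "big")

def sign(message: bytes) -> int:
    """Owner side: sign the statement with the private exponent."""
    return pow(_encode(message), D, N)

def check_statement(message, signature, now):
    """User side: 'missing', 'bad-signature', 'malformed', 'future-dated', 'expired' or 'ok'."""
    if message is None or signature is None:
        return "missing"
    if not 0 < signature < N or pow(signature, E, N) != _encode(message):
        return "bad-signature"
    try:
        # The date is trusted only because the signature above covers it.
        first = message.decode().splitlines()[0]
        issued = datetime.strptime(first, "Date: %Y-%m-%d")
        issued = issued.replace(tzinfo=timezone.utc)
    except (UnicodeDecodeError, IndexError, ValueError):
        return "malformed"
    if issued > now:
        return "future-dated"
    if now - issued > MAX_AGE:
        return "expired"
    return "ok"

# Constructed sample statement, not taken from the forum.
STATEMENT = b"Date: 2012-10-30\nThe site is under the owner's control.\n"
SIGNATURE = sign(STATEMENT)
```

Replaying an old statement fails on the date, and editing the date to look current fails on the signature, so both checks are needed.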
Title: Re: SR Owner Authenticated Messages
Post by: SelfSovereignty on October 30, 2012, 11:56 pm
Well, that could work, if they didn't get DPR (Dread Pirate Roberts) when they got the server.  If they did get him, I'd fully expect him to comply with their demands for all decryption information.  Apparently they can do that -- demand you provide your password or they hold you in contempt indefinitely.  Pleading the fifth I guess doesn't apply.  Don't ask me... just briefly read the story.

Still, that's one of the reasons you should encrypt your address and sensitive communications with vendors: so that only the vendor can read it.  Which makes whether or not the site has been seized a moot point, IMHO.

Oh, I'm not trying to say DPR lacks integrity or anything, by the way; don't take it that way at all.  I mean it would be a lovely gesture if he rotted in jail the rest of his life just for us, but I think we can all agree that it would be a pretty silly thing to do and he should comply so he can get back to fighting the good fight before he's old and gray :)   (assuming he isn't already, naturally)


Come to think of it, I'm not sure the standard verification algorithms still hold up today... I know there were a couple of researchers in 2008 or 2010 who publicized a method of finding collisions in the real world that allowed them to falsify message signatures.  I'm not a mathematician though, so I've totally forgotten the details.  But if they could do it with some PS3s, I don't see why the government and their monstrous resources and computing power couldn't do it better.
Title: Re: SR Owner Authenticated Messages
Post by: genius on October 31, 2012, 05:31 pm
You raise some good points, but your assumption that we are safe from the feds (or whatever you want to call them) in the event of a compromise isn't as clear as you might think.

Let's say they got the server as it is now and were able to change it however they like. It would be easy to take some of the most popular sellers, and masquerade as them, putting up a new key, so even when we encrypt our address, little do we know we are encrypting it straight to them.
Yes that involves them changing the key, but for the majority of buyers, this won't raise enough suspicion for them to hold back.

You're right about the law in terms of withholding key information, at least depending on where in the world he lives. But in this field it seems to be common practice to store private keys in a volatile form that can be instantly destroyed in the event of suspicion. This way there really is nothing to hold back, and if done properly you now have proof that all secret information was destroyed. Of course you also keep a copy somewhere geographically far away in as random a place as possible in case of false alarm. However perhaps DPR doesn't have such a system in which case yes, I wouldn't blame him for giving in.

You have brought to my attention some flaws that I didn't see before, but I still think it can't hurt to add some extra security.

I hadn't heard of the research you mention, but would be interested to see it. Actually, if that is the case, then I suppose it could hurt since we'd be relying on false security...
Ah well... maybe you're right  ;D