Silk Road forums

Discussion => Newbie discussion => Topic started by: all i want is truth on August 18, 2013, 08:06 am

Title: Question for astor about his pgp tutorial
Post by: all i want is truth on August 18, 2013, 08:06 am
first of all thank you astor for posting you pgp tutorial. here it is if anyone is looking for it

http://nfm5tbykjg6oijbm.onion/gpg4usb/

 ive just started pgp and from what ive read on the forums you are god when it comes to pgp.
i have one question (for now that is :)), in you tutorial you provide a link to download GPG4USB, is this link safe to download through tor or should i download it through firefox? i read somewhere that you should not download anything through tor? thank you in advance

peace and gratitude
Title: Re: Question for astor about his pgp tutorial
Post by: dotgoat on August 18, 2013, 08:15 am
Personally I'd just download it through a non-tor web browser.  gpg4usb is pretty popular especially since the wiretapping news has come out and even people don't even know what tor is are downloading it.  So grabbing that isn't going to really give away why you're using it.

Downloading stuff through tor is typically fine so long as you trust the source of the file.  (puts on tinfoil hat) it's easy to tell that you are coming from a tor exit note (there's a public list of tor exit node IPs out there) and someone being mischievous could then give you a special gpg4usb that the first thing it does it install a virus or something.  Now is that possible? yes. Is it being done right now? don't know.  Again I'd just download it without tor.  If you do use tor I would recommend switching your identity before hand just to make things a little less trackable.
Title: Re: Question for astor about his pgp tutorial
Post by: all i want is truth on August 18, 2013, 09:55 am
thank you dotgoat, i appreciate your informative responce.
Title: Re: Question for astor about his pgp tutorial
Post by: SelfSovereignty on August 18, 2013, 10:27 am
If you aren't connecting to a site through SSL, as dotgoat says, it's entirely possible for all the data you receive and see in your web browser to be tampered with.  I think he downplays the risk though -- without SSL, it's trivially easy to do: it would take all of 15 minutes for someone to write a script that selectively replaced downloads with malicious installers that included the original download link's data so that you'd never even notice.

Well, 15 minutes may be an understatement... more like an hour or two I suppose.  Not including the malicious addition to your download, of course.  Also, the Tor browser automatically uses SSL if it's available -- but whether it's available at a given site for a given program I can't comment on.