Silk Road forums

Support => Feature requests => Topic started by: StExo on May 13, 2013, 12:04 pm

Title: Paranoid level security to prevent phishing
Post by: StExo on May 13, 2013, 12:04 pm
So I think I have mentioned this before - but even the best of us can fall apart on security by accidentally entering our password on some dodgy phishing site. I did not too long ago but immediately realised my mistake and changed my password before any damage was done.

Anyway, I was thinking as an optional feature to incorporate a challenge-response security check. Sure it uses an extra second of server power, bandwidth and our time but as I said, it's optional for those of us who load our account with thousands of dollars a week or vendors who may have large amounts of bitcoins stored.

So how would this work? Simply add a box where a user can paste their public PGP key and the SR server will save this. Now, when you log in using your username and password, you will be taken to a 2nd screen whereby a random 16 character string will be encrypted with your public key and the SilkRoad key. All you have to do is open your PGP and decrypt this string then paste it into the box provided to complete the security check - just like when online banking asks for security answers or additional checks but of course only you have your PGP. In some ways this means I could freely hand out my password and I wouldn't be at that great a risk (not that I plan on doing so but you see my point).

Again I reiterate, this is an opt-in feature where those of us who are very paranoid will take advantage of it and those who don't have PGP established or feel this is a waste of time are in no way obliged to use it.
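The second login step proposed above, as an added example that is not part of the original post: the server side mints a random 16-character challenge per session, hands it out only to users who enrolled a key, and accepts exactly one attempt before the challenge expires. The names (`ChallengeResponseServer`, `issue_challenge`, `verify_response`), the 120-second lifetime and the usernames are assumptions made for the example. The OpenPGP encryption to the user's key is replaced by an XOR stand-in so the code runs offline; it is not a cipher and only exists to make the round trip visible.

```python
import hmac
import itertools
import secrets
import string
import time
from dataclasses import dataclass

CHALLENGE_ALPHABET = string.ascii_letters + string.digits
CHALLENGE_LEN = 16           # the post proposes a random 16-character string
CHALLENGE_TTL_SECONDS = 120  # assumption: a pending challenge is only valid briefly


@dataclass
class PendingChallenge:
    username: str
    plaintext: str
    expires_at: float


class ChallengeResponseServer:
    """Server side of the opt-in second login step described in the post."""

    def __init__(self, encrypt_for_user, now=time.time):
        # encrypt_for_user(key_material, plaintext) -> ciphertext string.
        # In the real design this is OpenPGP encryption to the key the user
        # pasted at enrolment; it is injected here so the logic is testable.
        self._encrypt = encrypt_for_user
        self._now = now
        self._pubkeys = {}   # username -> key material the user enrolled
        self._pending = {}   # session_id -> PendingChallenge

    def enrol_key(self, username, key_material):
        self._pubkeys[username] = key_material

    def issue_challenge(self, username):
        """Called after the password check succeeds.

        Returns None when the user never opted in (no key on file), otherwise
        (session_id, ciphertext) to show on the second screen.
        """
        key = self._pubkeys.get(username)
        if key is None:
            return None
        plaintext = "".join(secrets.choice(CHALLENGE_ALPHABET) for _ in range(CHALLENGE_LEN))
        session_id = secrets.token_urlsafe(16)
        self._pending[session_id] = PendingChallenge(
            username, plaintext, self._now() + CHALLENGE_TTL_SECONDS)
        return session_id, self._encrypt(key, plaintext)

    def verify_response(self, session_id, response):
        """One attempt per challenge: the entry is removed whether or not it matches."""
        pending = self._pending.pop(session_id, None)
        if pending is None:
            return False          # unknown session, replay, or already attempted
        if self._now() > pending.expires_at:
            return False          # stale challenge
        # Constant-time comparison so a wrong guess leaks nothing through timing.
        return hmac.compare_digest(pending.plaintext.encode(), response.strip().encode())


# ---- stand-in for the user's PGP keypair (NOT a real cipher) ----
# A per-user random secret and XOR stand in for "encrypt to the user's public
# key" / "decrypt with the private key" so the example runs offline.

def demo_encrypt(key, plaintext):
    return bytes(p ^ k for p, k in zip(plaintext.encode(), itertools.cycle(key))).hex()


def demo_decrypt(key, ciphertext):
    return bytes(c ^ k for c, k in zip(bytes.fromhex(ciphertext), itertools.cycle(key))).decode()


def run_demo(clock=None):
    """Walk the login flow once; returns a dict of outcomes for inspection."""
    clock = clock if clock is not None else [1_000.0]
    server = ChallengeResponseServer(demo_encrypt, now=lambda: clock[0])
    user_key = secrets.token_bytes(32)          # constructed: the enrolled user's key
    server.enrol_key("stexo", user_key)

    session_id, ciphertext = server.issue_challenge("stexo")
    answer = demo_decrypt(user_key, ciphertext)  # what the user pastes back

    results = {
        "opt_out_user_skips_step": server.issue_challenge("nokey") is None,
        "correct_answer_accepted": server.verify_response(session_id, answer),
        "replay_rejected": not server.verify_response(session_id, answer),
    }

    # A wrong answer burns the challenge, so a retry with the right answer fails too.
    sid2, ct2 = server.issue_challenge("stexo")
    results["wrong_answer_rejected"] = not server.verify_response(sid2, "A" * CHALLENGE_LEN)
    results["no_second_attempt"] = not server.verify_response(sid2, demo_decrypt(user_key, ct2))

    # An expired challenge is rejected even with the right answer.
    sid3, ct3 = server.issue_challenge("stexo")
    clock[0] += CHALLENGE_TTL_SECONDS + 1
    results["expired_rejected"] = not server.verify_response(sid3, demo_decrypt(user_key, ct3))
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The example covers only the user-key half of the post's design. The post also involves the site's own key on the challenge, and that half is what would let a user check that a challenge really came from the site before decrypting it; it is left out here because it needs real OpenPGP rather than a stand-in.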
Title: Re: Paranoid level security to prevent phishing
Post by: randomOVDB#2 on May 13, 2013, 12:19 pm
Since I'm on the roll today - "Don't be dumb".

Carefully check the web address, verify any GPG signed messages and ask in the forums if something changes unexpectedly.

I do like your idea though since it will weed out people who don't want to use GPG.
Title: Re: Paranoid level security to prevent phishing
Post by: StExo on May 13, 2013, 12:26 pm
Since I'm on the roll today - "Don't be dumb".

Carefully check the web address, verify any GPG signed messages and ask in the forums if something changes unexpectedly.

I do like your idea though since it will weed out people who don't want to use GPG.

That's the thing, I almost always do, 99% of the time I click the SilkRoad address in my browser as I have SilkRoad bookmarked as well as the forums but this time I by chance just clicked that without thinking and with the random session ending recently, having to log in again didn't arouse suspicions. The only reason I realised something was up is because my account balance was 0 upon "login" when in fact I have over $1,200 in it waiting to make an order. But if I hadn't realised it could have ended badly. Plus in the event there is a keylogger on somebody's computer, I do imagine it'd help.

As for it encouraging people to use PGP, I'd definitely be for that, making it compulsory for vendors because it's shameful that some vendors aren't capable of using it. I went around recently and messaged around 20 different vendors about their public keys being either terribly weak or the program they are using being flawed and all but 1 have changed their keys and program, some have messaged me back with a message of thanks even as it was easier to use than their previous ones.