Silk Road forums
Discussion => Security => Topic started by: nullterminator on April 29, 2012, 03:36 pm
-
Hi all,
A very reputable vender couldn't decrypt my address (encrypted with their pub key using GPG). We tried several times. The person also said that my encrypted msg seemed way too small. I am 99.9% sure that I am using GPG correctly. I have only had one previous transaction, but it worked for the previous vendor, and I tested my procedure locally using my own pub/priv keys. This vender suggested I send it using http://privnote.com. This bothered me a bit, but I ended up doing that. Now I'm wondering if this could mean the vendor was somehow compromised. Or maybe there is some incompatibility between GnuPG versions? Any thoughts?
-
don't do that
resolve their pgp key issue if any, if they can't then stay the fuck away...
-
Ok, so at this point I sent my address via the privnote. What should I do? Should I cancel the order? If so, how to do that?
-
As a vendor, this has happened more than a handful of times. I don't know how people mess up the encrypting of their addresses, but no customer has complained about privnote before.
When it happens I say, please try again making sure they used my public key or use privnote. privnote usually is what most people use.
-
I think the fear is that the vendor's been compromised so they can't use the PGP key and are trying to get an address out of the buyer. I don't know how likely that is, but that is what I understand the worry to be.
-
Yes, that is exactly my concern. Although I'm probably just being paranoid.
-
This happened to me a few days ago (as a vendor). I got a dedicated TOR system and moved everything off my old system but forgot to get my private key before I destroyed my old drive... so here I am with orders pouring in using my old public key with no way to access it... I did send my new public key to the buyers who used the old one and I got most resolved but a few kept giving me problems. I am in no way against using privnote as it can be accessed via TOR so I don't know why people have such a problem with it.
A little paranoia is a good and necessary thing in this business but when the axe drops it is not the buyers who are going to be in the paper...
TJ
-
The compromising thing is not very likely because with access to the vendors account, one could easily swap the public key with its own.
-
There is nothing wrong with privnote.
The fact the vendor couldn't decrypt is weird though. I've had times when the buyer encrypted stuff to the wrong email, but I just told them that and they fixed it. If this isn't the case then I wouldn't deal with the vendor. Better safe than sorry.
-
davidd
I am not responding to your post as I don't have a problem with it per-se... what has me intrigued is when I looked up your SR page via the link on your post:
has been a member for 42 years
was last seen: 42 years ago
has 0% positive feedback
explain?
TJ
-
davidd
I am not responding to your post as I don't have a problem with it per-se... what has me intrigued is when I looked up your SR page via the link on your post:
has been a member for 42 years
was last seen: 42 years ago
has 0% positive feedback
explain?
TJ
Ah, I'm guessing because it was a link to the OLD sr domain name.
I didn't realize I needed to update it when they changed, so thanks for letting me know.
EDIT: See, fixed. I actually was wondering why it did that because I've clicked on other people's links and the same thing happened.
-
There is nothing wrong with privnote.
The fact the vendor couldn't decrypt is weird though. I've had times when the buyer encrypted stuff to the wrong email, but I just told them that and they fixed it. If this isn't the case then I wouldn't deal with the vendor. Better safe than sorry.
Yeah, I think the fact the vendor can't decrypt is pretty weird. I tried the public key on their profile twice. They also sent me their public key via message, and it was the same as the one listed in the profile. Tried it for the 3rd attempt anyway. I tried encrypting using the email from the public key twice, and once using their name from the public key.
The error this vendor is getting is supposedly "no encrypted data found". Anyone know what might cause that?
Another weird thing: The vendor said that my encrypted message looked too small (in size) by a third. This doesn't make sense to me because the successful one I sent to another vendor, and the ones I've tested locally using my own public/private keys, are exactly the same size. So I don't think the size should look wrong and makes me wonder why someone would say that.
It just feels fishy.
-
If you want to send me a test message, feel free:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2 (MingW32)
mQGiBE6nBQ4RBACMdtx+cMeirQSyWHtiO1pTxJqnY2vgBJMJy8P0i3wS6sh4Ql/4
1q3OR8fFTZbVD+fpP7wzjYlvbP6B5WHUvfmTOQedYbp3+NOrCTnxhO9HqsQDqThI
0LarIhTgaAXWGR/WUNEwQXvLWO3sf6D0Ib3oyM7iGfOm3VKcGicx6q9iZwCgw3dk
FMmPd7i97RpBqCTHXHsNQqMD/ReOxNONR/muQNVGA/EDsKFCH8FFe3Uo36hsmlfI
yhXeZdvEDc7yhc3mmAz+EBDSqIi3ANCMajJM614/tvabQ3yYH8kxlZrG5drUeK8e
mCv6x6lWlqeIXOfMNkoVQIW+ijzBE46EdMcm5nr3quxy+W3ObliVZnBTeAkXw7FA
84OAA/4uhHh641/tmWH/ksVEj5D9SMODaXYtEPCUK7zppfG9tNfI6kvhJSI1R05g
FrebGKTZZQ9+iHo0g6kGczSii2JCYGPcc83rrx1whHBYuGk+swxdDXkdbaDz/kQ5
RUsKwfBCS2OYvUZzWCMzHVSm2HzqKn0wd3QoKaCX8Cz6zw6UMLQnZGF2aWRkQHRv
cm1haWwubmV0IDxkYXZpZGRAdG9ybWFpbC5uZXQ+iFwEExECAB0FAk6nBQ4GCwkI
BwMCBBUCCAMEFgIDAQIeAQIXgAAKCRDkdotlbl/aowolAKC6cyvFQAVtlPNAW8B0
H9al9cNuegCXavSk97iYFehWnY2XRZDyPIs8j7kBDQROpwUQEAQAopygGdRUI7PZ
MGr5XsbDabkiP8vzhvxe6hPGZLpDfGYgNg+wncSc+9IoTvX84XZxt4f+2hGn9d3P
xWYffVJb8KjfiGr9FZmFmti3ZnZlbrizOpObZeefcyqBHTWjk1ziZHhKOEuyXfQi
SNAyMqo0RLl9aodxtXw12h8+Wd26iEcAAwUD/2Q3Udotwf2EH1IRC+ZOspY6FZ7m
PHlNoaC/IhwYcOpXU7eDDhjRaK67SawHviYqYNxpcppmHD0mF8Ild+/VxYhnogsK
tYPTBP0n142HI21J1DT2fUV1zqxtJsDPx54S6ty2isKT2TdhswIoDMWKA/L4sXDW
NN/8JiLTE9O9zfv5iEYEGBECAAYFAk6nBRAACgkQ5HaLZW5f2qPLUQCdGsZPGTpz
kKCL2nzn7sBEdB474moAoI87c4fZIK1//pHh1cJy+/haWSnE
=Is+D
-----END PGP PUBLIC KEY BLOCK-----
-
The error this vendor is getting is supposedly "no encrypted data found". Anyone know what might cause that?
I've gotten this problem before, too. As a buyer I would send my address encrypted and sellers would get this error. I have no idea what the cause of this is, as some vendors were able to decrypt, but I wasn't able to myself using a dummy key. Try using a new key.