Silk Road forums

Support => Feature requests => Topic started by: 47926 on November 16, 2011, 12:32 pm

Title: Integrated Javascript PGP
Post by: 47926 on November 16, 2011, 12:32 pm
I usually use this service for encrypting my messages to sellers: http://www.hanewin.net/encrypt/PGcrypt.htm

It's open source, so if it were integrated into SR and sellers were given the option to add their public key to their profile, the checkout stage could pull the key and offer a one click "Encrypt" button before checking out.

It's not something that especially bothers me, but when you consider how many people are struggling to get hold of Bitcoins for their transactions, there's probably a lot of people who are completely perplexed by PGP and don't bother encrypting their comms at all - this would (hopefully) help keep people more secure.

Title: Re: Integrated Javascript PGP
Post by: Variety Jones on November 16, 2011, 10:27 pm
Thing is, no one in their right mind ever allows scripts while visiting an .onion site. Too easy for a bit of innocuous-looking javascript to obtain, obfuscate, and send off your IP address. Sure, we trust SR, but most javascript exploits are injected without the knowledge of the site operator hosting the exploit.

Why even think of trusting something that's important enough to encrypt, to an unknown party's javascript encryption routine? How do you know they don't keep a copy? Because they say so? Do you audit the javascript code EVERY time you use it to make sure it hasn't been maliciously modified?

Honestly, agreeing something is important enough to use PGP, and then using a 3rd party web-based function to encrypt it with seems kind of, well, not very secure at all.

I've got PGP Desktop installed in Windows, and it's a breeze. Highlight and right click a public key, and click import. Highlight text and press [ctrl][alt][d] to decrypt it, or [ctrl][alt][e] to encrypt and replace it. To decrypt or encrypt data in the clipboard, same keystrokes but press [shift] as well. Enterprise level key management and functionality, and a simple as shit program to customize and master. I run open source GPG on my Ubuntu laptop, and it's not a whole lot behind the PGP Desktop program in terms of ease of use and functionality.

Using a web-based encryption routine is akin to sending a postcard by courier to the envelope store to have them put it in an envelope for you. Just because it arrives at its destination in that envelope, doesn't mean someone didn't read it or copy it before they put it in the envelope for you.

Man, I smoke a little weed, and I sure come up with some crappy analogies. :8)