Silk Road forums
Discussion => Security => Topic started by: ixor568 on June 02, 2012, 03:08 pm
-
So I've noticed some vendors have started using this over PGP encryption; I wanted to get the communities thoughts on this and is this a safe alternative or should I just avoid any vendors using Privnote?
Thanks ;)
-
I think pgp should be the standard, and I dont like privnote. The only problem is some vendors dont use pgp, so if you want to put in an order you have to use privnote or send your address unencrypted. Kinda shitty, but i make exceptions for certain vendors.
I look at it this way, if the vendor is shady and possible LE collecting addresses, he could just as easily set up pgp and accept orders using it. Also if this were the case, that pgp encryption could possibly be used against you because its proof that you were the one who put in the order as only you would have the code to decrypt messages sent back to you. Theres no deniability that is isnt you if you are communicating with pgp and they are watching you. Anyone can send a privnote with you address and that could be something that saves you in the long run.
I dont know i guess thats just how i justify sending my address with privnote, Its really nowhere near as secure as pgp, and i wish all vendors were required to use pgp, but its the nature of the beast so it really comes down to if you as the buyer are willing to take the risk.
-
as a vendor I use it as a LAST RESORT I will contact the buyer 3 times about the PGP encryption not reading properly and then I will ask them to use privnote & I only open the link in SR or the forums just for security purpose
-
as a vendor I use it as a LAST RESORT I will contact the buyer 3 times about the PGP encryption not reading properly and then I will ask them to use privnote & I only open the link in SR or the forums just for security purpose
I do use Privnote to provide mailing addresses to clients as to where to send their cash. This is to protect the identity of my associates and because not all new buyers have quite mastered GPG.
It is possible to view the IP address of someone who has clicked on your Privnote so I'd suggest only accessing it from Tor.
Of course if we had a Tor hidden service which emulated Privnote I don't think this would be as much of a worry - perhaps I'm wrong and there is one?
V.
-
SILK ROAD GENERAL WARNING: Privnote Is Not A Safe Alternative To GPG. Use Of Privnote May Cause Incarceration. Quitting Privnote'ing Now Greatly Reduces Serious Risks To Your Freedom.
-
why even bother to use privnote it is just one more place where shit can be intercepted you might as well just send plaintext over SR
-
why even bother to use privnote it is just one more place where shit can be intercepted you might as well just send plaintext over SR
In my own case the worry would be that if a less experienced user were to store a copy of the address where the cash should be sent on their computer and then were to be caught having anything illegal delivered to their home, the identity of my associates would be revealed.
I should stress I don't recommend this as a general policy of course - in an ideal world we would all use GPG in our e-mails and this wouldn't even be an issue! Anyone who needs help with getting set up on GPG please feel free to ask!
V.
-
The identity of your associate is almost certainly already known if he lets random people from SR send him cash in the mail for bitcoins
-
The identity of your associate is almost certainly already known if he lets random people from SR send him cash in the mail for bitcoins
If an LEO stooge were to be sent a message with the mailing address they would have to click the link within it to display the name and address of my associate. However after that they'd only have the stooge's word for it that the Privnote contained his particular name and address as it's being deleted after being viewed (or so we are told! :-D ). Examining the problem from the other end i.e submitting my associate's name and address to Privnote on its own also gives LEO nothing as anyone could have written his address there, including himself for any reason.
Sending a plaintext address over SR may be more secure theoretically but ensuring that people only view the address when the envelope is sent reduces the chance my customers will store it on their machines by saving an e-mail or message to their hard drives. Of course this isn't a problem if you use full disk encryption but we've already discussed that is by no means a guarantee of safety!
I wouldn't recommend people use it over Tormail + GPG generally but it suits my particular needs when dealing with newer clients. I don't understand why some vendors don't use GPG though, surely it's something that's covered in the Seller's Guide?
V.