[General Question] Is Black Bank's AutoPGP a bad thing?

I was just browsing around and found a post on https://dnstats.net/market/BlackBank

Anybody care to weigh in? I'm no expert so this guy could be full of shit, sounds legit though.

Expert on algorytmics with 10+ years of professional experience said last 11th May, 2015 at 0:55 (8 Day(s) ago)

The comment below just made me aware that BlackBank provides an AutoPGP feature. They are fucked because of encouraging people to use it - here goes my math proof (using simple logic):

Case 1) Using only AutoPGP (without PGP on your local machine) - when you send for example your email address (which is plain text in this case) then BlackBank is able to read it (maybe even store it). So if the market is taken over by LE then all your data is compromised - you know the implications.

Case 2) Using local PGP + AutoPGP - after these operations you will have an encoded message protected by 2048 or 4096 RSA. There is not much info about the exact implementation of the AutoPGP feature in BB but I guess they are using the very same PGP public key which you use locally (i.e. the public key of the vendor), so the encryption key remains unchanged and therefore there is no extra security added here. Even if they use some other key (I really doubt it) then the key size will be double, for example 2*4096 bytes, which is also useless as nowadays 2048 bytes is sufficient for most purposes - going over 4096 bytes is pointless.

It's really bad - it gives people a false sense of security and doesn't help in any case as described above. What was the author trying to accomplish by introducing that shit? Is he just so lame and dumb? IMHO I doubt it as he's maintaining one of the biggest darknet markets but who knows... So please, people, watch out! PGP makes sense only on your secure, private machine.


Comments


[6 Points] Trappy_Pandora:

AutoPGP should never be trusted.


[2 Points] MLP_is_my_OPSEC:

2048 bytes will be fine until ~2030, so they're correct in that aspect. But you're far better off using 4096, since it's extra security and really doesn't take long to create. Though there is a point where, as key size increases, the returns diminish. But this won't be a problem for quite some time yet.

But yes, AutoPGP is an incredibly stupid feature and gives buyers a false sense of security since you have no idea what's happening on the back-end without being able to see the source code.


[1 Points] None:

Nothing wrong with Auto PGP.
It should be mentioned, however, that it is not to be relied on.
It's only to cover mistakes and lazy people.
Kiss has this feature as well. It can only protect the sender if the recipient has the option activated.
It's always recommended you encrypt it yourself, but having the option active is a good safety net.