Silk Road forums

Discussion => Security => Topic started by: IamaLizard on May 06, 2012, 01:35 am

Title: When to use PGP?
Post by: IamaLizard on May 06, 2012, 01:35 am
I noticed after clicking to buy a product there is a field for my address/etc. Is this field auto encrypted or do I encrypt my info with their public key and then paste it? Thanks
Title: Re: When to use PGP?
Post by: Prawl42 on May 06, 2012, 01:57 am
Hey, yeah, encrypt your address with the public key on their vendor page, then paste it in. You can also use this for messages over SR, but this is up to you.
Title: Re: When to use PGP?
Post by: Appa on May 06, 2012, 02:45 am
Is this field auto encrypted or do I encrypt my info with their public key and then paste it?

Both!  SR encrypts your address for you, but most of us tend to agree that encrypting it further with the vendor's public key is the best bet.  It only takes seconds, and you ensure that the vendor (or anyone with his private key...) is definitely the only one who can read it.
Title: Re: When to use PGP?
Post by: wretched on May 06, 2012, 04:57 am
Silk Road does not encrypt your address for you. They store it on a mounted encrypted volume, so if the server were compromised, your address would be viewable in plaintext unless you encrypt it yourself. Even if Silk Road did encrypt it for you, don't you want to take control of your own security instead of relying on an anonymous hidden service admin?
Title: Re: When to use PGP?
Post by: simplyanon on May 06, 2012, 05:25 am
how do you know this

I'ma take a guess and say....he doesn't.


Also, OP, some vendors require you to PGP everything from 'Hi I fucked your mom.' to '-insert address here-'. Some only require it for your address. Some don't even require that. If you're paranoid, encrypt everything. If you're like me and don't give a fuck, only encrypt your address. :P
Title: Re: When to use PGP?
Post by: wretched on May 06, 2012, 05:44 am
I guess I don't know it as fact, but it was discussed at length on the old forum. They also claim to delete addresses as soon as orders are put in transit, but during one recent change, lots of "deleted" PMs and transaction histories suddenly returned. I guess my point is that you should take your own encryption into your own hands, and not count on anyone else doing it for you.
Title: Re: When to use PGP?
Post by: Appa on May 06, 2012, 07:00 am
I guess my point is that you should take your own encryption into your own hands, and not count on anyone else doing it for you

Exactly.  Even if SR's encryption was considered foolproof, there's no reason to avoid the added security of PGP, redundant or not.  It takes me literally 2 seconds to encrypt a message if I already have the vendor's public key saved.
Title: Re: When to use PGP?
Post by: hatedpatriot on May 06, 2012, 08:48 am
Regardless of the competence of SR's encryption, you wanna use your own anyway. This just ensures that you aren't using encryption that appears to be encryption, but really is nothing more than a backdoored imposter.

It is for this same reason that you should only use encryption software that is open source.
Title: Re: When to use PGP?
Post by: kmfkewm on May 06, 2012, 09:31 am
He knows this because SR claims to have fully server-side encryption of addresses, and essentially the only way to do this is to store everything on a mounted encrypted drive.

What this means is that SR's server securely encrypts addresses only when the power to their server is cut or the drive is unmounted, because the keys must be stored in RAM so data can be dynamically decrypted/encrypted.

What this means is that if the attacker locates the server while it is still running, or waits for it to start running again, they can get the keys by cold-booting the RAM into a forensics laptop.

It also means that if the server is rooted, the attacker gains full access to the encryption keys.

It also means that DPR can decrypt whatever he wants.

If you use GPG, none of these issues are present.

SR could be using chassis intrusion detection technology and have the RAM secured with encapsulation material. That would make the physical attack harder but not impossible, but I doubt he is doing this because it would mean he almost certainly would have shipped the server to a colocation facility after configuring it himself.
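The argument in the post above (a volume key that has to sit in the server's RAM is available to anyone who roots the box or cold-boots it, and to the admin), and the advice earlier in the thread to encrypt the address to the vendor's public key before pasting it, can both be modelled in a few lines. The following is an added example, not code from this forum, from Silk Road or from GnuPG. It stands in a "market server" whose records are encrypted under a key it holds in memory next to a buyer who encrypts to the vendor's key first, then lets three parties read the records: someone holding only the powered-off disk, someone holding disk plus RAM, and the vendor. Everything in it is constructed: the server class, the attacker functions, the sample address, and both ciphers. The ciphers are deliberately tiny and insecure (an HMAC-SHA256 counter keystream for the volume, textbook RSA with the primes 61 and 53 encrypting one byte per block for the "PGP" layer) so that the script runs on the standard library alone; the property being shown is only who holds which key.

```python
"""Toy model of the two designs argued over in this thread: server-side
encryption under a volume key resident in the server's RAM, versus the
buyer encrypting to the vendor's public key before pasting. Added example,
not code from the forum, from Silk Road or from GnuPG. Both ciphers are
deliberately weak stand-ins so the script needs only the standard library."""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric layer standing in for the encrypted volume: XOR data with
    HMAC-SHA256(key, nonce || block counter). Decryption is the same call."""
    out = bytearray()
    for blk, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + blk.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


# Textbook RSA with constructed toy parameters: n = 61 * 53 = 3233, e = 17,
# d = e^-1 mod (60 * 52) = 2753. One byte per block, so it is a codebook and
# not a real cipher; it only models "the server never holds the private key".
VENDOR_PUB = (17, 3233)
VENDOR_PRIV = (2753, 3233)


def pk_encrypt(pub, data: bytes) -> bytes:
    e, n = pub
    return b"".join(pow(m, e, n).to_bytes(2, "big") for m in data)


def pk_decrypt(priv, blob: bytes) -> bytes:
    d, n = priv
    return bytes(pow(int.from_bytes(blob[i:i + 2], "big"), d, n)
                 for i in range(0, len(blob), 2))


class MarketServer:
    """Models the claimed 'full server-side encryption': every record written
    to the volume is encrypted under disk_key, but disk_key lives in RAM while
    the server runs, so the application (and whoever controls it) reads back
    any record on demand."""

    def __init__(self):
        self.disk_key = os.urandom(32)  # mounted-volume key, resident in RAM
        self.disk = {}                  # order_id -> (nonce, ciphertext) on the volume

    def store_address(self, order_id: int, field: bytes) -> None:
        nonce = os.urandom(16)
        self.disk[order_id] = (nonce, keystream_xor(self.disk_key, nonce, field))

    def read_address(self, order_id: int) -> bytes:
        """What the application returns: to the vendor, the admin, or a root shell."""
        nonce, ct = self.disk[order_id]
        return keystream_xor(self.disk_key, nonce, ct)


def attacker_with_unmounted_disk(server: MarketServer, order_id: int) -> bytes:
    """Seized the drive after the power was cut: has the volume, not the key."""
    _nonce, ct = server.disk[order_id]
    return ct


def attacker_with_ram(server: MarketServer, order_id: int) -> bytes:
    """Rooted the box, or cold-booted its RAM: has the volume and disk_key."""
    nonce, ct = server.disk[order_id]
    return keystream_xor(server.disk_key, nonce, ct)


def place_orders(address: bytes) -> MarketServer:
    """Two orders for one address. Order 1 pastes plaintext and relies on the
    server; order 2 encrypts to the vendor's key before pasting."""
    server = MarketServer()
    server.store_address(1, address)
    server.store_address(2, pk_encrypt(VENDOR_PUB, address))
    return server


if __name__ == "__main__":
    addr = b"123 Example St, Nowhere"  # constructed sample address
    srv = place_orders(addr)
    print("disk only, order 1 hidden:   ", attacker_with_unmounted_disk(srv, 1) != addr)
    print("disk+RAM, order 1 readable:  ", attacker_with_ram(srv, 1) == addr)
    print("disk+RAM, order 2 readable:  ", attacker_with_ram(srv, 2) == addr)
    print("vendor reads order 2:        ",
          pk_decrypt(VENDOR_PRIV, srv.read_address(2)) == addr)
```

The two attackers differ only in whether they also obtained `disk_key`; once they have it, order 1 is plaintext and order 2 is still just the ciphertext the buyer pasted, which only `VENDOR_PRIV` opens. The same holds for the server's own `read_address`, which is the admin's view.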
Title: Re: When to use PGP?
Post by: RootZero on May 06, 2012, 12:27 pm
Does this also apply when sending a message, for example a question to a vendor?
Title: Re: When to use PGP?
Post by: hatedpatriot on May 06, 2012, 12:41 pm
It's entirely up to you what you consider sensitive.
Title: Re: When to use PGP?
Post by: RootZero on May 06, 2012, 01:14 pm
I'm not sure here, but isn't it the nature of Tor itself that 'rogue' outgoing nodes can intercept unencrypted traffic passing through them? So in theory, they could read your address, because when you submit a form on SR it passes through the network unencrypted between you and the server?
Title: Re: When to use PGP?
Post by: Appa on May 06, 2012, 10:31 pm
what I was trying to get at was that none of us know for sure how the server is set up. SR claiming that there's server side encryption of data doesn't really make it so.

This is very true.  Just claiming something doesn't make it so.  We all respect SR and trust it to an extent, but this whole thing is anonymous and carries great risk.  We must all take our security into our own hands.

I'm not sure here, but isn't it the nature of Tor itself that 'rogue' outgoing nodes can intercept unencrypted traffic passing through them? So in theory, they could read your address, because when you submit a form on SR it passes through the network unencrypted between you and the server?

I honestly don't know enough about the workings of Tor, but I was under the impression that all data going through the network was encrypted, and that your personal computer or network would have to be compromised for it to be accessed.  However, as discussed above, you may as well pretend that Tor encrypts nothing, and always take extra measures to secure your private information.
Title: Re: When to use PGP?
Post by: kmfkewm on May 07, 2012, 08:30 am
With hidden services, Tor encrypts data up to, but not including, the time that it has arrived at the server. With non-hidden services, Tor encrypts data up to the point just prior to it arriving at the server; the exit node decrypts the final layer to reveal the plaintext. This means that exit nodes can spy on plaintext data sent through Tor to the normal internet.
Title: Re: When to use PGP?
Post by: RootZero on May 07, 2012, 10:08 am
Not quite getting my head round the tor system fully, but think I'll take your advice and use PGP always. Think I finally got my head round the basics last night after really careful studying of the pinned tutorial. Still not sure about signing yet, but I'm sure that will be another adventure!

So are .onion addresses a server somewhere that acts as an exit node to itself? So therefore, unless someone was physically able to monitor the server itself, they wouldn't be able to see the plaintext?
Title: Re: When to use PGP?
Post by: QTC on May 07, 2012, 02:04 pm
So are .onion addresses a server somewhere that acts as an exit node to itself? So therefore, unless someone was physically able to monitor the server itself, they wouldn't be able to see the plaintext?
Eh you're off from a tech standpoint but your conclusions are right. Always use PGP since you can't trust any other party besides yourself, this applies to SR's servers too.