Nucleus PGP Feature? Risk of Exposure? WTF??

Long-time buyer on many DNMs. I buy only for personal consumption. I use an anonymously purchased VPN proxy service, the Tor bundle for Windows, a mixing service, and GPG/Kleopatra.

I was an Evo refugee who fled to Nucleus after disaster struck. Due to that experience, I have also done business direct via email with a few vendors after getting to know them over the normal course of business.

Recently I began doing some supplemental transactions with a small-time vendor on Nucleus. Instead of email, we used the messaging feature on the site for these transactions. For example, I might upgrade postage or take the "...last one of the batch."

I would use the vendor's published pubkey and my GPG/Kleopatra client/keypair to encrypt all communications.

All is good...right? Well, I don't know...

I had noticed that there was a "PGP" check box on the Nucleus message app. I never paid attention to it as I was using my own encryption.

When Nucleus went down, this vendor emailed me but could no longer decrypt my messages, nor could I decrypt his. He made a comment about being bummed because the PGP on Nucleus had helped him, as he "wasn't good with PGP." (?!?!)

What the fuck?

Did Nucleus have some kind of site provided/distributed key pairs/app embedded in their messaging system that this vendor was using?

Does this potentially expose all communications sent with that feature to anyone who has access to the backend DB/system, even though my private key was NEVER uploaded onto Nucleus?

I will gladly accept the ridicule if this is an incredibly stupid question since I was always in possession of my private key.


Comments


[2 Points] Jay-__:

I don't really get the question here.

I think Nucleus is auto-encrypting messages with the provided keys when you had the 'PGP?'-option checked.

Yes, there is no way to prove if they didn't save them as plaintext before encrypting - in case that's what you were asking.


[2 Points] Axaq:

On-site encryption uses the recipient's stored public key to encrypt the message for you. Arguably you shouldn't use this and should encrypt messages yourself, because the market could store the plaintext messages too if they wanted to and you'd never know. Law enforcement could also take over the site and do this so that they can receive unencrypted messages without anyone being aware.

Not entirely sure of your question as your post was confusing, but they don't store private keys, so he would have had to decrypt your messages himself outside of the site. The issue you are seeing is that the email service isn't formatting the PGP messages properly when you send them, so they are malformed, meaning they can't be decrypted unless you manually format their spacing and new lines.
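
Axaq's diagnosis (messages arriving malformed because a mail client altered spacing and line breaks) can be checked before anyone blames the keys. This is an added example, not code from the thread or from any market: it computes the RFC 4880 CRC-24 armor checksum, tolerates CRLF, trailing spaces and re-wrapped lines, and reports when the base64 body itself was altered. The sample block is constructed from arbitrary bytes and is not a real OpenPGP packet.

```python
import base64
import binascii
# CRC-24 parameters from RFC 4880 section 6.1 (the checksum on the "=XXXX" armor line)
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF
def crc_line(data: bytes) -> str:
    """The armor checksum line: '=' followed by the CRC-24 as 4 base64 characters."""
    return "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
def armor(data: bytes) -> str:
    """Wrap bytes as a PGP MESSAGE armor block (RFC 4880 section 6.2), 64-char lines."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PGP MESSAGE-----\n\n{body}\n{crc_line(data)}\n-----END PGP MESSAGE-----\n"
def check_armor(text: str):
    """Say whether an armor block survived mail-client mangling with its bytes intact."""
    # Normalise CRLF and trailing whitespace, which mail clients add freely.
    lines = [ln.rstrip() for ln in text.replace("\r\n", "\n").split("\n")]
    try:
        start = lines.index("-----BEGIN PGP MESSAGE-----")
        end = lines.index("-----END PGP MESSAGE-----")
    except ValueError:
        return False, "missing BEGIN/END line"
    # Keep only base64 and the CRC line: drop blanks and armor headers like "Version: ...".
    body = [ln for ln in lines[start + 1:end] if ln and ":" not in ln]
    if not body or not body[-1].startswith("="):
        return False, "missing CRC line"
    expected = body.pop()
    try:
        data = base64.b64decode("".join(body), validate=True)  # joining repairs re-wrapped lines
    except binascii.Error:
        return False, "body is not valid base64 (characters lost or changed)"
    if crc_line(data) != expected:
        return False, "CRC mismatch (bytes changed in transit)"
    return True, f"intact, {len(data)} payload bytes"
# Constructed sample: arbitrary bytes, not a real OpenPGP packet.
SAMPLE = armor(b"constructed sample payload " * 5)
# A line re-wrapped mid-body, then CRLF endings with trailing spaces: harmless, still decodes.
MANGLED = (SAMPLE[:60] + "\n" + SAMPLE[60:]).replace("\n", " \r\n")
# One base64 character changed: still valid base64, but the CRC exposes the damage.
CORRUPTED = SAMPLE[:40] + ("A" if SAMPLE[40] != "A" else "B") + SAMPLE[41:]
```

If the CRC checks out but GnuPG still refuses the message, the armor is intact and the problem really is the key material, not the transport.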


[1 Point] hdheuud:

Your vendor was a dumbass who typed plaintext into Nucleus and let them encrypt it for him. So, worst case scenario, everything HE typed is stored for blackmail purposes.