Silk Road forums

Discussion => Security => Topic started by: goblin on April 02, 2012, 07:39 pm

Title: Non-encrypted orders - looking for a solution - "My brain hurts!"
Post by: goblin on April 02, 2012, 07:39 pm
I've been wracking my brain (and yes, it hurts just like Michael Palin's) trying to come up with a solution for people who are either not willing or just can't seem to learn PGP in order to encrypt their orders (name, address).

The only standby solution I came up with is for them to write "email" in the address box in the shopping cart page and then send email to a tormail account I have. (Of course it could be any other secure non-javascript email service.) I would see the order and immediately go to tormail and read the customer's information, copy it and immediately delete it.

No one has done this yet in an order. I have cancelled several orders of people who just wrote their name and address as is, and I sent them a courteous message asking them to either implement PGP or do that tormail thing.

It's a pain in the rear to have to jump through hoops for people who either don't know, don't care, or simply are too lazy to take their security (and that of their vendors) seriously.

I found a couple of places that *seem* to be alternate solutions, websites that offer instant encryption, such as http://infoencrypt.com/ or http://www.encrypt-easy.com/encrypt-text.aspx, but I just don't know enough to judge whether they'd be any safer than to write their address non-encrypted in the cart page.

If any of you veterans out there who are light-years ahead of me in this department would comment on this, I think it would help all vendors, and potential customers who might be reading this too.

goblin

Title: Re: Non-encrypted orders - looking for a solution - "My brain hurts!"
Post by: Laughing Man on April 02, 2012, 07:46 pm
I don't see why you care really, it's only their security at risk. Anyway, I would suggest using privacybox (http://c4wcxidkfhvmzhw6.onion/). Once you make an account there, you can give them your public key and when people submit a message to you through their site it's automatically encrypted with your public key. You can then check the messages via their site or have them automatically forwarded to your email address.

Title: Re: Non-encrypted orders - looking for a solution - "My brain hurts!"
Post by: darthvaderstar on April 02, 2012, 08:12 pm
Looking at it all can be overwhelming, but when I just did it step by step, it's actually pretty easy.

Title: Re: Non-encrypted orders - looking for a solution - "My brain hurts!"
Post by: QTC on April 02, 2012, 08:15 pm
> I found a couple of places that *seem* to be alternate solutions, websites that offer instant encryption, such as http://infoencrypt.com/ or http://www.encrypt-easy.com/encrypt-text.aspx, but I just don't know enough to judge whether they'd be any safer than to write their address non-encrypted in the cart page.

These things are just toys, there is no substitute for gpg. But I gotta agree, if your customers don't care about their security why should you force them to? It doesn't really make any difference to your opsec.

Title: Re: Non-encrypted orders - looking for a solution - "My brain hurts!"
Post by: goblin on April 02, 2012, 08:31 pm
> I don't see why you care really, it's only their security at risk. Anyway, I would suggest using privacybox (http://c4wcxidkfhvmzhw6.onion/). Once you make an account there, you can give them your public key and when people submit a message to you through their site it's automatically encrypted with your public key. You can then check the messages via their site or have them automatically forwarded to your email address.

Thanks for your suggestion, but I had already seen this site and they aren't accepting new accounts.

You are all saying that it is their security alone that they put at risk. I'm not sure that is exactly the case. I have read opinions that go either way. More input from others would be helpful.

Title: Re: Non-encrypted orders - looking for a solution - "My brain hurts!"
Post by: DropGuy751 on April 02, 2012, 08:34 pm
PortablePGP seems to be the best solution for newbies.

Title: Re: Non-encrypted orders - looking for a solution - "My brain hurts!"
Post by: Laughing Man on April 02, 2012, 08:35 pm
> > I don't see why you care really, it's only their security at risk. Anyway, I would suggest using privacybox (http://c4wcxidkfhvmzhw6.onion/). Once you make an account there, you can give them your public key and when people submit a message to you through their site it's automatically encrypted with your public key. You can then check the messages via their site or have them automatically forwarded to your email address.
>
> Thanks for your suggestion, but I had already seen this site and they aren't accepting new accounts.
>
> You are all saying that it is their security alone that they put at risk. I'm not sure that is exactly the case. I have read opinions that go either way. More input from others would be helpful.

How does them not encrypting their address make you vulnerable? It doesn't. Only them.

Title: Re: Non-encrypted orders - looking for a solution - "My brain hurts!"
Post by: Regional1 on April 02, 2012, 09:39 pm
I'm inclined to agree with the op on bad security compromising buyer and seller. While certainly no expert, I can certainly think of ways non-secured addresses could lead to bad things for all involved. Granted, it depends on how bad someone wants to get a particular vendor, but a non-encrypted addy is one step down a road that I wouldn't want to go were I a vendor. I am NOT a vendor, but if I were I would NEVER send to an unencrypted address.

Besides, if a vendor can afford to be a little picky, then he should encourage people to learn about security for themselves. It's no good to have all your customers under investigation. I mean, is it? ???