Silk Road forums
Support => Feature requests => Topic started by: dempills on November 10, 2012, 04:22 pm
-
Automatic PGP encryption using stored vendor public keys would be nice; all that would have to be assured is that the server destroys the record of the unecrypted copy (on the server at least) of the user address.
-
I'm not sure if you have heard of Bitwasp? It is an opensource silk road clone which is designed to lower the barrier of entry for people to setup and use an online Tor/Bitwasp marketplace like the Silk Road. Its my open that although the silk road is great for what it has achieved as an experiment, the system is far to centralized and if the silkroad went down for good today its would take time to get the community back.
Anyways, to answer your question, Bitwasp already has on-the-fly PGP encryption of messages built in. If the user has javascript enable and are sending a message to a seller with a PGP key in their profile, their message will be encrypted automatically before it leaves the browsers. The server never sees or is able to store any plaintext messages. Its my opinion that sites like the Silk road should be accessible for everyone as it is the quickest way to make the war on drugs almost nonexistant.
Bitwasp also has some other interesting features such as 2-step authentication using PGP. A user can store their public key in their profile, then on signing in a token is generated and encrypted with the user's public key. The must decrypt this message with their private key and enter the token to login. It makes phishing useless!
Bitwasp currently needs some more developers to get it finished off and get bitcoin/escrow integration finished and tested, I see an open source distributed system as the way forward. If there are any interested developers here please post on the github project and feel free to submit pull requests for any features you add.
dsynth
-
I've actually forked the git repo for bitwasp, but I haven't had a chance to examine the code yet.
The problem with using javascript for crypto on Tor is that 99% people don't have it enabled (and honestly, for good reason) :(
The 2-step authentication is an interesting idea, it's definitely something that SR could very easily implement given the current PIN number system.
The problem with alternatives is trust; for example if you keep track of alt crypto-currencies most of them end up as pyramid schemes with the creators starting off with immense amounts of pre-mined coins. From this, people now refuse to even pick up the currencies.
My question is, would it be practical and/or suitable to have some sort of mechanism for preventing operators from taking the escrow and running?
-
I feel the more features such as auto-PGP-messaging would weaken SR by requiring additional processes and features to be constantly ran on servers that are already overwhelmed. I suspect there are many users that change their PGP key over time (also with different passwords) while keeping the same SR username, which would only complicate SR-PGPkey linking definitions.
IMHO, SR is doing well in this respect by keeping communication simple (text only) among users and leaving it up to end users to adapt their own preferences of security.
-
Automatic PGP encryption using stored vendor public keys would be nice; all that would have to be assured is that the server destroys the record of the unecrypted copy (on the server at least) of the user address.
Bad idea. Makes people less security aware. And the security awareness on SR isn't at a level that should be lowered even further. If you can't handle simple PGP encryption then buy/sell your stuff on a street corner. Enforcing people to have some minimum security knowledge is a good thing. Take that away and people won't give a single fuck about security anymore.
-
Mmm, unsafe security ideas... delicious.
-
Automatic PGP encryption using stored vendor public keys would be nice; all that would have to be assured is that the server destroys the record of the unecrypted copy (on the server at least) of the user address.
Bad idea. Makes people less security aware. And the security awareness on SR isn't at a level that should be lowered even further. If you can't handle simple PGP encryption then buy/sell your stuff on a street corner. Enforcing people to have some minimum security knowledge is a good thing. Take that away and people won't give a single fuck about security anymore.
Exactly right, people need to be aware of, and take responsibility, for their own security. That means securing and managing pgp keys and messages yourself & not relying on some faceless server.