Silk Road forums

Discussion => Security => Topic started by: Damod78 on February 07, 2012, 03:53 pm

Title: SR PM's
Post by: Damod78 on February 07, 2012, 03:53 pm
"All customers must use PGP. Any communications not in PGP will be ignored. My key is at the bottom of the page. If you order and then send your address unencrypted I will cancel your order and return your money."

Just saw this on a vendor's page and was wondering if sending messages through SR is encrypted? Or does the vendor only want e-mails with PGP?

Vendor is Obamagirl, want to order some small orders from her.  Seems on the up and up with good prices.
Title: Re: SR PM's
Post by: OldGuard on February 07, 2012, 05:55 pm
SR does NOT encrypt messages, which is why the vendor wants you to use PGP while ordering and sending PMs.
Title: Re: SR PM's
Post by: aciddeath on February 07, 2012, 06:12 pm
You can send a message on SR after your order is complete that is completely encrypted with PGP.
You use the program Kleopatra, bundled in the Gpg4win package, to encrypt the contents of a file or your clipboard with the public key of the vendor. The clipboard (or output file) then gives you something like:

-----BEGIN PGP MESSAGE-----
Version: GnuPG v2.0.17 (totalinsanitycryptowarlordhelldemonedition)
hQEMdfdfdfsd2f2ef2efef2je0fij2e0ifjej13j0fi130
2efej20f2je0fij2e0ifjej13j0fi130fjiej
-----END PGP MESSAGE-----

Then the vendor can decrypt it with their private key only,
and you can delete your message from your SR sent box.

Title: Re: SR PM's
Post by: Damod78 on February 07, 2012, 07:16 pm
SR does NOT encrypt messages, which is why the vendor wants you to use PGP while ordering and sending PMs.

just found this after a while...

"Absolutely none of your personal information is ever required here. However, an address WILL be needed to accept delivery of any physical goods. Even so, it is stored encrypted, and is deleted as soon as your transaction is complete, so there is no record of it."

If this is true then why are vendors insisting on getting the address sent to them via encrypted mail? If it's just a vendor's extra security measure that's cool, but is the SR address field really encrypted?
Title: Re: SR PM's
Post by: wxevkexi on February 07, 2012, 07:29 pm
SR does NOT encrypt messages, which is why the vendor wants you to use PGP while ordering and sending PMs.

just found this after a while...

"Absolutely none of your personal information is ever required here. However, an address WILL be needed to accept delivery of any physical goods. Even so, it is stored encrypted, and is deleted as soon as your transaction is complete, so there is no record of it."

If this is true then why are vendors insisting on getting the address sent to them via encrypted mail? If it's just a vendor's extra security measure that's cool, but is the SR address field really encrypted?

This is because even though the addresses are stored encrypted, they get transmitted from your browser to the SR servers over Tor unencrypted. The problem is not that they can be intercepted, because the connection is SSL. But when they first hit the SR servers, they are plain text. So, theoretically, someone at SR can see them. But if you encrypt the address before pasting it into the web form, even SR can't see the address. The only one who can see it is the vendor. SR will then encrypt the already encrypted version and store that (well, only until the vendor retrieves it).

So, encryption is encouraged for that extra measure of security for the user. What it does is close that small window where the plain text address is available to SR before it encrypts it.
Title: Re: SR PM's
Post by: QTC on February 07, 2012, 08:18 pm
SR is responsible for their own security, not yours, and you cannot trust any other systems anyway. Peeps who aren't naive know this and take their own security into their own hands and use PGP. SR will not protect you.
Title: Re: SR PM's
Post by: jimvisa on February 07, 2012, 09:30 pm
If SR were compromised, all bets on the safety of your address are off. Dunno how well implemented the encryption is; even if it's really solid, so what? There are plenty of potential vectors for getting at our addresses.
PGP means that nobody but the vendor can see your address no matter how much they want to (provided the vendor isn't compromised, but they were going to have to see it anyway).

Why take unnecessary chances?
Title: Re: SR PM's
Post by: Aldous.Huxley on February 25, 2012, 01:57 am
SR does NOT encrypt messages, which is why the vendor wants you to use PGP while ordering and sending PMs.

just found this after a while...

"Absolutely none of your personal information is ever required here. However, an address WILL be needed to accept delivery of any physical goods. Even so, it is stored encrypted, and is deleted as soon as your transaction is complete, so there is no record of it."

If this is true then why are vendors insisting on getting the address sent to them via encrypted mail? If it's just a vendor's extra security measure that's cool, but is the SR address field really encrypted?

This is because even though the addresses are stored encrypted, they get transmitted from your browser to the SR servers over Tor unencrypted. The problem is not that they can be intercepted, because the connection is SSL. But when they first hit the SR servers, they are plain text. So, theoretically, someone at SR can see them. But if you encrypt the address before pasting it into the web form, even SR can't see the address. The only one who can see it is the vendor. SR will then encrypt the already encrypted version and store that (well, only until the vendor retrieves it).

So, encryption is encouraged for that extra measure of security for the user. What it does is close that small window where the plain text address is available to SR before it encrypts it.

Thanks, was wondering about this. Seems an important extra step that gets to be a little overlooked by buyers.
Title: Re: SR PM's
Post by: Laughing Man on February 25, 2012, 02:03 am
SR does NOT encrypt messages, which is why the vendor wants you to use PGP while ordering and sending PMs.

just found this after a while...

"Absolutely none of your personal information is ever required here. However, an address WILL be needed to accept delivery of any physical goods. Even so, it is stored encrypted, and is deleted as soon as your transaction is complete, so there is no record of it."

If this is true then why are vendors insisting on getting the address sent to them via encrypted mail? If it's just a vendor's extra security measure that's cool, but is the SR address field really encrypted?

This is because even though the addresses are stored encrypted, they get transmitted from your browser to the SR servers over Tor unencrypted. The problem is not that they can be intercepted, because the connection is SSL. But when they first hit the SR servers, they are plain text. So, theoretically, someone at SR can see them. But if you encrypt the address before pasting it into the web form, even SR can't see the address. The only one who can see it is the vendor. SR will then encrypt the already encrypted version and store that (well, only until the vendor retrieves it).

So, encryption is encouraged for that extra measure of security for the user. What it does is close that small window where the plain text address is available to SR before it encrypts it.
Actually, the address is encrypted all the way to SR's server. The point of using GPG is simply that if SR were ever compromised, the buyers' addresses wouldn't be revealed.
Title: Re: SR PM's
Post by: Spedly on February 25, 2012, 02:07 am
Cryptography does more than provide confidentiality. It also provides integrity and authenticity, the latter being very important on a site like Silk Road.
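The flow wxevkexi describes (the buyer encrypts to the vendor's public key before the field ever reaches the site) together with Spedly's point about integrity and authenticity, as an added GnuPG example that is not from the thread. It assumes gpg 2.x is installed and works in a throwaway keyring; the two keys, the example.invalid addresses and the field value are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: sign and encrypt a sensitive form
# field on the client with the recipient's OpenPGP public key, so the site's
# form handler only ever receives and stores ciphertext. Assumes GnuPG 2.x on
# PATH; both keys, the e-mail addresses and the field value are constructed.
set -eu
export GNUPGHOME="$(mktemp -d)"   # throwaway keyring; the real one is untouched
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# gpg with no prompts, no tty and no passphrase, for every call below.
g() { gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' \
          --trust-model always "$@"; }

# Constructed keys: recipient ("vendor") and sender ("buyer").
g --quick-generate-key vendor@example.invalid default default never
g --quick-generate-key buyer@example.invalid default default never

# Sender side: sign with the sender's key, encrypt to the recipient's key, and
# ASCII-armor it into the -----BEGIN PGP MESSAGE----- text that goes in the form.
encrypt_field() {
    printf '%s' "$1" | g --armor --local-user buyer@example.invalid \
        --recipient vendor@example.invalid --sign --encrypt
}

# Site side: the handler stores the blob as-is. Returns 0 when the blob is PGP
# armor with none of the original plaintext in it: the thread's "window" where
# the site briefly held plaintext no longer exists.
stored_blob_is_opaque() {   # $1 = stored blob, $2 = original plaintext
    case $1 in *"$2"*) return 1 ;; esac
    case $1 in *"-----BEGIN PGP MESSAGE-----"*"-----END PGP MESSAGE-----"*) return 0 ;; esac
    return 1
}

# Recipient side: decrypt with the private key and require a good signature
# from the sender, rejecting forged or altered fields (integrity and
# authenticity, not only confidentiality). Prints the plaintext on success.
vendor_decrypt() {
    st=$(mktemp)
    plain=$(printf '%s\n' "$1" | g --status-fd 3 --decrypt 3>"$st") || { rm -f "$st"; return 1; }
    grep -q '^\[GNUPG:\] GOODSIG ' "$st" || { rm -f "$st"; return 1; }
    rm -f "$st"
    printf '%s' "$plain"
}

# Demo run with a constructed field value (the thread's case is a postal address).
FIELD='742 Evergreen Terrace, Springfield'
BLOB=$(encrypt_field "$FIELD")
stored_blob_is_opaque "$BLOB" "$FIELD" && echo "site holds only ciphertext"
[ "$(vendor_decrypt "$BLOB")" = "$FIELD" ] && echo "recipient recovered the field; signature good"
```

An encrypted-but-unsigned blob decrypts fine yet is rejected by vendor_decrypt, which is the authenticity check Spedly is pointing at.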
Title: Re: SR PM's
Post by: sourman on February 27, 2012, 01:05 pm
Not to hijack this thread or anything, but does anyone see a problem with using PGP Desktop or PGP Portable instead of GPG? I really don't feel like using command line tools to encrypt "my address" since all I plan on ordering is small amounts of bud. If quicker, more forgivable implementations of PGP are OK, I have no reason not to use it.
Title: Re: SR PM's
Post by: QTC on February 27, 2012, 03:22 pm
Not to hijack this thread or anything, but does anyone see a problem with using PGP Desktop or PGP Portable instead of GPG? I really don't feel like using command line tools to encrypt "my address" since all I plan on ordering is small amounts of bud. If quicker, more forgivable implementations of PGP are OK, I have no reason not to use it.
They're all OpenPGP implementations, so it doesn't make a difference.
Title: Re: SR PM's
Post by: sourman on February 27, 2012, 03:26 pm
Ahh OK, thanks. I thought for some reason that PGP Desktop being commercial, closed-source software made it unpopular or somehow shunned. PGP Portable is a Java-based solution which is open source IIRC. It seems outdated, but it does the job. As long as there aren't any security-related bugs in it, that would probably be my PGP of choice.