Silk Road forums

Support => Feature requests => Topic started by: kybzmsrf on August 14, 2013, 09:04 pm

Title: Replace PIN with PGP-encrypted one-time passwords
Post by: kybzmsrf on August 14, 2013, 09:04 pm
I had been thinking about this months ago and now feel like bringing this up on the forums.

What's bugging me with the current "2 password system" is a) that you can't recover passwords, b) that people are vulnerable to phishing and c) that you can't recover a compromised account.
Also, that some vendors consistently refuse to use PGP is ridiculous.

My thoughts:

If the upload of a PGP public key was made mandatory, all those problems would disappear.

- The PIN could be replaced by an encrypted one-time password. Meaning when you want to do whatever you'd need your PIN for, you'd be shown an encrypted PGP block containing a randomly generated password that you'd need to decrypt using your PGP private key. Then you use the decrypted password as what is now your PIN.

- In the same way it would be possible to change a lost password to a new one.

- It'd be impossible to fully compromise accounts via phishing or make them unrecoverable

- Obviously there wouldn't be any way around the usage of PGP for vendors

- A user's public key could be shown on the account profile and when you get a PM from another user. So you wouldn't need to include your public key when starting an encrypted conversation with someone.


As far as the compromising thing goes, of course this won't help those people with trojans on their system... But what would...

Of course people could also be given the choice if they want to rely on a PIN or rather upload a pub key and use much safer one-time passwords.
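The challenge-response flow proposed above, as an added worked example that is not part of the original post and is not Silk Road code. Textbook RSA (no padding, demo-sized keys) stands in for PGP so the block runs offline; the `OneTimePasswordService` class, the user names alice and mallory, and the constants `OTP_CHARS`, `CHALLENGE_TTL` and `RSA_BITS` are all assumptions made for the illustration. The server keeps only a hash of each outstanding one-time password, makes it single-use and time-limited, and burns it on any attempt, right or wrong.

```python
import hashlib
import hmac
import math
import secrets
import time

OTP_CHARS = 32        # hex characters the user types after decrypting (assumed)
CHALLENGE_TTL = 300   # seconds a challenge stays valid (assumed)
RSA_BITS = 512        # demo key size only; far too small for real use

# Stand-in for PGP: textbook RSA with no padding. It only illustrates
# "encrypt to the user's public key"; a real deployment would use OpenPGP.

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(candidate):
            return candidate

def generate_keypair(bits: int = RSA_BITS):
    """Return ((n, e), (n, d)): public key first, then private key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))  # modular inverse needs Python 3.8+

def encrypt(pub, otp: str) -> int:
    n, e = pub
    m = int.from_bytes(otp.encode("ascii"), "big")
    if m >= n:
        raise ValueError("message too large for key")
    return pow(m, e, n)

def decrypt(priv, ciphertext: int) -> str:
    """Recover the OTP; with the wrong key this yields garbage, not an error."""
    n, d = priv
    raw = pow(ciphertext, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
    return raw[-OTP_CHARS:].decode("ascii", errors="replace")

class OneTimePasswordService:
    """Server side: each user's public key plus at most one pending challenge."""

    def __init__(self, clock=time.monotonic):
        self._pubkeys = {}
        self._pending = {}  # username -> (sha256(otp), expires_at)
        self._clock = clock

    def register_pubkey(self, username: str, pub) -> None:
        self._pubkeys[username] = pub

    def issue_challenge(self, username: str) -> int:
        """Fresh random OTP; store only its hash, return it encrypted to the user's key."""
        otp = secrets.token_hex(OTP_CHARS // 2)
        self._pending[username] = (hashlib.sha256(otp.encode()).digest(),
                                   self._clock() + CHALLENGE_TTL)
        return encrypt(self._pubkeys[username], otp)

    def verify(self, username: str, submitted: str) -> bool:
        """Consume the pending challenge: any attempt, right or wrong, burns it."""
        record = self._pending.pop(username, None)
        if record is None:
            return False
        digest, expires_at = record
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(digest, hashlib.sha256(submitted.encode()).digest())

def demo() -> dict:
    """Legitimate use, replay, key-less phisher and expiry, on constructed data."""
    now = [0.0]  # controllable clock so the expiry case is deterministic
    svc = OneTimePasswordService(clock=lambda: now[0])
    alice_pub, alice_priv = generate_keypair()
    svc.register_pubkey("alice", alice_pub)
    # 1. user decrypts the block and types the result as the PIN; then replays it
    ch = svc.issue_challenge("alice")
    otp = decrypt(alice_priv, ch)
    accepted, replayed = svc.verify("alice", otp), svc.verify("alice", otp)
    # 2. phisher captured the encrypted block but holds a different private key
    ch = svc.issue_challenge("alice")
    _, mallory_priv = generate_keypair()
    phished = svc.verify("alice", decrypt(mallory_priv, ch))
    # 3. right key, but the challenge was left to expire
    ch = svc.issue_challenge("alice")
    now[0] += CHALLENGE_TTL + 1
    expired = svc.verify("alice", decrypt(alice_priv, ch))
    return {"accepted": accepted, "replayed": replayed,
            "phished": phished, "expired": expired}

if __name__ == "__main__":
    print(demo())
```

Two points the code makes that the post leaves implicit: because only the hash of the outstanding password is stored, a leaked database does not hand out usable PINs, and because the challenge is consumed on the first attempt, a captured response is worthless afterwards. What it does not do is bind the challenge to a session or an action, so a site that relays the encrypted block to the victim in real time can still get the answer typed into it; putting a description of the action being authorised inside the encrypted block would at least let the user see what they are about to confirm.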
Title: Re: Make PGP use mandatory and replace PIN with encrypted one time passwords
Post by: VHSplayer on August 14, 2013, 10:39 pm
I think your idea about the encrypted one time passwords is a great idea! I'm not sure how hard that would be to implement, but I think people here would agree that it would be highly beneficial for security.

As for making PGP mandatory, I do not agree with that. Sure, most people use it and it is a great tool in keeping communication truly private. However, it is an individual's choice if they want to use it or not. If someone is willing to compromise their own well-being because they do not choose to use it, so be it - that is their decision.
Title: Re: Replace PIN with PGP-encrypted one-time passwords
Post by: kybzmsrf on August 16, 2013, 05:47 pm
Quote from: VHSplayer
As for making PGP mandatory, I do not agree with that. Sure, most people use it and it is a great tool in keeping communication truly private. However, it is an individual's choice if they want to use it or not. If someone is willing to compromise their own well-being because they do not choose to use it, so be it - that is their decision.

Well any vendor choosing not to use PGP doesn't put his own but his customers' security at risk.
I myself wouldn't order from any vendor who doesn't provide a PGP key, because they very likely don't take security seriously in other matters as well. But there are people here who might at some point be forced to order from a vendor despite risking their security in the process. When you're addicted to drugs that come with major, potentially dangerous physical withdrawal you might not have a choice. Imho vending on the Road comes with the responsibility of providing the maximum security possible. And using PGP comes with a VERY reasonable amount of work!

I totally get your point, for me it's just that there's a huge gap between the values of saving 15 seconds of your time for de-/encrypting a PGP message and the risk of losing your freedom. Especially when the people whose freedom you put at risk make you a shitload of money.

Have a great weekend guys! :)