Silk Road forums
Discussion => Security => Topic started by: Muric on September 01, 2011, 06:19 am
-
I'm still working away at encyption and anonymity on the silkroad. ive managed, after several attempts, to get a private messaging account with TOR and can create public and private key blocks using PGA. Ive managed to send a few emails back and forward(to myself) with the keys and open them at the arrival account using the key. How do you use TOR PM with PGA. Can I use the public key block from an email account to encrypt my TOR PM's or do i have to create one specifically for TOR and if so, how do you create the key.
Also, how do you change your user name and password on silkroad, and the email address, etc on your profile. Posted most of this message on the technical support forum for over 24 hours. six views, no replies Does the option to change identity on TOR affect your identity on silkroad or the forums. Excuse my lack of knowledge but i want to get all this shit right b4 purchasing anything. keen to get shopping!!!! My Tor PM username is Radical2011 if u'd rather contact me that way. I've completely secured my firefox browser and just use ie for the normal stuff like facebook, you tube and non onion searches.
-
I'm still working away at encyption and anonymity on the silkroad. ive managed, after several attempts, to get a private messaging account with TOR and can create public and private key blocks using PGA. Ive managed to send a few emails back and forward(to myself) with the keys and open them at the arrival account using the key. How do you use TOR PM with PGA. Can I use the public key block from an email account to encrypt my TOR PM's or do i have to create one specifically for TOR and if so, how do you create the key.
Also, how do you change your user name and password on silkroad, and the email address, etc on your profile. Posted most of this message on the technical support forum for over 24 hours. six views, no replies Does the option to change identity on TOR affect your identity on silkroad or the forums. Excuse my lack of knowledge but i want to get all this shit right b4 purchasing anything. keen to get shopping!!!! My Tor PM username is Radical2011 if u'd rather contact me that way. I've completely secured my firefox browser and just use ie for the normal stuff like facebook, you tube and non onion searches.
OK, I'll bite...
PGP (GPG4win) has nothing to do with TOR. TOR anonymizes your LOCATION (IP address), not the traffic you're sending. SO, if you're connecting to a site through TOR, you should still use encryption and not send sensitive information. If you're connecting to .onion address, like SL or this Forum, encryption is not required, since TOR already encrypts traffic between all TOR relays.
Here's what you want to do:
Install Vidalia Bundle from tor site. This will permanently install Tor and the supporting stuff, and it will start Tor automatically.
Then, install FireFox, and the TorButton. Configure TorButton to start FireFox in TOR mode by default! Make https://check.torproject.org/ your default homepage, JUST TO BE SURE.
Install GPG4Win, and use the GPA (Gnu Privacy Assistant). It will ask you to create a new certificate (Set of keys, one public, one private). Create one. It will ask for email address, create an email account on TorMail ( http://jhiwjjlqpyawmpjx.onion/ ) and use that email in your certificate (it will integrate into Thunderbird nicely this way, and you will be able to send encrypted/signed emails straight from your desktop using an app rather than slow ass website).
BACKUP your key by right clicking on it (it will have the double yellow/blue icon next to it) and selecting Backup. Set your owner trust of that key to ULTIMATE (again, right click "set owner trust")... all this is done using GPA. Kelopatra sucks monkey ballz BTW, don't waste time.
Now you should have a pair of keys (certificate) and a corresponding email account.
Right click on your key again, select Export Keys. THIS WILL EXPORT THE PUBLIC KEY ONLY. Save to a file. THIS IS THEY KEY YOU GIVE OTHERS. THEY USE IT TO ENCRYPT MESSAGES TO YOU.
If you want to send an encrypted message to someone, you first have to import their key: copy the entire text of a key block into a file. Got to GPA, Menu: Keys=>Import Keys. Select the file. Now you'll see a new key in GPA with ONE BLUE KEY ICON next to it. That means you only have a public key. This is what you want.
CLick in menu: Windows -> Clipboard. Type a message in the window that shows up. CLick File->Encrypt. Select the key of a person you want to encrypt to. Your message will be replaced with encrypted version of it. Copy that, and send it to that person's email, or SL message, etc.
If you want to test your setup here's my public key and me tor mail email. Import the key, send me an encrypted message (DON'T forget to include YOUR public key in it). send it to gallanonim1115@tormail.net
I'll send you a reply, encrypted with your public key. I can explain setting up PGP in Thunderbird later. For now just install it and follow configuration instructions here: http://jhiwjjlqpyawmpjx.onion/help.html
AGAIN, DO NOT USE TOR BROWSER BUNDLE, it sucks for a desktop / laptop setup. Install vidalia bundle (without tor button, it will be an option in the installer). then install Firefox and the tor button using the button's website. This will start up tor automatically and it will be easier to setup other apps to use Tor, and you will not have to remember to start Tor everytime you want to use it.
My key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)
mQENBE5DFpMBCAC0KYqhWVGnyabpTF8EixdFUX9DThJIxFE7Z+ji0sjBdAVWs0we
tfKwEbF+1hITbkxVv0S2Y/krhktrCsG5YPf4uXmqqFP7Kqx4q6/aM0S8n7cwWlGJ
hoMG9sUgAV5Dq1JMx8D2jwXrlzAh4dhFeErQ9AEkYBzTF0AkZH7mOnqTjhQSfKJs
4+Mwyj5NpEYBsT0M2FbgHYCaVCaMLFWzNdUOICvb+yWbYUAo1b51v6qa1NxyXasm
lizDUzouCAfCPtgGpNpyGh7dkK57wY/6zkiJbDqSN9YilFMB6fOOWoRY+BK0jzF3
45M2dIoTWng8dUP3DUK8j3v+BldtwRblkTYpABEBAAG0KEdhbGwgQW5vbmltIDxn
YWxsYW5vbmltMTExNUB0b3JtYWlsLm5ldD6JATgEEwECACIFAk5DFpMCGw8GCwkI
BwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEIILNXQpfGbpzPEH/1/SgYuzp01gefmr
AqwHVAeYPtA3FRC5XZfBFYkf5fxR1Zi40yp+9Sl3l4MUlEHpihtCU9ADRhpZaqSN
k/HEesZEb9pWRuINTnd4Ib+aJMNXa3WGOhGXmFg+skXJlR3e6bRR9cumsaZEb8B4
ugitg2jyVm3X+Ib9zdp1An4w8G3cy8aAa/kryOmTW0Zb/bZ2Opja5OsPpHoOl7FQ
mQk3Vjwd26qPF/LIl47B/5Trzl2wGaicXmUar5Ry2QwnsMByf2wJkalqUYCyYrNX
kQ+9Yw7zllLJwB4+CXxcALGdtKiYHnsa8YigmrvsekaV2YVgzMtOQroyq9Oewydo
hwgRgm0=
=th8L
-----END PGP PUBLIC KEY BLOCK-----
-
Thanks, I'll be in touch in a day or so. Again thanks for the info.
-
Everyone here says that traffic is encrypted to SR, but then Wikipedia has this to say about onion routing:
http://en.wikipedia.org/wiki/Onion_routing#Weaknesses
Exit node sniffing: An exit node (the last node in a chain) has complete access to the content being transmitted from the sender to the recipient; Dan Egerstad, a Swedish researcher, used such an attack to collect the passwords of over 100 email accounts related to foreign embassies.[2] However, this weakness can be overcome by employing end-to-end encryption (that is, encryption between the sender and the recipient), such as SSL.
Is there something different about SR - some added level of security, or am I missing part of the picture?
-
...Is there something different about SR - some added level of security, or am I missing part of the picture?
SR operates as a Tor hidden service [ www.torproject.org/docs/hidden-services.html ]. Connecting with a hidden service does not require exiting the Tor network (to the "clearnet") as surfing to a non-Tor hidden service site would.
Traffic that *does* exit the Tor network -- as in researcher Dan's example -- can indeed be sniffed unless SSL/TLS (e.g., https) is in use.