Silk Road forums
Discussion => Newbie discussion => Topic started by: perplexedstapler on August 15, 2013, 10:01 pm
-
Question for the security and pgp experts here...
Let's say that you placed an international order and it got held up at customs, and the vendor announced a few weeks later that they had an issue with their shippers and many packages in the last few weeks were either the incorrect items or sent to the wrong customer.
The vendor then says that they will re-ship but you need to send your address again, and that they changed pgp keys due to getting a new computer (why they didn't export/import/backup somewhere I don't know).
Am I being paranoid or is the pgp change just a little sketchy?
Thanks in advance
-
I'm a newbie as well, but isn't the easiest way to just stop ordering from that vendor and wait to see what's going to happen?
-
Changing PGP keys by itself wouldn't really raise flags. It's also possible that his (or her) computer crashed and they lost all their data, including their pgp key. And if that's not backed up somewhere it's (as far as anyone is aware) impossible to determine the private key from a given public key. Admittedly my pgp key that I use here isn't backed up but my actual pgp key is backed up in like 3 places, including off site, and printed and kept in a fire safe. Actually I intentionally don't back up anything related to this account. Fortunately I've typed my passwords enough times I've started to remember them.
The rest of the story... I can't really say (my day job is with computers so I have a good understanding of that stuff). Perhaps other customers will come back and be like "yeah I still trust him" or "stay away from him" or something.
-
In the real world, the key is supposed to map to the sender's name and email address used; it's one way you can validate that the pgp message comes from the person sending it. If you want to change the name or the email address used to create the key, you can't, so you need to make a new key.
SR is slightly different because the messages are being sent from account to account, so you don't really need to validate the key to confirm identity (although I can think of some exceptions where vendors might want to validate the key against previously held keys).
Keys can expire and in some cases they should. The older the key, the more chance that it's easier to crack, so periodically changing your key and upgrading the encryption makes sense.
In this case though I'd say it's because of the tormail problem the other week and the vendor has just created a new key with their new details.
However, the account may have been captured by LE and they've created a new key so they can nail all those unwary souls who order through them. Pick your option depending on your level of paranoia. ;)
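The post above lists the two cases a key change can fall into (a routine new key, or an account now in someone else's hands). The standard way to tell them apart is key continuity: before retiring a key, its owner signs a short statement with the old key naming the new key's fingerprint, and anyone who saved the old key can verify that statement. When no such statement exists (the "lost it in a crash" story), the new key is simply unverified until the fingerprint is confirmed another way. The following is an added example written for this page, not code from the thread or from any Silk Road tooling; it assumes the Python `cryptography` package, uses Ed25519 keys in place of PGP keys, and the statement layout and function names are the example's own.

```python
"""Key-continuity check for a correspondent who announces a new key.

Added example, not from the thread.  The OLD key signs a statement naming the
NEW key's fingerprint; a client that pinned the old key verifies it locally.
No statement (old key lost) => the new key stays UNVERIFIED.  Assumes the
`cryptography` package; Ed25519 keys stand in for PGP keys, and the statement
format and function names are this example's own choices.
"""
import hashlib
import json
from typing import Optional, Tuple

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def fingerprint(pub: Ed25519PublicKey) -> str:
    """Hex digest of the raw public key: the value a user pins and compares."""
    raw = pub.public_bytes(serialization.Encoding.Raw,
                           serialization.PublicFormat.Raw)
    return hashlib.sha256(raw).hexdigest()


def _payload(body: dict) -> bytes:
    # Canonical encoding so signer and verifier sign/verify identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_transition_statement(old_priv: Ed25519PrivateKey,
                              new_pub: Ed25519PublicKey) -> dict:
    """What a key owner publishes BEFORE retiring the old key."""
    body = {
        "purpose": "key-transition",
        "old": fingerprint(old_priv.public_key()),
        "new": fingerprint(new_pub),
    }
    return {"body": body, "sig": old_priv.sign(_payload(body)).hex()}


def check_new_key(pinned_pub: Ed25519PublicKey,
                  new_pub: Ed25519PublicKey,
                  statement: Optional[dict]) -> Tuple[str, str]:
    """Classify a newly presented key against the key pinned for this sender.

    Returns (verdict, reason); verdict is UNCHANGED, VERIFIED, UNVERIFIED or REJECT.
    """
    pinned_fp = fingerprint(pinned_pub)
    new_fp = fingerprint(new_pub)
    if new_fp == pinned_fp:
        return "UNCHANGED", "presented key matches the pinned key"
    if statement is None:
        return ("UNVERIFIED",
                "key changed with no transition statement; "
                "confirm the new fingerprint out of band before trusting it")
    body = statement.get("body", {})
    # The statement must bind exactly the pinned key to exactly this new key;
    # a statement naming some other 'old' key proves nothing about continuity.
    if (body.get("purpose") != "key-transition"
            or body.get("old") != pinned_fp
            or body.get("new") != new_fp):
        return "REJECT", "statement does not bind the pinned key to the presented key"
    try:
        pinned_pub.verify(bytes.fromhex(statement.get("sig", "")), _payload(body))
    except (InvalidSignature, ValueError):
        return "REJECT", "transition statement is not signed by the pinned key"
    return "VERIFIED", "new key is endorsed by the pinned old key"


def demo() -> dict:
    """Run the situations a recipient can face; all keys are generated locally."""
    vendor_old = Ed25519PrivateKey.generate()
    vendor_new = Ed25519PrivateKey.generate()
    pinned = vendor_old.public_key()          # what the recipient saved earlier
    results = {}
    # 1. Nothing changed.
    results["same_key"] = check_new_key(pinned, pinned, None)
    # 2. Planned rotation: the old key signs for the new one.
    stmt = make_transition_statement(vendor_old, vendor_new.public_key())
    results["rotation"] = check_new_key(pinned, vendor_new.public_key(), stmt)
    # 3. Old key lost (the crash story): new key, no statement.
    results["lost_key"] = check_new_key(pinned, vendor_new.public_key(), None)
    # 4. Someone else holds the account and forges a statement with a key they
    #    control, editing the body to claim the pinned fingerprint as 'old'.
    impostor = Ed25519PrivateKey.generate()
    forged = make_transition_statement(impostor, vendor_new.public_key())
    forged["body"]["old"] = fingerprint(pinned)
    results["forged"] = check_new_key(pinned, vendor_new.public_key(), forged)
    return results


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:9s} {verdict:10s} {reason}")
```

The verdict that matters for the situation in this thread is the third one: a new key with no statement signed by the old one is not evidence of fraud, but it is not evidence of continuity either, and the only thing that upgrades it is confirming the fingerprint through a channel the account itself does not control.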
-
In this case though I'd say it's because of the tormail problem the other week and the vendor has just created a new key with their new details.
However, the account may have been captured by LE and they've created a new key so they can nail all those unwary souls who order through them. Pick your option depending on your level of paranoia. ;)
These were the exact two scenarios I was trying to decide between :)
It would be easier if the vendor hadn't had any other problems such as "shippers they use screwing up many of the orders in the past 3-4 weeks and needing to resend all or many of those orders."
-
very interesting
-
I'd be wary that the account had been taken over.
Wait and see.