Silk Road forums
Support => Technical support => Topic started by: mazzarmazzar on July 30, 2012, 04:29 pm
-
Is Privnote safe to use? Haven't tried it, just wanted to check first.
-
No it ain't.
-
How come?
-
No it's not. You have no proof they actually delete the messages; it's unlikely that they do, for legal reasons. (Say you sent someone a message saying you had his kids and wanted money, the FBI would need access.)
However, it's more secure than using a PGP message on its own.
-
You have to TRUST them that they are doing their job to make it secure. Do you trust them? It could be the greatest honeypot on Tor. Remember Hushmail.
-
Thanks for bringing this up, I was curious about the same. And as stated, there's probably no way messages are deleted. I wouldn't put it past certain groups to set something very similar up. All it would take is a bit of SEO work, and bam, it's popular. I know a few who use SR, and they do not take the needed precautions. As for myself, I am just now forcing myself (yes, I'm usually lazy) to learn such things as encryption. Just started to use a USB with Tor. And I just finished moving nearly 1 TB worth of stuff to an external drive. It's funny how sloppy one can get when one gets too comfortable.
-
Thanks for bringing this up, I was curious about the same. And as stated, there's probably no way messages are deleted. I wouldn't put it past certain groups to set something very similar up. All it would take is a bit of SEO work, and bam, it's popular. I know a few who use SR, and they do not take the needed precautions. As for myself, I am just now forcing myself (yes, I'm usually lazy) to learn such things as encryption. Just started to use a USB with Tor. And I just finished moving nearly 1 TB worth of stuff to an external drive. It's funny how sloppy one can get when one gets too comfortable.
Yep, and it's funny how the tiny things you didn't think were important from ages ago are the things that trip you up. It's never the big mistakes that trip you up, always the little ones.
-
Thanks for bringing this up, I was curious about the same. And as stated, there's probably no way messages are deleted. I wouldn't put it past certain groups to set something very similar up. All it would take is a bit of SEO work, and bam, it's popular. I know a few who use SR, and they do not take the needed precautions. As for myself, I am just now forcing myself (yes, I'm usually lazy) to learn such things as encryption. Just started to use a USB with Tor. And I just finished moving nearly 1 TB worth of stuff to an external drive. It's funny how sloppy one can get when one gets too comfortable.
Yep, and it's funny how the tiny things you didn't think were important from ages ago are the things that trip you up. It's never the big mistakes that trip you up, always the little ones.
Exactly. It's like using torrents, another good example. Everyone I know who uses them refuses to protect themselves as best they can. "Millions of people... they won't catch me!"
And I'm the paranoid freak because I offer to install the programs and show them how to use them properly. ::)
-
No it's not. You have no proof they actually delete the messages; it's unlikely that they do, for legal reasons. (Say you sent someone a message saying you had his kids and wanted money, the FBI would need access.)
However, it's more secure than using a PGP message on its own.
What do you mean it's more secure than using a PGP message on its own? Sending the PGP message over PrivNote?
From my investigation of PrivNote, its default key generation algorithm is pretty weak and semi-possible to guess, albeit difficult, due to a long-standing open issue with Firefox. The fact that it's entirely client-side JavaScript makes it a bit more robust than it gets credit for, though.
The idea of PrivNote being a honeypot seems a bit out there to me, but who knows. I can say that at the time I inspected the traffic, PrivNote never had the decrypted text, as the encryption is done entirely client-side, and the key is never transmitted to their servers. Using the script I have below, it would be nearly impossible for PrivNote to ever decrypt your text without the hash in the URL or AES-256 being broken.
A while ago, for the hell of it, I created a GreaseMonkey script that greatly enhances the security of PrivNote by strengthening the key generation. But I'd still highly recommend GPG over PrivNote.
http://dkn255hz262ypmii.onion/index.php?topic=30328
TL;DR Join Pine's PGP Club, or message me and I'll gladly help you with your GPG/PGP problems and get you on your way to better encryption.
-
Yes, I meant send the PGP message through Privnote. The only reason I said this was because I guess it gives you the added security that the message is deleted straight away and not viewable by anyone, and since it's PGP encrypted, even if Privnote did keep the messages it would be worthless to them.
I've seen people accidentally post their private keys here, and it wouldn't be too hard to add one to my keychain, then get access to their account and read all their messages; it's happened before.
No it's not. You have no proof they actually delete the messages; it's unlikely that they do, for legal reasons. (Say you sent someone a message saying you had his kids and wanted money, the FBI would need access.)
However, it's more secure than using a PGP message on its own.
What do you mean it's more secure than using a PGP message on its own? Sending the PGP message over PrivNote?
From my investigation of PrivNote, its default key generation algorithm is pretty weak and semi-possible to guess, albeit difficult, due to a long-standing open issue with Firefox. The fact that it's entirely client-side JavaScript makes it a bit more robust than it gets credit for, though.
The idea of PrivNote being a honeypot seems a bit out there to me, but who knows. I can say that at the time I inspected the traffic, PrivNote never had the decrypted text, as the encryption is done entirely client-side, and the key is never transmitted to their servers. Using the script I have below, it would be nearly impossible for PrivNote to ever decrypt your text without the hash in the URL or AES-256 being broken.
A while ago, for the hell of it, I created a GreaseMonkey script that greatly enhances the security of PrivNote by strengthening the key generation. But I'd still highly recommend GPG over PrivNote.
http://dkn255hz262ypmii.onion/index.php?topic=30328
TL;DR Join Pine's PGP Club, or message me and I'll gladly help you with your GPG/PGP problems and get you on your way to better encryption.
-
GPG uses two-factor authentication; a private key on its own is relatively useless.
Until you see them post their private key accidentally in a forum post or message, and then their public key is in their signature or in one of those PGP threads. It does happen, you'd be surprised; PGP is very complicated for some people.
-
lolwut? The public key can be derived from the private key anyway; the second authentication factor is the password, since the armored private key is symmetrically encrypted with it.
Yeah, so then use their username as the password, or 123456, or silkroad, or even brute-force it, and hey presto.
-
Picking a shitty password is user error, not a failing of GPG.
Yeah, of course, but loads of people do it. It's human nature. The amount of threads I've seen with people saying:
"boo hoo I got hacked"
"what was your password?"
"my name.... :'("
Also, phishing happens a lot to the domain on Wikipedia etc.
-
I've seen people accidentally post their private keys here, and it wouldn't be too hard to add one to my keychain, then get access to their account and read all their messages; it's happened before.
Like Shannon mentioned, it isn't really a failing of PGP if somebody accidentally posts their private key and their passphrase isn't secure. If you are following best practices and create a master keypair and two subkeys for encrypting and signing, then if you accidentally post your private key you could easily revoke the cert. Most people use their master key, and when that is compromised you are boned.