Silk Road forums

Discussion => Newbie discussion => Topic started by: perplexedstapler on August 15, 2013, 10:01 pm

Title: should i be alarmed if a vendor changes their pgp key?
Post by: perplexedstapler on August 15, 2013, 10:01 pm
Question for the security and pgp experts here...

Let's say that you placed an international order and it got held up at customs, and the vendor announced a few weeks later that they had an issue with their shippers and many packages in the last few weeks were either the incorrect items or sent to the wrong customer.

The vendor then says that they will re-ship but you need to send your address again, and that they changed pgp keys due to getting a new computer (why they didn't export/import/backup somewhere I don't know).

Am I being paranoid or is the pgp change just a little sketchy?

Thanks in advance
Title: Re: should i be alarmed if a vendor changes their pgp key?
Post by: CityWok on August 15, 2013, 10:48 pm
I'm a newbie as well, but isn't the easiest way to just stop ordering from that vendor and wait to see what's going to happen?
Title: Re: should i be alarmed if a vendor changes their pgp key?
Post by: dotgoat on August 15, 2013, 11:02 pm
Changing PGP keys by itself wouldn't really raise flags.  It's also possible that his (or her) computer crashed and they lost all their data, including their pgp key.  And if that's not backed up somewhere it's (as far as anyone is aware) impossible to determine the private key from a given public key.  Admittedly my pgp key that I use here isn't backed up but my actual pgp key is backed up in like 3 places, including off site, and printed and kept in a fire safe.  Actually I intentionally don't back up anything related to this account.  Fortunately I've typed my passwords enough times I've started to remember them.

The rest of the story... I can't really say (my day job is with computers so I have a good understanding of that stuff). Perhaps other customers will come back and be like "yeah I still trust him" or "stay away from him" or something.
Title: Re: should i be alarmed if a vendor changes their pgp key?
Post by: abby on August 15, 2013, 11:30 pm
In the real world, the key is supposed to map to the sender's name and email address used; it's one way you can validate that the pgp message comes from the person sending it.  If you want to change the name or the email address used to create the key, you can't, so you need to make a new key.

SR is slightly different because the messages are being sent from account to account, so you don't really need to validate the key to confirm identity (although I can think of some exceptions where vendors might want to validate the key against previously held keys).

Keys can expire and in some cases they should.  The older the key, the more chance that it's easier to crack, so periodically changing your key and upgrading the encryption makes sense.

In this case though I'd say it's because of the tormail problem the other week and the vendor has just created a new key with their new details. 


However, the account may have been captured by LE and they've created a new key so they can nail all those unwary souls who order through them.  Pick your option depending on your level of paranoia. ;)
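The two scenarios abby lays out (legitimate new key versus a captured account) are exactly what a key-continuity check is for: record the fingerprint you verified last time, and treat a replacement key as trustworthy only if the old key vouches for it. The script below is an added example for this thread, not code from the forum or from any vendor. It parses the machine-readable records that `gpg --with-colons --list-sigs` prints (the column layout is GnuPG's, documented in its doc/DETAILS file); the key listings, fingerprints and the `vendor@example.invalid` identity are constructed for illustration and are not real keys. A replacement key that carries no certification from the previously pinned key, which is the "lost my key with the old computer" situation in the question, lands in the manual-verify bucket: confirm the fingerprint over a second channel before sending anything to it.

```python
"""Key-continuity check for a correspondent who announces a replacement PGP key.

Added example, not from the forum thread. Parses `gpg --with-colons --list-sigs`
output (GnuPG's record layout); the sample records below are constructed.
Policy: unchanged fingerprint -> fine; replacement certified by the old key ->
accept as a rollover; replacement with no link to the old key -> verify the
fingerprint out of band before use; unknown correspondent -> pin on first use.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class KeyRecord:
    keyid: str                       # long key id (last 16 hex digits of the fpr)
    fingerprint: str = ""
    uids: List[str] = field(default_factory=list)
    certifiers: Set[str] = field(default_factory=set)  # key ids that signed a uid


def parse_colon_listing(text: str) -> List[KeyRecord]:
    """Parse colon-separated gpg records. Field 5 (index 4) is the key id;
    field 10 (index 9) is the fingerprint on `fpr` records and the user id on
    `uid` records; field 11 (index 10) on `sig` records is the signature class,
    where classes 10..13 are user-id certifications."""
    keys: List[KeyRecord] = []
    current: Optional[KeyRecord] = None
    prev = ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        f = raw.split(":")
        rtype = f[0]
        if rtype == "pub":
            current = KeyRecord(keyid=f[4].upper())
            keys.append(current)
        elif rtype == "fpr" and current is not None and prev == "pub":
            # fpr directly after `pub` is the primary key; fpr after `sub` is a subkey.
            current.fingerprint = f[9].upper()
        elif rtype == "uid" and current is not None:
            current.uids.append(f[9])
        elif rtype == "sig" and current is not None and len(f) > 10:
            if f[10][:2] in ("10", "11", "12", "13"):
                current.certifiers.add(f[4].upper())
        prev = rtype
    return keys


def assess_key_change(pinned_fpr: Optional[str], candidate: KeyRecord,
                      expected_uid_fragment: str) -> Tuple[str, str]:
    """Return (verdict, reason) for a candidate key, given the fingerprint
    pinned at the last verification (None if this correspondent is new)."""
    if not any(expected_uid_fragment in uid for uid in candidate.uids):
        return "reject", "no user id on the candidate key names the expected identity"
    if pinned_fpr is None:
        return "pin-new", "first key seen for this correspondent; pinned without verification"
    pinned_fpr = pinned_fpr.upper()
    if candidate.fingerprint == pinned_fpr:
        return "unchanged", "candidate matches the pinned fingerprint"
    if pinned_fpr[-16:] in candidate.certifiers:
        return "accept-rollover", "new key is certified by the previously pinned key"
    return "manual-verify", ("new key is not signed by the old key; confirm the "
                             "fingerprint through a second channel before using it")


# Constructed sample data (not real keys). Old pinned key id: 6666777788889999;
# replacement key id: ABCDABCD12345678.
PINNED_OLD_FPR = "0000111122223333444455556666777788889999"
UID = "Vendor Example <vendor@example.invalid>"
SAMPLE_ROLLOVER = f"""\
pub:u:4096:1:ABCDABCD12345678:1376611200:1439683200::u:::scESC::::::23::0:
fpr:::::::::ABCDABCDABCDABCDABCDABCDABCDABCD12345678:
uid:u::::1376611200::0000000000000000000000000000000000000000::{UID}::::::::::0:
sig:::1:ABCDABCD12345678:1376611200::::{UID}:13x:::::8:
sig:::1:6666777788889999:1376611200::::{UID}:10x:::::8:
sub:u:4096:1:1234123412341234:1376611200:1439683200:::::e::::::23:
fpr:::::::::1234123412341234123412341234123412341234:
"""
# The same replacement key announced without any signature from the old key.
SAMPLE_NO_CROSSSIG = "\n".join(
    line for line in SAMPLE_ROLLOVER.splitlines() if "6666777788889999" not in line)

if __name__ == "__main__":
    for label, listing in (("cross-signed rollover", SAMPLE_ROLLOVER),
                           ("unsigned replacement", SAMPLE_NO_CROSSSIG)):
        key = parse_colon_listing(listing)[0]
        verdict, reason = assess_key_change(PINNED_OLD_FPR, key, "vendor@example.invalid")
        print(f"{label}: {key.fingerprint} -> {verdict} ({reason})")
```

In practice the pinned fingerprint would come from a small local file keyed by the account name, and the listing from running gpg against the newly announced key after importing it. The signature-class filter matters: a self-signature from the new key proves nothing about continuity, so only a certification whose signer id equals the old key's id counts as a link between the two.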



Title: Re: should i be alarmed if a vendor changes their pgp key?
Post by: perplexedstapler on August 16, 2013, 06:45 am
In this case though I'd say it's because of the tormail problem the other week and the vendor has just created a new key with their new details. 


However, the account may have been captured by LE and they've created a new key so they can nail all those unwary souls who order through them.  Pick your option depending on your level of paranoia. ;)

These were the exact two scenarios I was trying to decide between :)

It would be easier if the vendor hadn't had any other problems such as "shippers they use screwing up many of the orders in the past 3-4 weeks and needing to resend all or many of those orders."
Title: Re: should i be alarmed if a vendor changes their pgp key?
Post by: bigbadwolff on August 16, 2013, 08:41 am
very interesting
Title: Re: should i be alarmed if a vendor changes their pgp key?
Post by: stiggs on August 16, 2013, 04:20 pm
I'd be wary that the account had been taken over.
Wait and see.