Silk Road forums
Discussion => Security => Topic started by: barmanon on July 22, 2011, 11:05 pm
-
Apologies for making a new topic when there are similar ones out there, but I have a pretty specific question I didn't see answered in the other threads, and I didn't want this post lost in there...
Anywho -- I'm wondering if someone can provide some help regarding the use of PGP keys. I've gotten far enough that I've got my key pair and a public key to provide others. I've imported the keys of some SR users I'd like to contact... I'm on a Mac using GPG Keychain Access.
My actual problem is that I'm not seeing how to actually send secure messages to these users. My understanding is that I need a mail app... am I needing to set something up in Thunderbird or another client? What am I missing about sending and receiving messages? I seem to have gotten everything else.
My secondary concern is that I still don't really know how secure each of these is in relation to each other... Is Hushmail secure enough to use on Tor at the Hushmail site? Is PGP somehow used in conjunction with Hushmail or other e-mail services?
What about SR messaging? Can you send encrypted messages over SR at all? How is one really safer than the other since this is all on Tor anyway?
As always, your help is appreciated.
-
I spent 2 days banging my head against the wall trying to get PGP to work with my Mac. It can be done and there are a lot of people here that have gotten it to work properly. Yes, you have to do everything in the mail client: encrypt, decrypt. You don't have to actually send the encrypted/decrypted copy, though.
I found it easier to get VirtualBox going and Windows. It was much easier. Took me about an hour to get everything set up. There are how-tos to help you here. They are somewhere in the threads.
Good luck.
-
Hushmail was proven to be insecure a few years back when they took down a steroid supplier domestically. Basically if LE can compel them to show your mail, which they are able to see themselves already.
Hushmail uses PGP, but it wasn't a flaw in PGP, it was something else. If you Google it, it might be able to explain better. Some sort of backdoor thing, I think.
Chronic, that answers a question I was curious about: you have to use a mail program to encrypt your plain text, then you just copypasta it over to the PM and clear the mail (not send it, just use the app as an encryptor)?
-
I'm on a Mac and the GPG keychain access is a simple and great program.
Here's the "bundle" program download: http://www.gpgtools.org/ Take a look, if you have all this already installed (quite possible from what you've written) then proceed to next step.
Here is probably what is confusing you, I think it cost myself and chronicpain both about 2 days each: you can use your regular Mail app already on your Mac. You are only going to type the message on a "new message" template, then SELECT THE WHOLE THING, which is tremendously important because: IF YOU DON'T THE FUNCTIONS YOU NEED ARE INVISIBLE. Not greyed out, or unselectable, they actually don't show up at all; like they're missing. One of the great anachronisms of PGP.
Once you have the message typed on the "new message" template AND ALL COPY/PASTE SELECTED go to:
Mail>Services>PGP encrypt. At the "pgp encrypt" level menu you will see all the other functions as well: decrypt, import key, sign, verify, etc etc.
Try it out and see if you can get a message to encrypt. If so, then we can proceed from there...
As for Hushmail and Tor: Hushmail uses an encryption system, but ONLY INTERNALLY. So, when you send a message to another Hushmail user, it's encrypted, but NOT with PGP or any other unbreakable cipher. AND...best of all...Hushmail has a policy where they don't even require LE to get a warrant. The DEA just goes to Hushmail, politely tells them which accounts they want to see, and Hushmail shows them to them. This is not anecdotal information. I went thru this process with Hushmail in 2005.
As long as you use PGP whenever you are transmitting sensitive info over a Tor network or the clearnet, the gov't can't break it. If they could, I am sure they would have way back when they had a bunch of folks they wanted to see their files. Basically, if you refuse to give them your passkey phrase, they are SOL as far as PGP messages go.
-
I don't use mail apps: I bounce between Windows 7 and Linux...right now I'm using Debian. If you *want* to use a mail app, you can...but I just encrypt the message as a document and post it that way. Hell, in GPA--rather than Kleopatra--I just use the clipboard, type up my message and encrypt it...then I can copy/paste it to PMs or email or whatever I want...if you're talking specifically email, there are some cool mail apps to use it with, but again: easier for me to just type up as doc, no matter what key manager I'm using...not sure if this is what you are asking, but since everybody is talking about mail apps, and your question sounded a bit more general...
If you post your public key here, we could send you some msgs you could decrypt...or post our public keys...is that what you are asking, or do you specifically want the email apps, as they include provisions for doing it within the program itself...but again, I just encrypt it and paste it, no matter how I'm sending...