User Controls

Site Feature: PGP Keys

  1. #1
    Lanny Bird of Courage
    You know what's a good idea? PGP signing/encryption. Not only is it useful to you because it allows you to be sure neither I nor anyone else is snooping on your PMs or fraudulently editing your posts, but it's also beneficial to us as a society to have infrastructure in place for secure communication. By the nature of key exchange waiting until you need secure communication is waiting too long, if you wait to establish a secure communication channel until your medium is compromised then it will be impossible to do secure key exchange afterwards.

    For the moment I've added the feature of allowing users to add their PGP public key to their user profile where other users can record it and subsequently use it to verify signed content and send encrypted private messages. Actual encryption/decryptions/verification/signing needs to be done by you as there are good reasons why you don't want to trust my code to do that kind of thing. Right now the only thing that NiS does is facilitate key exchange by allowing you to list your public key on your user profile.

    As such, using PGP crypto will require a little setup. The appropriate software to use differs by platform, there are a number of implementations available which are all interoperable but I'll list the the most popular ones here:

    Windows
    Gpg4win
    Download: https://gpg4win.org/download.html
    Getting Started: https://www.deepdotweb.com/2015/02/21/pgp-tutorial-for-windows-kleopatra-gpg4win/

    OSX
    GPG Suite
    Download: https://gpgtools.org/
    Getting Started: https://www.deepdotweb.com/2015/02/20/pgp-tutorial-os-x/

    Linux
    GPG (common package names are "gpg" and "gnupg")
    Download: Your distro's package manager
    Getting Started: https://www.gnupg.org/gph/en/manual/c14.html

    A super quick rundown of the ideas involved:

    "signing" is the process of adding information to a piece of content that anyone can read such that others who know your public key can verify that it has not been tampered with. This prevents tampering but does not prevent anyone from reading the message. Signing your posts on the public boards is probably what you want to do: everyone can read your posts but I or the CIA or hackers or whoever can't edit your post without it subsequently failing verification.

    "encryption" is the process of taking a message destined for one or a few known recipients and making it unreadable to anyone except those recipients. This is what you want to do when using PMs as the forces that be will be unable to either manipulate or read your message.

    Signing is a process done with your private key, verification is done by others with your public key to ensure you're actually the author of the message. Encryption is a process done with your recipient's public key, the recipient decrypts your message with their secret key.

    As always I want to point out what this process means in terms of trust and what kind of evil things I'm able to do. When you exchange keys over NiS you need to be convinced that the public key you list is the key that others receive, and likewise that the keys you collect from other posters are really their keys. I can "man in the middle" the exchange to some extent, accepting your public key but then distributing my own key to others and this would allow me to eavesdrop on you. I'm working on a way to help detect if this kind of thing is happening (essentially a list of all keys which you can download to verify your own key is faithfully transmitted and detect if anyone else's key as changed). You can still do key exchange through channels outside of NiS and there's nothing wrong with that, I'm simply putting this option out there for ease of use or for those who think the service is trustworthy today but may be compromised in the future (which is the use-case I'm usually thinking about).

    It's not a very sophisticated system and there are plenty of sharp corners in remaining in the user experience. Going forward I'll be looking at things like making signing more cosmetically palpable (hiding signature/encryption headers/footers until a user initiates verification), potentially something like automatic signing/verification and encryption/decryption but to be even remotely secure it would have to be implemented though userscripts or browser extensions. But the central thing I'd urge is to generate a key and record other people's keys now, keeping a record of public keys in a place I can't manipulate them (on your computer) is a big step to limiting the amount of useful information I can be compelled to turn over.

    P.S. I only tested the key submission form with keys my tools produced and wasn't able to find any clear format specification for keyfiles, if your software is producing output and you're not able to submit it on your profile page let me know.
    The following users say it would be alright if the author of this post didn't die in a fire!
  2. #2
    aldra JIDF Controlled Opposition
    nice, but that's a long post about adding a text field to our user profiles

    ps. IF YOU USE PGP FOR TOR MARKETPLACES OR ANYTHING OF QUESTIONABLE LEGALITY DO NOT POST THAT KEY HERE. GENERATE A NEW ONE.
    The following users say it would be alright if the author of this post didn't die in a fire!
  3. #3
    Cootehill African Astronaut [my unsymmetrically blurry oregano]
    Originally posted by aldra ps. IF YOU USE PGP FOR TOR MARKETPLACES OR ANYTHING OF QUESTIONABLE LEGALITY DO NOT POST THAT KEY HERE. GENERATE A NEW ONE.

    Goddam, that's a good point.
  4. #4
    aldra JIDF Controlled Opposition
    genuinely surprised it bothers validating
  5. #5
    Rock_N_Rollover African Astronaut [my obsessively old-time raunch]
    Just fix the timeless edit function. Three minute max.


    Hell, I just went back and edited my very first post here.
  6. #6
    aldra JIDF Controlled Opposition
    that's fine, the posts get marked as edited so people know it's been changed

    I tihnk you have a timeout of 5 minutes or so after you create the post to be able to update it without getting the EDIT footer attached
  7. #7
    Lanny Bird of Courage
    Originally posted by aldra nice, but that's a long post about adding a text field to our user profiles

    Yeah, it is. Like I said, pretty unsophisticated at the moment but I'm looking to build out some more features around it, but it serves as a talking point to motivate people to exchange keys in any case.

    Originally posted by aldra genuinely surprised it bothers validating

    I figured there was like a 99% chance it was going to be used for some stupid meme-y shit if I just let it be free text entry.
  8. #8
    benny vader YELLOW GHOST
    Originally posted by Rock_N_Rollover Just fix the timeless edit function. Three minute max.


    Hell, I just went back and edited my very first post here.

    this is exactly why you people need to be balkanized inside a special subforum specially made for you and your people.
  9. #9
    aldra JIDF Controlled Opposition
    Originally posted by Lanny I figured there was like a 99% chance it was going to be used for some stupid meme-y shit if I just let it be free text entry.

    in the immortal words of Tom Jones,

    "you weeeeen, but I have MORE CHALLENGE"
  10. #10
    Rock_N_Rollover African Astronaut [my obsessively old-time raunch]
    Originally posted by benny vader this is exactly why you people need to be balkanized inside a special subforum specially made for you and your people.

    Cool.

    Just keep your bitch ass out and we'll be fine.
  11. #11
    Cootehill African Astronaut [my unsymmetrically blurry oregano]
    You need to implement some text-overflow for that content - it overflows my phone screen.

    https://www.w3schools.com/cssref/tryit.asp?filename=trycss3_text-overflow

    Copy to clipboard would also be nifty.
    https://www.w3schools.com/howto/howto_js_copy_clipboard.asp
  12. #12
    mmQ Lisa Turtle
    How important is this for me to do, objectively?
  13. #13
    Great work Com-Lan!

    Now further fortify the Sputnigger with 2-FA (if you would, kindly) and we will be IMPENETRABLE upon approach of the Mongolvoid.


    (It's probably unpractically difficult to implement on a BBS tho)
  14. #14
    I'm doing this wrong more than likely, but I'm copy pasting my key into the text field and it's saying invalid submission, that it's expecting an armoured entry..?
  15. #15
    aldra JIDF Controlled Opposition
    Originally posted by DietPiano Now further fortify the Sputnigger with 2-FA (if you would, kindly) and we will be IMPENETRABLE upon approach of the MONGOLVOID!!


    (That's probably unpractically difficult to implement on a BBS tho)

    it's actually pretty easy, doubt anyone would actually use it though
  16. #16
    aldra JIDF Controlled Opposition
    Originally posted by DietPiano I'm doing this wrong more than likely, but I'm copy pasting my key into the text field and it's saying invalid submission, that it's expecting an armoured entry..?

    gpg --list-keys


    find your personal key in the list, take not of name (uuid)

    gpg -a --export uuid


    the -a flag creates an 'armored' version of the key because the raw key will have invalid characters in it
  17. #17
    Lanny Bird of Courage
    Originally posted by DietPiano I'm doing this wrong more than likely, but I'm copy pasting my key into the text field and it's saying invalid submission, that it's expecting an armoured entry..?

    There's actually a good chance that I made the validation too strict, I'm not 100% sure what is and isn't permitted so if you have anything that isn't B64 or newline characters following the header then it will reject it. Can you post or PM me your key?
  18. #18
    Madman African Astronaut
    Lanny is asking for private keys, take note.
  19. #19
    benny vader YELLOW GHOST
    Originally posted by Lanny There's actually a good chance that I made the validation too strict, I'm not 100% sure what is and isn't permitted so if you have anything that isn't B64 or newline characters following the header then it will reject it. Can you post or PM me your key?

    i used the key you posted in your OP and it says its invalid.
  20. #20
    Lanny Bird of Courage
    Originally posted by benny vader i used the key you posted in your OP and it says its invalid.

    I didn't post a key in my OP tho?
Jump to Top