Unpopular Opinion: PGP is Overrated and Misused by 90% of People Here : CafeDread | Torhoo darknet markets
So my buddy — we’ll call him “Captain Darknet” — thought he was the king of Opsec. He’d encrypt every message with PGP like he was smuggling CIA secrets.
He even signed his feedback like anyone cared:
-----BEGIN SIGNED MESSAGE-----
“10/10 stealth, will buy again”
-----END PGP SIGNATURE-----
Bro was encrypting his thank yous. But here’s the plot twist:
He was doing it all from his Android phone...
On public Wi-Fi at Starbucks...
Using some random free PGP app from the Play Store… with ads.
No VPN. No Tor. Just vibes.
Vendor got busted. Now he’s wondering if GCHQ is going to decrypt his order history or just laugh themselves into retirement.
Listen, I’m not saying PGP is useless. It’s not.
But if your idea of OpSec is “encrypting dumb shit” while using Telegram and Google Drive, you’re not safe —
You’re just decorating your coffin with base64.
---
✅ Want real OpSec?
Head to
https://torhoo.cc/go.php?u=TDJRdmIzQnpaV009# and actually learn how to protect yourself before you end up as the subject of one of these posts.
PGP is great.
Your hygiene? Probably trash.
Change my mind.
It's interesting feature Kleopatra by default would encrypt for yourself the messages you write to the other party. I would say that shouldn't be the default state at all. While it's great for being able to follow up on conversations a feature like that would render any future implementation of PFS useless.
Come to think of it I don't know any other PGP software that does this by default and I haven't actually seen this discussed anywhere on Dread. Definitely something people should be mindful of.
In some conversations signing and encrypting to your self and others has the benefit that you can decrypt, and also show receivers that you are the sender.
When sending sensitive information like names and addresses it's not wise to sign and encrypt to your self, plausible deniability flies out of the window, you have stamped it with your "fingerprint".
It's kind of obvious when it comes to signing. As for encrypting to yourself, there's a couple of strategies to mitigate the risk. One is to create a short-lived, separate encryption key that you don't expose anywhere online. Encrypt your own messages with it so you can read them later without exposing yourself as a recipient (and probable author). Another way is to hide recipient fingerprints with the "--throw-keyids" option, so they can't be harvested for metadata analysis. Both these methods won't cover a seizure-level threat model. But it could be enough for buyers.
of course a newly generated random session key would be needed for every new trade
This would be difficult for darknet though. Part of why PGP is popular here is because we can do the encryption ourselves, from open-source software. We can't trust the market to automatize things for us. That being said it could make sense for a concerned buyer to use throwaway accounts and keys for each buy. A private key is definitively an identifying feature. It doesn't sound that useful to stick with it only for reviewing orders.