Protecting Yourself: Using PGP to Verify Our Identity
Unscrupulous scammers or competitors may hack our website or set up spoofed websites and claim to be us.
To combat this, we have included our PGP Public Key in every one of our automatic emails to you, such as those updating you on the status of your order.
This guide explains what PGP is and how to use it to verify our identity, and describes alternative, less secure methods for verification within your browser.
What is PGP?
PGP, or Pretty Good Privacy, is a data encryption and decryption program that provides cryptographic privacy and authentication for data communication. It uses a combination of hashing, data compression, symmetric-key cryptography, and public-key cryptography to secure the contents of emails and other forms of communication. By using PGP, you can verify the identity of the sender and ensure that the message has not been tampered with.
How to Use PGP to Verify Our Identity
- Obtain Our PGP Public Key: Every email from us includes our PGP Public Key. Save this key to your PGP software or key manager. This key is crucial because your PGP software uses it to check the digital signatures that authenticate our communications.
- Install a PGP Tool: To use PGP, you’ll need a compatible tool such as GnuPG, Kleopatra, or an OpenPGP add-on for your email client. These tools are available for most operating systems and are usually free to download.
- Import Our Public Key: Once you have the PGP tool installed, import our public key. This step allows your PGP tool to use our key to verify messages you receive from us.
- Verify Our Emails: When you receive an email claiming to be from us, use your PGP tool to verify the signature of the email. This involves using our public key to check that the message truly originates from us and has not been altered. If the verification is successful, the PGP tool will confirm the authenticity of the email.
- Look for Warnings: If the PGP tool shows a warning or error, this indicates that either the signature was not made with our key or the message has been altered. In such cases, do not trust the content of the email, as it may not be from us.
By following these steps, you can ensure that the communications you receive are genuinely from us and have not been tampered with by third parties. PGP provides a robust method of securing our communications and maintaining trust between us and our customers.
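One way to carry out the "Verify Our Emails" and "Look for Warnings" steps from a terminal with GnuPG, as an added example that is not part of the original guide: it accepts a message only when GnuPG reports a valid signature from a fingerprint you recorded earlier from an email you know was genuine, so a spoofed email that carries its own key is rejected. The fingerprint value, the file names and the function names are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example. One-time setup, done with an email you know is genuine:
#   gpg --import vendor-key.asc      # vendor-key.asc: assumed file name
#   gpg --fingerprint                # record the 40-hex-digit fingerprint
# PLACEHOLDER value below, not a real key fingerprint.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Reads GnuPG "[GNUPG:] ..." status lines on stdin and prints a verdict.
# Returns 0 only if a VALIDSIG line names the pinned fingerprint and no
# failure keyword was reported.
check_status() {
    awk -v pinned="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "NO_PUBKEY" ||
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = $2 }
        $2 == "VALIDSIG" {
            # Field 12, when present, is the primary key fingerprint;
            # field 3 is the fingerprint of the key that made the signature.
            fpr = (NF >= 12) ? $12 : $3
            if (toupper(fpr) == toupper(pinned)) { ok = 1 } else { other = fpr }
        }
        END {
            if (bad != "")   { print "REJECT " bad; exit 1 }
            if (ok)          { print "TRUSTED"; exit 0 }
            if (other != "") { print "REJECT unpinned-key " other; exit 1 }
            print "REJECT no-signature"; exit 1
        }'
}

# Verifies a saved clear-signed message, e.g.: verify_email message.asc
verify_email() {
    gpg --batch --status-fd 1 --verify "$1" 2>/dev/null |
        check_status "$PINNED_FPR"
}
```

The check reads GnuPG's status lines rather than its on-screen text because the status keywords are the interface GnuPG provides for scripts.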
Less Secure Alternatives: Online PGP Verification
For those who prefer a less secure but more convenient alternative, you can verify our PGP signatures directly within your web browser using online PGP tools. While these methods are not as secure as using dedicated software due to potential risks associated with online tools, they can be useful for quick verifications when no sensitive data is involved. Here’s how you can verify our identity using online PGP options:
Use a Trusted Online PGP Service:
- Websites like Keybase, PGPKeyCheck, or OnlinePGP.com offer browser-based PGP tools.
- Go to one of these sites and look for the “Verify Signature” or “Decrypt/Verify” options.
Copy Our PGP Public Key:
- Ensure you have our correct PGP Public Key from one of our templated emails.
- These online tools will often have a section where you can paste or upload the public key.
Paste the Email Content and Signature:
- Copy the email or message content and the PGP signature from the email you want to verify.
- Paste them into the designated fields on the PGP verification tool’s webpage.
Verify the Signature:
- Click the “Verify” button on the website.
- The tool will compare the signature with the provided message using our PGP Public Key.
- If the message is authentic, the tool will confirm that the message is signed by us and has not been altered.
Caution When Using Online Tools
Trustworthiness of the Service: Always use reputable and well-known online PGP services. Check reviews or community feedback to ensure the tool is widely trusted.
Avoid Sensitive Data: Since the verification happens on a third-party server, do not use this method for verifying highly sensitive or confidential information. These services are best used for non-sensitive communications.
Potential Risks: Be aware that online verification tools can be compromised, or your data could be intercepted. For higher security, always prefer local PGP software on your device.
Online PGP tools offer a balance of convenience and functionality, making them a good choice for quick identity verification tasks. However, they should not replace more secure methods when dealing with sensitive communications. By using these methods, you can help protect yourself from potential scams and ensure that the communications you receive are truly from us.