Two checks before I type a Nexus password
Both take under a minute and both have caught something for me at least once. If you only pick one, the captcha match is the faster one, and it is what stops most attempts. The PGP path is what makes the captcha check trustworthy in the first place.
When you land on the Nexus login, there is a captcha image between you and the password field. Somewhere inside that image, the operator paints the current onion address. Read those letters. Compare them to what is in your URL bar. If both strings match, character for character, you are on a mirror the operator wanted you to be on. If they do not, close the tab.
This works because a phishing clone cannot easily regenerate a fresh captcha with the fake onion painted into it in real time. Most clones bake one static image and never touch it. The address inside their captcha stays the real one even while the URL bar shows the fake one, which is exactly what the check catches.
Every time the primary onion moves, the operator publishes a signed message with the new address. You verify that signature against the operator's public key. If it validates, the new address is trustworthy, and you save it. If it does not, the message is fake and the address inside is worthless.
Concrete steps.
- Save the operator public key into a file called
nexus.asc. Import once withgpg --import nexus.asc. - Save the signed announcement into
rotation.txt. Include the whole envelope fromBEGIN PGP SIGNED MESSAGEtoEND PGP SIGNATURE. - Run
gpg --verify rotation.txt. You want a line that saysGood signature. - Compare the onion inside the message to what you were about to bookmark. Match wins, mismatch means the address does not belong on any list.
You import the operator key one time. After that, every future rotation gets verified against the key already in your ring. No forum, no directory and no chat handle can force a fake address on you once you have the key on file.