Author Topic: Good list of Marketplace features we should have.

Vespco

  • Administrator
  • Newbie
  • Posts: 16
Good list of Marketplace features we should have.
« on: December 22, 2017, 06:44:01 PM »
I found this list and think it has provided some rather good suggestions for features of a privacy preserving marketplace. I've copied the features from the list that I think apply to developing annularis.

https://www.reddit.com/r/DNMSuperlist/wiki/superlist/market-listing-criteria

  • You must implement 2-of-3 Multi-Signature.

  • No JavaScript on your market, except for warning users to disable JS if they have it enabled. If the user has enabled JavaScript while visiting your main page, he must be shown a warning to set the security slider of the Tor browser to high, along with a short description of how to do it.

  • Users have to set their public PGP key on their profile before they can make their first order.

  • You must offer all users 2FA with PGP. It has to be enforced for all vendors.

  • The PGP encrypted messages used for 2FA must contain a phrase similar to: 'Only valid for <all valid market addresses>' along with the default random passcode. If 2FA is set, the users should not be able to circumvent it and must always be required to enter their password and the decrypted PGP passcode. Furthermore, the encrypted 2FA passcode can only be valid for one login.

  • When a vendor wants to change his PGP key, he has to sign it with his old one. You can also display this signature publicly for users so they can check themselves that the vendor signed his new key with his old one.

  • Buyer and seller accounts are different. Buyer accounts cannot become vendor accounts.

  • The order notes, or whatever the message to the vendor is called on your market in which the customer sends his address to the vendor he is buying from, must be PGP encrypted by the user. If it is not, reject the message and tell the user that he has to encrypt his address as well as other sensitive data before sending it and link him to guides on how to properly do it. The checking can easily be done by looking at the beginning of the message and checking if it is the default string of PGP encrypted message (i.e. '-----BEGIN PGP MESSAGE-----').

  • Delete private messages and order details after a certain time period (not longer than 2 months).

  • Use of CSS to prevent reloading pages for small clicks. For example realize some functions like collapsing or expanding a box with CSS instead of reloading the entire page with every click.

  • For country drop-down lists: put, for example, the 3 most selected ones on top of the list and sort the rest alphabetically. That way a good chunk of users do not have to scroll down to "United States" for example.

  • Make page sizes as small as possible for quick loading.
« Last Edit: December 22, 2017, 06:48:19 PM by Vespco »

Keycart

  • Newbie
  • Posts: 2
Re: Good list of Marketplace features we should have.
« Reply #1 on: April 21, 2018, 11:37:36 AM »
The first time I read this list on reddit it was obvious the list was written by a person who heard something, somewhere, from someone, that included the word security. In effect, this list does absolutely nothing for security.

The current 2FA on the darknet markets isn't 2FA at all. It is still very easy for a Man-in-the-middle attack to succeed. Your standard phishing site still works without any issues. The only thing it does is take up valuable system resources, be annoying for the user, and give a false sense of security. Users may become complacent, which is very bad.

A simple and effective method to prevent/make it harder for accounts to be taken over is to have different User and Login names. And a simple PIN in order to make any changes to the account. Fairly similar to how it works on this very forum. PGP-keys expire, passwords get lost, shit happens. And they cannot be rebuilt like crypto-wallets. A simple PIN or secret phrase will only get lost if you have sudden specific amnesia, which is very unlikely to happen. ;)


Verifying if a message is PGP encrypted by searching for a string is wrong. It takes many system resources and accomplishes nothing. Users can simply copy/paste -----BEGIN PGP MESSAGE----- in front of their message. A better way would be to do an easy character count of the message, as every PGP message has a minimum number of characters, depending on key-bit size. Added benefit is that you can enforce minimum key strength.


There is no benefit in forcing accounts to be Buyers or Vendors. Reputation is everything on the darknet, and not allowing a Vendor to buy something only creates opportunity for scammers/imposters.


A must have imo is a separate login url for the administrator. Preferably a random or custom one.

Forced logout after a while, say 1 hour or 30 mins. Mandatory for everyone, including Administrators.

There are certainly some more, and I could compile a proper feature list later. Which reminds me, is there a TODO, roadmap or Current/Future feature list somewhere? I couldn't find one.

Have a great day :)
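The two posts above disagree about how a market should verify that an order note is actually PGP encrypted: the reddit list suggests matching the '-----BEGIN PGP MESSAGE-----' prefix, and the reply points out that a user can paste that header in front of plain text. As an added example (not code from either poster or from the annularis project), the following Python parses the ASCII armor as RFC 4880 defines it: armor header lines, the base64 body, the optional CRC-24 checksum, and the first OpenPGP packet tag, which for an encrypted message should be an encrypted-session-key packet (tag 1 or 3). The `armor()` helper, the sample payload bytes and the sample messages are constructed for this example and are not real ciphertext.

```python
"""Structural validation of an OpenPGP ASCII-armored message (RFC 4880 s6).

Added example: instead of checking only for the '-----BEGIN PGP MESSAGE-----'
prefix, parse the armor (header lines, base64 body, CRC-24 checksum) and check
that the decoded bytes start with an encrypted-session-key packet.
The armor() helper and the sample inputs below are constructed for this example.
"""
import base64
import binascii
import re

CRC24_INIT = 0xB704CE          # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB
BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"
ESK_TAGS = {1, 3}              # public-key / symmetric-key encrypted session key packets


def crc24(data: bytes) -> int:
    """CRC-24 over the binary payload, as used by OpenPGP armor checksums."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def packet_tag(first_byte: int):
    """Return the OpenPGP packet tag encoded in a packet header byte, or None."""
    if not first_byte & 0x80:          # bit 7 is always set on a packet header
        return None
    if first_byte & 0x40:              # new-format header: tag in the low 6 bits
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F    # old-format header: tag in bits 2..5


def validate_pgp_message(text: str):
    """Return (ok, reason); ok is True only for a structurally valid armored
    message whose first packet is an encrypted-session-key packet."""
    lines = [ln.rstrip("\r") for ln in text.strip().split("\n")]
    if not lines or lines[0] != BEGIN:
        return False, "missing BEGIN line"
    if lines[-1] != END:
        return False, "missing END line"
    body = lines[1:-1]
    # Armor headers such as 'Version: ...' run until the first blank line.
    i = 0
    while i < len(body) and body[i] != "":
        if not re.fullmatch(r"[A-Za-z0-9-]+: .*", body[i]):
            return False, "malformed armor header line"
        i += 1
    data_lines = body[i + 1:] if i < len(body) else []
    if not data_lines:
        return False, "no base64 body"
    checksum = None
    if data_lines[-1].startswith("="):  # optional '=XXXX' CRC-24 line
        checksum = data_lines.pop()[1:]
    try:
        raw = base64.b64decode("".join(data_lines), validate=True)
    except (binascii.Error, ValueError):
        return False, "body is not valid base64"
    if not raw:
        return False, "empty payload"
    if checksum is not None:
        try:
            expected = int.from_bytes(base64.b64decode(checksum, validate=True), "big")
        except (binascii.Error, ValueError):
            return False, "malformed checksum line"
        if expected != crc24(raw):
            return False, "CRC-24 mismatch"
    tag = packet_tag(raw[0])
    if tag not in ESK_TAGS:
        return False, f"first packet tag {tag} is not an encrypted session key"
    return True, "ok"


def armor(payload: bytes) -> str:
    """Wrap a binary payload in PGP armor with its CRC-24 (constructed helper)."""
    crc = crc24(payload).to_bytes(3, "big")
    b64 = base64.b64encode(payload).decode()
    wrapped = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
    return f"{BEGIN}\n\n{wrapped}\n={base64.b64encode(crc).decode()}\n{END}\n"


# Constructed sample: a new-format PKESK packet header (tag 1, 0xC1) with a
# dummy 4-byte body. Structurally shaped only; not real ciphertext.
SAMPLE_PAYLOAD = bytes([0xC1, 0x04, 0x03, 0xAA, 0xBB, 0xCC])
GOOD_MESSAGE = armor(SAMPLE_PAYLOAD)
# The bypass described in the reply: header pasted around a plain-text address.
FORGED_MESSAGE = f"{BEGIN}\n\n123 Example Street\n{END}\n"
# Valid armor around data that is not an OpenPGP packet at all.
TEXT_MESSAGE = armor(b"hello")
# Payload byte altered after the checksum was computed.
TAMPERED_MESSAGE = GOOD_MESSAGE.replace(
    base64.b64encode(SAMPLE_PAYLOAD).decode(),
    base64.b64encode(SAMPLE_PAYLOAD[:-1] + b"\xcd").decode())

if __name__ == "__main__":
    for name, msg in [("good", GOOD_MESSAGE), ("forged", FORGED_MESSAGE),
                      ("text", TEXT_MESSAGE), ("tampered", TAMPERED_MESSAGE)]:
        print(name, validate_pgp_message(msg))
```

The check is still cheap (one base64 decode and a 24-bit CRC over a short note), and it rejects the pasted-header trick, non-base64 bodies, corrupted checksums and armored data that does not begin with an encrypted-session-key packet. It does not prove the ciphertext is for the vendor's key; that would require parsing the PKESK key ID and comparing it with the key on the vendor's profile.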

Vespco

  • Administrator
  • Newbie
  • Posts: 16
Re: Good list of Marketplace features we should have.
« Reply #2 on: May 03, 2018, 02:25:00 PM »
Thanks for the in-depth look, I would love to hear your additional thoughts on how to improve security/privacy/etc.

I disagree about some of your points, and when I get the time I will further elaborate on it.