I found this list and think it has provided some rather good suggestions for features of a privacy-preserving marketplace. I've copied the feature list that I think applies to developing annularis.

The first time I read this list on reddit it was obvious the list was written by a person who heard something, somewhere, by someone which included the word security. In effect, this list does absolutely nothing for security.

The current 2FA on the darknet markets isn't 2FA at all. It is still very easy for a man-in-the-middle attack to succeed. Your standard phishing site still works without any issues. The only thing it does is take up valuable system resources, annoy the user, and give a false sense of security. Users may become complacent, which is very bad.

A simple and effective method to prevent/make it harder for accounts to be taken over is to have different User and Login names. And a simple PIN in order to make any changes to the account. Fairly similar to how it works on this very forum. PGP-keys expire, passwords get lost, shit happens. And they cannot be rebuilt like crypto-wallets. A simple PIN or secret phrase will only get lost if you have sudden specific amnesia, which is very unlikely to happen. ;)

Verifying if a message is PGP encrypted by searching for a string is wrong. It takes many system resources and accomplishes nothing. Users can simply copy/paste -----BEGIN PGP MESSAGE----- in front of their message. A better way would be to do an easy character count of the message, as every PGP message has a minimum number of characters, depending on key-bit size. An added benefit is that you can enforce minimum key strength.

There is no benefit in forcing accounts to be Buyers or Vendors. Reputation is everything on the darknet, and not allowing a Vendor to buy something only creates opportunity for scammers/imposters.

A must have imo is a separate login url for the administrator. Preferably a random or custom one.

Forced logout after a while, say 1 hour or 30 mins. Mandatory for everyone, including Administrators.

There are certainly some more, and I could compile a proper feature list later. Which reminds me, is there a TODO, roadmap or Current/Future feature list somewhere? I couldn't find one.

Have a great day :)
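The PGP point above prompted this added example (my own code, not from the thread or from annularis): rather than searching for a substring, it checks the ASCII armor structure defined in RFC 4880, verifies the CRC24 trailer, and inspects the first packet's tag, so only a message that actually starts with an encrypted-session-key packet is accepted. The sample message is constructed for the demonstration; the packet contents are dummy bytes.

```python
import base64
import re
# Armor grammar per RFC 4880 s6.2: BEGIN line, optional "Key: value" headers,
# a blank line, base64 body lines, "=" followed by a 4-char CRC24, END line.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP MESSAGE-----\r?\n(?:[^\n]*:[^\n]*\r?\n)*\r?\n"
    r"([A-Za-z0-9+/=\r\n]+?)\r?\n=([A-Za-z0-9+/]{4})\r?\n-----END PGP MESSAGE-----"
)

def crc24(data: bytes) -> int:
    """CRC-24 as specified in RFC 4880 s6.1 (init 0xB704CE, poly 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def check_pgp_message(text: str) -> tuple[bool, str]:
    """Return (accepted, reason); accept only a well-formed armored message
    whose first packet is an encrypted-session-key packet."""
    m = ARMOR_RE.search(text)
    if not m:
        return False, "no well-formed armor block"
    try:
        body = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return False, "body is not base64"
    if crc24(body) != int.from_bytes(base64.b64decode(m.group(2)), "big"):
        return False, "CRC24 mismatch"
    if not body or not body[0] & 0x80:
        return False, "first byte is not a packet header"
    # Tag sits in bits 0-5 (new format, bit 6 set) or bits 2-5 (old format).
    tag = body[0] & 0x3F if body[0] & 0x40 else (body[0] >> 2) & 0x0F
    if tag not in (1, 3):  # 1 = public-key ESK, 3 = symmetric-key ESK
        return False, f"first packet has tag {tag}, not an encrypted-session-key packet"
    return True, "ok"

def armor(body: bytes) -> str:
    """Build an armored message (used here only to construct sample input)."""
    b64 = base64.b64encode(body).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(body).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP MESSAGE-----\n\n{lines}\n={crc}\n-----END PGP MESSAGE-----\n"

# Constructed sample: old-format PKESK packet header (tag 1) with dummy contents.
FAKE_PKESK = bytes([0x84, 12, 3]) + b"\x11" * 8 + b"\x01\x00\x00"
```

A message whose armor body starts with a literal-data or compressed packet is rejected even though it is valid PGP output, which is the intended behaviour for a field that must contain ciphertext.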

Thanks for the in-depth look, I would love to hear your additional thoughts on how to improve security/privacy/etc.

I disagree about some of your points, and when I get the time I will further elaborate on them.