Onion Market - the newest shit-tier low-effort marketplace to hit the darknet

Market link for those who haven't seen this abomination yet

Here are my problems with Onion Market.

First off, I went to the marketplace approximately 3 hours after it was first posted on reddit, and it was already in "maintenance mode" which was unsettling for the security of the market, to say the least.

Then after a while it was functioning, so I signed up and poked around a bit and saw a few other startling things. From their FAQ:

Does Onionshop use an escrow system?

No. Even though escrow is favourable when dealing with low-reputation vendors, it brings more problems than it solves. There will always be the possibility that those funds get lost or stolen, which has happened over and over in the past. In cases of good vendor/buyer relationships, there is no point in parking the coins on a less trustworthy spot in the middle. That is why Onionshop doesn't hold any coins at all; the customer transfers the specific amount directly to the vendor's BTC address. Onionshop automatically keeps track of incoming payments and assigns them to the particular order, but without having access to the funds.

So apparently multisig was too hard to code? Even a traditional escrow was too hard to code? NO. EFFORT. AT ALL. Also, consider this: the site takes a fee out of all orders placed on-site. So how do they make you pay that fee without doing it automatically through escrow? They use the fucking honor system. ARE YOU SHITTING ME RIGHT NOW?!

How does Onionshop assure data security?

The best way of keeping data safe is not storing any readable data in the first place. While many customers use PGP anyway, Onionshop automatically encrypts the address info of those who don't use it. Not a single address is stored in plaintext on our server. Even for messages, Onionshop provides a convenient way to auto-encrypt if desired, diminishing the threat of leaking data even more. The fact that Onionshop doesn't hold the bitcoins also makes it less of a target for hackers or federal investigators.

What they're basically saying is "yeah, send your unencrypted address to our server! We promise we'll encrypt it, no need for you to take any steps for your own safety!" This attitude is toxic and promotes irresponsible behavior. The address is encrypted server-side, and the server admins can see it before it's encrypted and stored if they so choose.

Also, they make no effort to force you to use PGP. On one page, you can message the admins and you have the option to encrypt it. (As far as I know, they don't actually list their public keys anywhere, either. So you have to use their shitty in-built encryption.) Pic

Their download section is also pretty awful, dangerous, and irresponsible. They created their own PGP tool and recommend that you download an EXE from an onion site and run it on your home computer. And they fail to mention that there are already dozens of tools out there that are purpose-built for PGP, instead pushing their own shady looking tool on you. They do, however, include the source, but no MD5s to prove that the .exe listed is the same one the source code creates.

On top of their abysmal security practices, the admin also seems to be rude, unhelpful, and speaks rather unprofessionally. Here are some pics. In the last one it also seems he can't even stop his site from being taken down, lol.

Another thing I noticed while navigating this site was that there was nowhere I could put a PGP key in. Maybe I just missed it (which, if I did, goes to show how hard this site is to navigate) but either way, not cool.

The marketplace itself, like, the product browser, isn't bad. It's really big and, like a lot of other things on the site, clunky and hard to use though. Although, when you consider there's no escrow on site, it's totally fucked anyway.

The last thing I'm gonna list here (until I find more shitty aspects of their site to bitch about) is the fact that they have a clearnet site, onionmarket.org. I know many of you don't frown upon this, but personally, I definitely do. Much like their policies on message encryption, they seem rather lax in their security.

tl;dr Onion Market is a disgrace, and it is the opinion of me and my lawyers that the head admin should sodomize himself with a retractable baton

Edit: Looks like I was right, he can't code for shit. 1 2


Comments


[15 Points] None:

I started laughing at the *.exe file.


[10 Points] Dunavo:

I luffs chu.


[9 Points] Trappy_Pandora:

This is a good post.


[5 Points] blackkklabel:

Dude, I don't have to have any knowledge of the darknet? Where do I sign up?!

Sounds like a scam site aimed to target the newbz coming in that don't want to learn or can't understand how the darknet works... I bet 0.035 BTC that he's actually selling a variety of onions on his market... trololol


[1 Points] None:

[deleted]


[2 Points] HappyShibe-:

ehhehehehe


[0 Points] obsidianchao:

I wish I could upvote this post more, seriously.


[1 Points] None:

I am an Internet Accredited lawyer and I support DOZENS_OF_BUTTS' message. I am also a doctor.


[1 Points] g0_west:

I don't think it's a fair point to bitch about them having server-side encryption; if they kept everything in cleartext it would be so much worse.


[-3 Points] _gotwild_:

I created an account just to upvote this


[-9 Points] Onionshop-org:

Well, as they say, there is no such thing as bad feedback; I will have to thank you for the influx of new users caused by your thread. Even though you FUD a lot, you seem to have put a lot of effort into your investigation of OS, and I respect that, so I took the time to reply to your concerns.

First off, I went to the marketplace approximately 3 hours after it was first posted on reddit, and it was already in "maintenance mode" which was unsettling for the security of the market, to say the least.

How does this say anything about security?

So apparently multisig was too hard to code? Even a traditional escrow was too hard to code? NO. EFFORT. AT ALL.

We believe traditional escrow is shit; I wonder how many times marketplace owners need to fuck with people's escrow until this becomes common sense. If you are dealing with trusted vendors, direct BTC transfer is the safest and smoothest way to make the payment, with no trust needed in the marketplace at all. We have had about 400 transactions to this day, total count of scams: 1 (we stayed in close contact with the customer to support him as best as we could and banned the vendor's ass after we smelled his shit). Even feedback below five stars can be counted on one hand. Shit runs smooth no matter what your opinion on FE is. We are not against escrow in general and will probably implement an escrow system of some sort in the future, as an optional feature for vendors, but we don't see a big urge to hurry with that.

We have the AMVD database integrated to further provide safety and transparency about the vendors who are with us and to distinguish between new vendors and the reputable ones. We will soon close open vendor registration and will only allow vendors to register if they have a good history, to diminish scamming to a minimum.

Also, consider this: the site takes a fee out of all orders placed on-site. So how do they make you pay that fee without doing it automatically through escrow? They use the fucking honor system. ARE YOU SHITTING ME RIGHT NOW?!

Honor system? The fuck are you talking about? Vendors have an account balance, where fees are deducted from. They can make payments directly to their balance after the orders are processed, so no paying upfront. Pretty saaweet if you ask me.

What they're basically saying is "yeah, send your unencrypted address to our server! we promise we'll encrypt it, no need for you to take any steps for your own safety!" This attitude is toxic and promotes irresponsible behavior. The address is encrypted serverside and the server admins can see it before it's encrypted and stored if they so choose.

Well, what we were actually trying to say is "yeah, we know most of y'all don't use PGP, so we implemented a feature to at least encrypt those messages, too." We didn't emphasize enough that server-side encryption is still less safe than encrypting it yourself, though, so I'll give you this one and will update the FAQs. When you place an order, though, there is this text above the address field:

"address will be PGP-encrypted automatically, although we recommend you to encrypt it also by yourself to improve security. (link to Vendor PGP)"

So there's that.

Also, they make no effort to force you to use PGP. On one page, you can message the admins and you have the option to encrypt it. (As far as I know, they don't actually list their public keys anywhere, either. So you have to use their shitty in-built encryption.)

Another thing I noticed while navigating this site was that there was nowhere I could put a PGP key in. Maybe I just missed it (which, if I did, goes to show how hard this site is to navigate) but either way, not cool.

As a customer you can store your PGP key and use it for 2FA, and you are able to receive auto-encrypted messages. As a vendor you are forced to use PGP and verify it in the same process. No PGP, no vendor account. You are right that our public key is nowhere on the site; I thought about it a couple of times but didn't get a chance yet. Will do it ASAP, though. STILL.. those who wanted to message us encrypted just asked for the key; you can talk to us, we are human.

Their download section is also pretty awful, dangerous, and irresponsible. They created their own PGP tool and recommend that you download an EXE from an onion site and run it on your home computer. And they fail to mention that there are already dozens of tools out there that are purpose-built for PGP, instead pushing their own shady looking tool on you. They do, however, include the source, but no MD5s to prove that the .exe listed is the same one the source code creates.

The download section hasn't any importance at all; that's why it has no section of its own and is buried somewhere in the FAQs.

Well, I know the download section is a bit misplaced on the site; which market needs a fkin download section anyway? I love my little PGP tool, though, so we didn't remove the section (although it's buried in the FAQs, so not even a real section). It's the only tool I know that is capable of decrypting a list of PGP messages at once, which can be a huge help, especially for vendors. If you find me another tool that can accomplish this, I'll be happy to dump my own one and put that on the site. I know that many people don't trust an exe (which is good), so I added the source to make it as transparent as possible. You're right, no MD5; I will supply it with the next update, if this unrustles your jimmies.

On top of their abysmal security practices, the admin also seems to be rude, unhelpful, and speaks rather unprofessionally.

rude: perhaps
unhelpful: now you're just assuming
unprofessional language: I'd rather have a staff throwing a "fuck you" once in a while than admins hiding behind formality talk or not making statements at all. Sorry if this offends anybody; to each their own, I guess.

The marketplace itself, like, the product browser, isn't bad. It's really big and, like a lot of other things on the site, clunky and hard to use though.

"clunky and hard to use" - come on brah be real for a second

The last thing I'm gonna list here (until I find more shitty aspects of their site to bitch about) is the fact that they have a clearnet site, onionmarket.org.

Bitcoinfog has, BMR had, and probably countless others too. Please name one scenario where this could become a problem.

Edit: Looks like I was right, he can't code for shit.

We give some tasks to external devs to push the development of OS and have our ideas implemented faster, not because we are not capable of coding ourselves.

tl;dr OP is a faggot

edit: formatting
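Both the original post's complaint about the missing checksum for the .exe and the admin's promise to add an MD5 with the next update come down to the same check: does the file you downloaded hash to the value the publisher listed? The following is an added example, not code from this thread or from Onionshop. It computes the digest of a download, compares it to the published value in constant time, and flags the case where only MD5 (or another collision-prone digest) was published, since a checksum the user cannot trust adds little. The sample bytes and the published-digest dictionary in the `__main__` section are constructed for the demonstration. Note what a matching hash does and does not prove: it shows the file is the one the publisher listed, not that the binary was built from the posted source; that would need a reproducible build or a signed release.

```python
import hashlib
import hmac

# Digests treated as collision-resistant for verifying a download.
# md5 and sha1 are deliberately excluded: collisions can be constructed for them.
STRONG_DIGESTS = {"sha256", "sha384", "sha512", "sha3_256", "sha3_512", "blake2b"}


def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory blob with the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def digest_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hex digest of a file on disk, read in chunks so large installers fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(data: bytes, published_hex: str, algorithm: str = "sha256") -> bool:
    """True if the data hashes to the published value; compared in constant time."""
    actual = digest_bytes(data, algorithm)
    return hmac.compare_digest(actual.lower(), published_hex.strip().lower())


def check_published_checksums(data: bytes, published: dict) -> dict:
    """Check a download against every digest the publisher listed.

    published maps algorithm name -> hex digest, e.g. {"md5": "...", "sha256": "..."}.
    Returns the per-algorithm results, whether only weak digests were offered, and an
    overall verdict that requires at least one strong digest and every listed digest
    to match.
    """
    matches = {}
    for algorithm, hexval in published.items():
        if algorithm not in hashlib.algorithms_available:
            matches[algorithm] = False  # unknown algorithm: cannot vouch for it
            continue
        matches[algorithm] = verify_digest(data, hexval, algorithm)
    strong_offered = [a for a in published if a in STRONG_DIGESTS]
    weak_only = not strong_offered
    ok = (not weak_only) and all(matches.values())
    return {"matches": matches, "weak_only": weak_only, "ok": ok}


if __name__ == "__main__":
    # Constructed sample standing in for a downloaded installer; not a real file.
    sample = b"example installer bytes (constructed sample)\n"
    listed = {"sha256": digest_bytes(sample), "md5": digest_bytes(sample, "md5")}
    print(check_published_checksums(sample, listed))
    # Only an MD5 listed: the bytes match, but the verdict stays False.
    print(check_published_checksums(sample, {"md5": digest_bytes(sample, "md5")}))
```

For a real download, call `digest_file` on the saved installer and pass the result through the same comparison; the published digest should come from a channel the download itself cannot alter, which is why a signed checksum file is preferable to a hash printed on the same page as the link.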