Auto market encryption

Is anyone out there verifying market encryption? Setting aside whether relying on the market to encrypt is a good idea, I thought it would be worthwhile to attempt verifying that markets are doing what they claim. This idea occurred to me when, within an encrypted message from a vendor, the .onion address had been stripped out while the rest of the message remained. (This means that message was being processed by a third party prior to being encrypted, which kinda diminishes the encryption value IMO.) I have no experience in this area, but just a spot check reveals some differences between messages handled by DHL and Hansa. I took a sample message from each market, decrypted it, re-encrypted it with the public key provided to the market, and compared.

DHL claims ADDER AutoEncrypt v2.8.11. Message provided by the server is 1,292 bytes vs 577 bytes.

Hansa claims version GnuPG v1. Message provided by the server is 1,080 bytes vs 1,088 bytes.

Hm... The message that DHL encrypted seems to have something going on. As a test, I took the plaintext DHL message and encrypted it with both my public key and the vendor's public key: 1,377 bytes (vs 1,292 b). Close! Different implementations of PGP lead to different results, muddying the waters here, but it looks good to me. Another test: I took a message I had sent to a vendor and tried to decrypt it. Success! They had encrypted my plaintext with both parties' public keys! Interesting, I don't recall this being disclosed at all. I'm sure there is a substantial amount of penetration testing with the ultimate goal of personal gain, but have there been any tests done on market encryption? I would like to see markets disclose the exact configuration they use for peer review, but I also chase rainbows and sunshine. Hansa's "GnuPG v1" is most likely a manually set tag rather than a true indication of configuration, but has anyone verified this and publicly posted? Using improperly implemented encryption is worse than no encryption at all, as the falsely increased sense of security leads to altered behaviors (for instance sending your address and personal information in the belief that only the vendor can see it).


Comments


[3 Points] Morvu:

Isn't it a rule to never use the markets' built-in encryption functions?


[2 Points] SLEvEnXVF4:

Why do they have it then? I think PGP should be enforced in order for anyone to place an order. I feel people who don't use PGP are just lazy and their opsec must be lazy all around.


[2 Points] DHL-1:

Very interesting yes.

We encrypt messages to both correspondents automatically so it is easier for somebody to see what he wrote the day before if needed.

But we strongly recommend encrypting any sensitive information yourself.

Here we explained our reasoning in the past: https://www.reddit.com/r/DarkNetMarkets/comments/4q8wum/are_markets_source_code_audited_or_can_it_be/

And especially here:

https://www.reddit.com/r/DarkNetMarkets/comments/4ixof0/whoever_does_the_security_at_darknet_heroes_is_an/

We use gnupg programmatically and not a PHP pgp library.

Let us know if you have further questions regarding this topic.


[1 Points] penile_implant:

Never encrypt using a market's built-in PGP. Always assume everybody is LE.

AlphaBay even recommends not using theirs.


[1 Points] DooshNozzzle:

I would be shocked if DHL is doing anything surreptitiously. Everything about their site is organized to prevent corruption and theft, from the ground up.

That being said, I still encrypt buyers' tracking #s, etc., with my local PGP software rather than depending on the market to encrypt it for me. I think that this is always a good idea.


[1 Points] iLoveDNM:

Putting aside whether or not the market is a malicious actor, having them encrypt also assumes they are competent. Misconfigurations through negligence or ignorance are a much more likely problem (for an average user to encounter) than malicious intent. A market can only exit scam once, but a compromised database in the hands of LEA worldwide... well, what is adequate today may not be next year (or week!!).

I'm not trying to debate whether it's a good idea (it's not) because the masses won't alter their behavior anyway. I'm wondering how we can verify what we're being shown.


[1 Points] SLEvEnXVF4:

I think PGP use should be a requirement for someone to place an order. Force its use and more people will learn how to use it, and we all will be a little safer. Ordering drugs through the mail should not be taken lightly and should not be easily available to lazy people not willing to take the proper precautions.


[1 Points] Theeconomist1:

It's NEVER a good idea. You can never guarantee that the market is NOT storing or logging your plain text before encryption. It's a convenience that should not be there IMO. It's bad practice. It does NOT matter if the other end comes out encrypted. You just passed sensitive info to an entity you cannot verify nor can you be sure isn't doing something with it. Always assume the worst and act accordingly. Do not ever rely on markets to do your encrypting. Ever.


[1 Points] None:

PGP takes literally five minutes to learn, I don't understand why people have problems with it. How lazy are these people? I think the markets need to remove the encryption buttons but they won't because they don't want to lose sales.


[1 Points] SLEvEnXVF4:

Yeah, but ppl are still gonna want their drugs, therefore being forced to learn PGP. Don't wanna learn it? Then go back to buying drugs on da streets.


[1 Points] exmachinalibertas:

You should just use

$ gpg --list-packets

on the message, and you can see how it's encrypted. Then you can decrypt it and see what has been altered.

Of course, none of that matters since you gave the cleartext message to the market and are just trusting that they didn't keep it.
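For readers who want to see what `gpg --list-packets` is reporting, here is an added example (not code from any commenter) that parses the OpenPGP packet headers of an armored message per RFC 4880 and lists the packet sequence plus the key IDs of every public-key-encrypted session key (PKESK) packet, which is exactly how one checks whether a message was encrypted to one key or to both parties' keys as the OP observed. The sample message at the bottom is constructed from dummy bytes (valid packet structure, not real ciphertext) so the parser runs offline; feed it real armored text from a file to use it for a real check.

```python
import base64, struct

# Packet tags and public-key algorithm ids from RFC 4880 (sections 4.3 and 9.1)
TAGS = {1: "PKESK", 3: "SKESK", 9: "SED", 18: "SEIPD"}
PK_ALGOS = {1: "RSA", 16: "ElGamal", 18: "ECDH"}

def dearmor(text):
    """Strip ASCII armor and return the raw packet bytes (the =CRC24 line is not verified)."""
    lines = text.strip().splitlines()
    start = lines.index("") + 1 if "" in lines else 1      # skip BEGIN line and armor headers
    b64 = "".join(l for l in lines[start:] if not l.startswith(("-----", "=")))
    return base64.b64decode(b64)

def parse_packets(data):
    """Walk the packet sequence, handling old- and new-format headers; return (tag, body) pairs."""
    pos, out = 0, []
    while pos < len(data):
        ctb = data[pos]; pos += 1
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                                    # new format: tag in the low 6 bits
            tag, first = ctb & 0x3F, data[pos]; pos += 1
            if first < 192: length = first
            elif first < 224: length = ((first - 192) << 8) + data[pos] + 192; pos += 1
            elif first == 255: length = struct.unpack(">I", data[pos:pos + 4])[0]; pos += 4
            else: raise ValueError("partial body lengths not supported")
        else:                                             # old format: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
            if ltype == 3: length = len(data) - pos       # indeterminate length: packet runs to end of data
            else: length = int.from_bytes(data[pos:pos + (1 << ltype)], "big"); pos += 1 << ltype
        out.append((tag, data[pos:pos + length])); pos += length
    return out

def packet_summary(armored):
    """(tag name, body length) per packet, roughly what gpg --list-packets prints."""
    return [(TAGS.get(t, str(t)), len(b)) for t, b in parse_packets(dearmor(armored))]

def recipients(armored):
    """Long key ID (hex) and algorithm of every PKESK packet: the keys that can decrypt this message."""
    return [(b[1:9].hex().upper(), PK_ALGOS.get(b[9], str(b[9])))
            for t, b in parse_packets(dearmor(armored)) if t == 1 and b[0] == 3]

# --- constructed sample message (dummy bytes, not real ciphertext) so the parser runs offline ---
def _old_pkt(tag, body):   # old-format header with two-octet length, as gpg emits for PKESK
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body
def _new_pkt(tag, body):   # new-format header with one-octet length (body under 192 bytes)
    return bytes([0xC0 | tag, len(body)]) + body
def _pkesk(keyid_hex):      # version 3, key ID, algorithm 1 (RSA), one dummy 128-bit MPI
    return _old_pkt(1, b"\x03" + bytes.fromhex(keyid_hex) + b"\x01" + b"\x00\x80" + b"\xA5" * 16)
SAMPLE = ("-----BEGIN PGP MESSAGE-----\n\n" + base64.b64encode(
    _pkesk("0123456789ABCDEF") + _pkesk("FEDCBA9876543210") + _new_pkt(18, b"\x01" + bytes(32))
).decode() + "\n-----END PGP MESSAGE-----\n")
```

Two PKESK packets in the output means two keys can decrypt the message; a single PKESK means only one. The key IDs are placeholders here, not real keys.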