No PGP auto-encryption as market listing criteria?

We /r/DNMSuperlist mods are discussing new market listing criteria which all new markets will have to fulfill to get on the superlist. If, when and how these will also be applied retroactively to currently listed markets [i.e. pushing existing markets to adopt the requirements too] has not been discussed yet, though.

One point is the auto PGP encryption that some markets provide. It is no secret that I am against it, but others raised concerns, such as that it would make new markets less attractive for users [due to the seemingly convenient auto-encryption feature that would be missing]. So we want to weigh up the pros and cons to determine whether it should be set as a requirement or not.

In the following are the possible cases I wrote up for the mod discussion, which describe what can happen when running a dnm and how it would play out with and without pgp auto-encryption [short: ae].

So please read through the post and comment on whether you think "no ae" should be listed as a requirement or not. Note: the following assumes that ae was flawlessly implemented.


Case A: everything works

The market does not get hacked or seized and everything works. As we all know, this does not continue forever and most markets end with drama [hack, exit scam or seizure], so it is rather a period of time until one of the cases below happens.

If users use ae, they are either safe or can be fucked royally by the market admins if those secretly copy the plain text before encrypting it. It may seem counter-intuitive, but we have seen many vendors collecting addresses too. So all ae users are at the mercy of the market admins.

Case B: market gets hacked and databases compromised

It happened several times in the past and will happen in the future. If the users had used ae, the messages would be encrypted. If they did not, they would obviously be in plain text, which is why we have to push users to follow the easy pgp tutorials and preach to always encrypt sensitive information.

However, the markets could [and should] encrypt all non-pgp messages anyway. This can be done for example with a hard-coded key and simple symmetric encryption [which is not performance-costly] in the market source code. Then an attacker would need to compromise the whole site, which is much harder, to get the content of the messages.

So this means a database leak should never leak unencrypted private messages in the first place, whether or not ae was implemented. Maybe we can also discuss whether such an encryption [symmetric, done by the market with the hard-coded key] should be put on the market-criteria list.

Case C: market gets hacked, whole site compromised

This means the hacker can also modify the page code. It does not happen as often, but hugbunter has demonstrated that it occasionally does. In such a case the ae could backfire dramatically, since the hacker can simply grab the plain text before the encryption and go on a big blackmail rampage or send the data to law enforcement.

Case D: market seizure with shutting down

Law enforcement takes over the market and shuts it down. They would probably get all the messages that were not deleted already [the market has to delete all messages older than 2 months according to the must-have list]. If ae worked and the market admins did not secretly circumvent it, the data encrypted with ae is not recoverable.

Case E: market seizure with taking over

Law enforcement seizes the market, takes it over and continues to run it. They did it for other sites in the past, and I think it is only a matter of time until they also apply these techniques to dnms. One of the first things they would do is to de-anonymize users. Focusing on ae, that would mean they would get themselves a plain text copy of the data that gets sent to the ae function, which would mean a massive address collection if many people relied on the ae.


So while the cases where the ae would dramatically backfire are not that common [market takeover, full market hack, market staff storing addresses themselves], they would hit the dnm community even harder due to us allowing ae to spread. Why would users, especially new ones, take the time to learn pgp if they can just check a box?

So if we allowed ae, that would mean a dramatic increase in users using ae. Sooner or later one of the situations where the ae users get fucked hard will take place, and it will be a huge shit-storm because they all expected their data to be encrypted. This is not even addressing that the whole topic of abusing pgp to not be end-to-end encrypted could spread to other services [e.g. email providers] and then have an even bigger impact when the ae fails.

Without ae, users would always know whether their data is actually secure or not [talking about markets, not vendors here]. Most users would encrypt sensitive data when we show them how easy it is and when vendors refuse orders that are not encrypted [which is not that uncommon].

So instead of having many users living in a pseudo-secure mindset, we would have the majority of users doing pgp encryption right, so that they can sit back even if a market gets taken over or the other worst cases happen.

The alternative would be living perfectly fine until a nuke fucks us all up. So looking at the pros and cons, I would rather see us push for correctly done pgp encryption instead of a temporary workaround that is only waiting to become a disaster.
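Cases B, C and E above turn on a single question: who gets to see the plaintext before it is encrypted. The Go program below is an added example, not code from the original post or from any market. It models the three buyer behaviours discussed (encrypting to the vendor's key yourself, ticking an auto-encrypt box, and sending plaintext that the market encrypts at rest under a hard-coded key as in Case B) and then reports what three attacker positions recover: a database dump alone, a dump plus the source code, and control of the live site while orders arrive. RSA-OAEP stands in for PGP; the buyer names, addresses and the 32-byte market key are constructed sample data, and all type and function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Record struct{ Buyer, Body string } // one row as it would appear in a leaked database dump
// Market models the server. seen holds every plaintext that reached it: honest staff discard
// it; malicious staff (Case A), a hacker editing the code (Case C) or LE (Case E) keep it.
type Market struct {
	vendorPub *rsa.PublicKey
	atRestKey []byte // the hard-coded symmetric key of Case B (constructed for this example)
	db        []Record
	seen      map[string]string // buyer -> plaintext the server got to see
}

// encryptForVendor stands in for PGP: RSA-OAEP to the vendor's public key.
func encryptForVendor(pub *rsa.PublicKey, msg string) string {
	ct, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(msg), nil) // messages here are far below the OAEP limit
	return string(ct)
}

// sealAtRest/openAtRest are Case B: AES-GCM under a key baked into the source, nonce prepended.
func sealAtRest(key []byte, msg string) string {
	block, _ := aes.NewCipher(key) // key length is fixed at 32 bytes in Simulate
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return string(gcm.Seal(nonce, nonce, []byte(msg), nil))
}
func openAtRest(key []byte, blob string) (string, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if n := gcm.NonceSize(); len(blob) >= n {
		pt, err := gcm.Open(nil, []byte(blob[:n]), []byte(blob[n:]), nil)
		return string(pt), err
	}
	return "", fmt.Errorf("blob too short")
}

// The buyer did the PGP step themselves; plaintext never reaches the server.
func (m *Market) SubmitClientEncrypted(buyer, ct string) {
	m.db = append(m.db, Record{buyer, ct})
}
// The "check the box" feature: the stored row looks exactly like the client-encrypted one.
func (m *Market) SubmitAutoEncrypt(buyer, plaintext string) {
	m.seen[buyer] = plaintext // copied before the encryption runs
	m.db = append(m.db, Record{buyer, encryptForVendor(m.vendorPub, plaintext)})
}
// No PGP at all; the server applies the Case B at-rest encryption.
func (m *Market) SubmitClear(buyer, plaintext string) {
	m.seen[buyer] = plaintext
	m.db = append(m.db, Record{buyer, sealAtRest(m.atRestKey, plaintext)})
}

// Exposed lists, in submission order, the buyers whose address each attacker recovers: "dump" =
// database only, "site" = database plus source (so the key), "tap" = control of the live site.
func Exposed(m *Market, addresses map[string]string) map[string][]string {
	out := map[string][]string{"dump": {}, "site": {}, "tap": {}}
	for _, r := range m.db {
		want := addresses[r.Buyer]
		if r.Body == want {
			out["dump"] = append(out["dump"], r.Buyer)
		}
		if pt, err := openAtRest(m.atRestKey, r.Body); r.Body == want || (err == nil && pt == want) {
			out["site"] = append(out["site"], r.Buyer)
		}
		if m.seen[r.Buyer] == want {
			out["tap"] = append(out["tap"], r.Buyer)
		}
	}
	return out
}

// Simulate runs one buyer of each kind through the market; buyers, addresses and key are constructed.
func Simulate() map[string][]string {
	vendorKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	addresses := map[string]string{"alice": "Alice Example, 1 Sample St",
		"bob": "Bob Example, 2 Sample St", "carol": "Carol Example, 3 Sample St"}
	m := &Market{vendorPub: &vendorKey.PublicKey, seen: map[string]string{},
		atRestKey: []byte("hard-coded-key-in-market-source!")} // 32 bytes -> AES-256
	m.SubmitClientEncrypted("alice", encryptForVendor(m.vendorPub, addresses["alice"])) // alice encrypts herself
	m.SubmitAutoEncrypt("bob", addresses["bob"])                                       // bob ticks the box
	m.SubmitClear("carol", addresses["carol"])                                         // carol sends plaintext
	return Exposed(m, addresses)
}
func main() { fmt.Println(Simulate()) } // map[dump:[] site:[carol] tap:[bob carol]]
```

Run with `go run`. The dump alone exposes nobody, which is the Case B point: even the buyer who sent plaintext is covered as long as only the database leaks. Dump plus source recovers the clear-text buyer because the key sits in the code. Whoever controlled the live site gets the auto-encrypt user as well, while the buyer who encrypted client-side never appears anywhere. Note that the tap is a one-line assignment next to the encrypt call, and nothing in the stored row shows whether it happened; that is why the stored ciphertext cannot be used as evidence that auto-encryption was honest.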


Comments


[6 Points] ciphersexual:

This is a good summary and a topic worth discussing.

I think it's also worth being explicit about the assumptions you are making. Namely, that the Reddit-based superlist is important enough in the dnm ecosystem to bend behavior of the markets toward your/our preferences. Does that seem accurate?

I'm not worried about a slippery slope toward dnm mods being the nanny state. But you may hear that argument.


[4 Points] istoleyourribeyes:

I would obviously pgp my messages with or without AE. I can see however that it would lead to a lot of low-hanging fruit being too lazy to learn how to do it or to just do it in general.

AE encryption would probably keep more people safe; however, encrypting it yourself is probably smarter.


[2 Points] trynakick:

I understand the super list, and the Reddit DNM subs generally, to have a mission of harm reduction. I get that understanding from mods (past and present).

To that end, the biggest function of the super list is a reliable source for valid market urls. If I'm new and I see market X listed on ddw and dnsstats but not Reddit, and market X has told me how secure their AE is, I will just go there. Or worse, I'll notice that Reddit has a lot of markets missing so I'll do something stupid like rely on the hidden wiki for links.

I'd propose either maintaining the status quo, or creating a 'security score' that would look like the vendor review templates. Does market support multi-sig? +1. No AE? +1. And so on with other important criteria (2FA, etc).

Harm reduction is really just about acknowledging people will engage in risky behavior and providing resources to mitigate that. Not listing markets for providing a feature that does -to some extent- protect users doesn't further the harm reduction mission as much as listing but warning.

The best analogy I can come up with right now is condoms. Not all men who have sex with men have STIs. But best practice is to use condoms every time, because you can't know. Not listing AE markets is like removing the bowl of condoms from the bathroom in the bar. It's an imperfect analogy, but the best I can come up with right now.

I really appreciate efforts to pull the markets to increase security, but I don't think this specific effort is the best way to do it. Thanks for looking out for the community and thinking of ways to keep us all safer.


[2 Points] Lucifer1903:

Pgp should not be done automatically


[2 Points] ice_cream4breakfast:

I really see support for both sides. I know this means vendors will not import all their customers' pgp keys into their keyring. So there will be even more privnotes and people complaining about clear text tracking info. On the other hand, it will be safer for customers' addresses. Honestly though, my overall opinion is that the people that are using pgp correctly will continue to do so, while the others will continue to not. I don't think markets need to make choices for people.


[2 Points] None:

For the record I am with u/wombat2combat

Still a long story to be told with all the AB data.....


[2 Points] trap_deez_nuts:

The market should auto-encrypt if no PGP message is detected but never advertise this feature. This is what Trade Route does. It encourages the user to do their own encryption since it doesn't seem to be available but still covers their ass.


[1 Points] GuruMart:

I think it should be. It'll (hopefully) force people to encrypt all of their info.


[1 Points] None:

[deleted]


[1 Points] stabBarbie:

As long as current markets adhere to the new rules


[1 Points] trynakick:

Small addendum to my previous comment. Every once-in-a-while we see someone comment, "ordering is easy, send your BTC, pick your product, enter your address and check the little encryption box". Whenever this happens the community admonishes that person and reminds them of the importance of encrypting themselves. I think encouraging people to learn proper security techniques themselves and just giving them the available market options is a better role for the super list than stringent policing.


[1 Points] throwaways_9001:

I would say the customer mix of those that have OPERATIONAL PGP keys and those that don't is 50/50, probably less.

Don't blame the markets, blame the idiots.


[1 Points] throwaway185973:

I totally agree that PGP auto-encryption is a net negative. However, I think a scheme like this would be the best of both worlds:

That way, no one is lulled into a false sense of security, and anyone ignorant/dumb enough to not heed the warnings may still get some protection from the silent auto-encryption if they're lucky.

Or, alternatively, they could just disallow any purchase message that isn't encrypted.

Do any markets do this?


[1 Points] ThrowAway20696:

Keep it simple: make new and current markets remove the auto-encrypt feature. Make sure new and current markets have a policy to remove old messages after 30 days from their databases. Finally, make all markets, new and old, have a tutorial or at least point to tutorials on how to use PGP, along with red warning messages inside their inbox.

That's it, you don't need to police anything else regarding this.


[1 Points] None:

[deleted]


[1 Points] Sourcery_Market:

We will definitely be following this discussion. We did not include auto-encrypt on our market because we believe it promotes sloppy practices. Buyers should never trust that markets aren't storing the clear version (before it encrypts) somewhere - whether on purpose or inadvertently, such as through logging. Also, even if the market is trustworthy today, you never know if they might be compromised tomorrow. So we will be monitoring for people who don't auto-encrypt to see what the numbers look like. But we felt that including auto-encrypt simply promotes a sloppy practice that buyers will take elsewhere and possibly bring harm upon themselves.

We tried to make it so that if our market ever goes down, the users' risk is reduced as much as possible. For instance, this is why we don't offer 2 of 2 multisig. For 2 of 2 multisig, there would be two possibilities:

So we tried to make decisions, such as requiring 2 of 3 (not offering 2 of 2) and not including auto-encrypt knowing that we might lose customers who simply don't want to do the extra steps to do these things. We could include it and cover a wider audience but we decided instead that we would rather encourage the best practices at the expense of possibly losing buyers. But if we ever became unavailable, I believe all of our users would feel a bit safer. And at least vendors know they can continue every one of their transactions with their buyers and not lose their escrow.


[1 Points] DooshNozzzle:

Everybody here, including me, talks mad shit on auto-encryption anyways.. so why make that a fucking REQUIREMENT???

makes no sense to me.