Why you should NOT use Alphabay's PGP auto-encrypt feature.

Today I was meditating about online OPSEC and I figured out some of the reasons with you should NOT use Alphabay's, or any other market's, auto-encrypt feature when submitting your address to your vendor.

The purpose of using PGP yourself is because it is secure as an END to END encryption that doesn't depend on any third party. The message is encrypted before you even transmit any data via your internet connection, and anything that goes over the network is PGP encrypted all the way to the vendor's computer when he decrypts your message using his private key. However, if you use a market's auto-encrypt feature, this doesn't apply anymore. Two reasons why this is not secure.

First, your computer is going to send your message over your internet connection in clear text, all the way to Alphabay's hidden server. Granted, it will still be encrypted as part of TOR's default encryption, but it won't be PGP encrypted as an extra layer of protection. This is the first not-so-secure thing.

Second, who knows if the markets don't keep some log or backup copy of your cleartext message before encrypting it with the pgp key and submitting it to your vendor. As such, this entire auto-encryption process may be completely useless if there is any trace of your cleartext message left on the market server.

I kept it nice and sweet. Stay safe out there.


Comments


[12 Points] endedbytheknife:

The way I explained it to someone is that you and the vendor are kids in school writing personal notes to each other. You have different schedules so you use a courier to pass the notes. If you don't seal the note in an envelope, you dont know what the courrier might do with it. they can xerox it, show it to other people, or just be plain stupid and read it before getting it to the other person.

same with you, ab, and vendor. You can write whatever you want, if you don't encrypt (seal the letter), ab and their server might do what you dont want it to do.


[2 Points] g2n:

One thing to note (I don't use Alphabay) but it's just possible that encryption is done client side using Javascript. If you really wanted to do some investigation, you can confirm this by checking the browser console for what scripts are loaded, and then verify that your message is encrypted when transmitting over the wire with Wireshark.


[1 Points] sneakyexe:

Going to ask the important question. Why the 🦆 were you meditating about online OPSEC wtf?


[1 Points] soyuka:

Same goes for Dream Market or any market providing such feature.


[1 Points] 420NSWGreat:

Kimble didn't add server side encryption on Evolution for a reason. If the server is seized, it can be turned into a honey-pot.


[1 Points] apploutloud:

Why AB specifically? You should always encrypt yourself on any market and never use online encryption.


[1 Points] Musicprotocol:

I have kind of thought this was pretty obvious to most people, if the webserver is encrypting back-end then the server can easily pass the data in to a db before encrypting.... also if someone was on the same network as you they could also Man in the middle you pretty easily and capture that data.... though I am fairly certain markets and TOR sites in general enforce encryption.... though again there are ways to push traffic off SSL and make it plain text... Another thing that could be very easily happening is that whomever implemented the "tick to encrypt" function could of simply added their own public key to the encryption.. and I mean.. why wouldnt they? nobody would be any wiser (though I think there are ways to see based on the size of the encrypted output if it was encrypted using just one public key or 2...im not entirely sure) and I mean.. If I were running a site like this I'd be fairly tempted to do such a thing so I could more easily resolve issues later.. but of course I wouldnt because it would be immoral and deceptive... but in the world of darknet market... trust no one.
What they SHOULD do.. is have an optional client side encryption function written in java script... that loads up in a sandboxed page.. If they made the entire functionality for pgp encryption 100% client side java script in a seperate page anyone could inspect the code and see clearly if it was sending any data, and if it popped up in a new window with a different domain you can easily add an exception to your "no scripts" browser plugin that you ALL should be running. this to me would be much better, I would even use a simple browser plugin that shows ALL remote traffic from that domain so I could be certain that its all just a clientside function and nothing is sent to/from... sorry if this whole comment rambled on a bit... I just did a few too many lines of some fire coke and ... I just kept going... and going... fuck why did I decide to test that gear here at home alone on a friday night... god damn.


[0 Points] CrankyBulb:

Unless you're buying weight it doesn't even matter anyway


[-4 Points] BFCDNM:

WOW BREAKING NEWS