Market link for those who haven't seen this abomination yet
Here are my problems with Onion Market.
First off, I went to the marketplace approximately 3 hours after it was first posted on reddit, and it was already in "maintenance mode" which was unsettling for the security of the market, to say the least.
Then after a while it was functioning, so I signed up and poked around a bit and saw a few other startling things. From their FAQ:
Does Onionshop use an escrow system?
No. Even though escrow is favourable when dealing with low-reputation vendors, it brings more problems than it solves. There will always be the possibility that those funds get lost or stolen, which happened over and over in the past. In cases of good vendor/buyer relationships, there is no point in parking the coins on a less trustworthy spot in the middle. That is why Onionshop doesn't hold any coins at all; the customer transfers the specific amount directly to the vendor's BTC address. Onionshop automatically keeps track of incoming payments and assigns them to the particular order, but without having access to the funds.
So apparently multisig was too hard to code? Even a traditional escrow was too hard to code? NO. EFFORT. AT ALL. Also, consider this: the site takes a fee out of all orders placed on-site. So how do they make you pay that fee without doing it automatically through escrow? They use the fucking honor system. ARE YOU SHITTING ME RIGHT NOW?!
How does Onionshop assure data security?
The best way of keeping data safe is not storing any readable data in the first place. While many customers use PGP anyway, Onionshop automatically encrypts the address info of those who don't use it. Not a single address is stored in plaintext on our server. Even for messages, Onionshop provides a convenient way to auto-encrypt if desired, diminishing the threat of leaking data even more. The fact that Onionshop doesn't hold the bitcoins also makes it less of a target for hackers or federal investigators.
What they're basically saying is "yeah, send your unencrypted address to our server! we promise we'll encrypt it, no need for you to take any steps for your own safety!" This attitude is toxic and promotes irresponsible behavior. The address is encrypted serverside and the server admins can see it before it's encrypted and stored if they so choose.
Also, they make no effort to force you to use PGP. On one page, you can message the admins and you have the option to encrypt it. (As far as I know, they don't actually list their public keys anywhere, either. So you have to use their shitty in-built encryption.) Pic
Their download section is also pretty awful, dangerous, and irresponsible. They created their own PGP tool and recommend that you download an EXE from an onion site and run it on your home computer. And they fail to mention that there are already dozens of tools out there that are purpose-built for PGP, instead pushing their own shady looking tool on you. They do, however, include the source, but no MD5s to prove that the .exe listed is the same one the source code creates.
On top of their abysmal security practices, the admin also seems to be rude, unhelpful, and speaks rather unprofessionally. Here are some pics. In the last one it also seems he can't even stop his site from being taken down, lol.
Another thing I noticed while navigating this site was that there was nowhere I could put a PGP key in. Maybe I just missed it (which, if I did, goes to show how hard this site is to navigate) but either way, not cool.
The marketplace itself, like, the product browser, isn't bad. It's really big and, like a lot of other things on the site, clunky and hard to use though. Although, when you consider there's no escrow on site, it's totally fucked anyway.
The last thing I'm gonna list here (until I find more shitty aspects of their site to bitch about) is the fact that they have a clearnet site, onionmarket.org. I know many of you don't frown upon this, but personally, I definitely do. Much like their policies on message encryption, they seem rather lax in their security.
tl;dr Onion Market is a disgrace, and it is the opinion of me and my lawyers that the head admin should sodomize himself with a retractable baton
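The post's complaint about the download section is that nothing ties the offered .exe to the published source. The usual fix is a published digest (or signature) that the user checks locally before running anything. The following is an added example, not code from the post or from the site being reviewed, showing that check with SHA-256; it uses SHA-256 rather than the MD5 the post mentions because MD5 collisions are practical today. The file bytes and the "published" digest are constructed inline so it runs offline.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Return the lowercase hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, expected_hex: str) -> bool:
    """Compare the digest of downloaded bytes against a published digest.

    hmac.compare_digest avoids leaking where the strings differ; the
    published value is normalised so a stray capital or whitespace in the
    copied digest does not cause a false rejection.
    """
    expected = expected_hex.strip().lower()
    if len(expected) != 64:
        # Not a SHA-256 hex digest at all; treat as a failed check.
        return False
    return hmac.compare_digest(sha256_hex(data), expected)


def check_or_refuse(data: bytes, expected_hex: str) -> str:
    """Decision helper: only a matching digest is 'ok to install'."""
    return "ok to install" if verify_download(data, expected_hex) else "REFUSE: digest mismatch"


# Constructed sample: pretend these bytes are the downloaded tool, and the
# digest below is the value a vendor published alongside the source.
SAMPLE_DOWNLOAD = b"MZ\x90\x00constructed-sample-binary-not-a-real-program"
PUBLISHED_DIGEST = sha256_hex(SAMPLE_DOWNLOAD)      # what an honest vendor would publish
TAMPERED_DOWNLOAD = SAMPLE_DOWNLOAD + b"\x00"       # one extra byte: a swapped binary

if __name__ == "__main__":
    print(check_or_refuse(SAMPLE_DOWNLOAD, PUBLISHED_DIGEST))    # ok to install
    print(check_or_refuse(TAMPERED_DOWNLOAD, PUBLISHED_DIGEST))  # REFUSE: digest mismatch
```

A digest only helps if it is obtained over a channel the download server does not control (for example, a signed message from a key you already hold); a digest fetched from the same page as the file proves nothing about the page's honesty.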
I started laughing at the *.exe file.