Is anyone out there verifying market encryption? Setting aside whether relying on the market to encrypt is a good idea, I thought it would be a good idea to attempt verifying markets are doing what they claim. This idea occurred to me when within an encrypted message from a vendor the .onion address had been stripped out while the rest of the message remained. (This means that message was being processed by a third party prior to being encrypted, kinda diminishes encryption value IMO) I have no experience in this area but just a spot check reveals some differences between messages handled by DHL and Hansa. I took a sample message from each market and decrypted and re-encrypted with the public key provided to the market and compared.
DHL Claims ADDER AutoEncrypt v2.8.11 Message provided by server is 1,292 bytes vs 577 bytes.
Hansa Claims version GnuPG v1 Message provided by server is 1,080 bytes vs 1,088 bytes.
Hm... The message that DHL encrypted seems to have something going on. as a test, I took the plaintext DHL message and encrypted it with both my public and the vendors public key. 1,377 bytes (v 1,292 b). Close! Different implementations of PGP lead to different results, muddying waters here, but looks good to me. Another test, I took a message I had sent to a vendor and tried to decrypt it. Success! They had encrypted my plaintext with both parties public keys! Interesting, I don't recall this being disclosed at all. I'm sure there is a substantial amount of penetration testing with the ultimate goal of personal gain, have there been any tests done on market encryption? I would like to see markets disclose the exact configuration they use for peer review, but I also chase rainbows and sunshine. Hansa's GnuPG v1 is most likely a manually set tag rather than true indication of configuration, but has anyone verified this and publicly posted? Using an improperly implemented encryption is worse than no encryption at all, as the falsely increased sense of security leads to altered behaviors (for instance sending your address and personal information in the belief only the vendor can see it)
isnt it a rule to never use the markets built in encryption functions?