Just bored and figured I'd get thoughts from the community. One of my biggest pet peeves with markets is that they offer to auto-encrypt for users. I honestly don't think any market should offer this functionality.
- The market could be compromised OR be compromised in the future and any sensitive communication intended to be encrypted could be intercepted by an adversary. Swapping keys would prob not be noticed.
- The market could log or otherwise store the plain text and if the market ever becomes compromised, this is a big problem.
- Even if the market is pristine and always pristine, it encourages a terribly unsafe habit that a user could take to another market, which could have the above issues and thus compromise the user's safety.
I simply don't think there is ANY good reason for a market to offer auto-encryption. Now the main argument is going to be "it's better than nothing." Well, the thing is, learning to encrypt is fucking easy. If this function isn't offered, then most people are going to fucking learn to encrypt on their own. It reinforces a shitty, terribly habit. Even if Market A is not compromised, a user who begins to rely on auto-encrypt is going to take that shitty, unsafe habit to another market which may not be safe.
My personal belief is that market admins should remove the auto-encrypt function ASAP. Don't let people feel comfortable at all with trusting markets. I cringe at the number of people who use auto-encrypt for one reason or another. Even if the market they use today is safe, what about a market that isn't safe? What if LE opens a honey pot and offers auto-encryption? I just think its not responsible. While I understand the argument that "it's better than nothing", I don't think its in the best interest of hte community personally. I don't think markets should contribute to very unsafe habits.
Just my personal opinion. Unfortunately it seems to be the norm. I wish markets would say fuck that and remove that feature and let's not make it the fucking norm. If the markets out there right now would remove this right now, then future markets would not feel that they have to offer it.
Here's the thing. What is the whole purpose of fucking encrypting sensitive information when you make an order? TO FUCKING PROTECT THAT INFORMATION FROM THE GOD DAMN MARKET!!! When you rely on auto-encrypt, then fuck it, why even fucking use PGP? Seriously, there is no god damned point to encrypting your shit (aside from perhaps a compromised vendor's account). If this is going to be the status quo, then we might as well just fucking plain text everything. Here's my address guys, fuck opsec.
Source: I'm a fed. I know this shit.
They leave auto-encryption because little babies are bartards are to lazy to figure it out. Once they want to buy something and they can't figure out PGP they get turned off buy the whole idea and just go pick up some shwag from Jamarcus on the block. It's not up to the markets to keep people safe. It's up to the individual to keep themselves safe.
Should markets hand out free test kits to customers just for signing up? It's not AB responsibility to make sure Vendor A is selling pure safe stuff. Sure, if its proven the vendor is selling dangerous shit as something else, then ban them. But its ultimately up to the individual to test their own shit to keep themselves safe.
Get it?