ClosedBazaar

TL;DR: Do not use the allegedly forthcoming “OpenBazaar” unless you like security and privacy vulnerabilities.


So there’s an outfit backed by some venture capitalists supposedly creating an open source P2P client for private, secure online purchases (think “distributed version of Silk Road”). Interesting idea.

Until you hit their web site. It absolutely requires lots of javascript and Flash to work.

I can tolerate some javascript. Depends on where it’s coming from. But any site that requires Flash is an instant no-go. It doesn’t instill a great deal of confidence in the privacy and security of the OB client. Sure, being open source will let people look for vulnerabilities. But the demonstrated preference for web hazards doesn’t bode well for them minimizing vulnerabilities in the first place, or fixing them in a timely manner in the second place.

Great Ghu…

I sent OpenBazaar.com an email explaining those objections to all those vulnerabilities. I just received a reply from “Brian Hoffman”:

“Ok peace. You can go get the client from GitHub directly and avoid the marketing site. Your style of browsing the web isn’t the only one so we’ll continue to do things the way we see fit, but thanks for the heads up. Everyone is free to do what they like and so are you.”

Apparently he doesn’t get “But the demonstrated preference for web hazards doesn’t bode well for them minimizing vulnerabilities in the first place, or fixing them in a timely manner in the second place.” My problem isn’t the marketing site. It’s what the marketing site tells me about the nonchalant security attitude of people professing to build a private, secure product.

So I replied to Hoffman:

My “style of browsing” (i.e. Linux, Pale Moon, NoScript, Flash blocking, etc.) is exactly what tech-savvy people, who would want a secure, private OpenBazaar client, use. Except the ones who go even farther with dedicated machines running through multiple proxies, and so on and so forth.

The Internet Exploder users who don’t care about Flash and scripting (and security and privacy) aren’t looking for an OB product. They’ll just use Etsy, eBay, Craigslist, and Cousin Charlie’s girlfriend’s best friend’s contact. You should probably take another look at your targeted demographic.

Hoffman’s answer:

Our product is not just targeted at the niche audience that is anarchic, libertarian, highly technical users.* Sorry to disappoint you. Probably want to look elsewhere.

Well, yeah. That I won’t be looking at his little security violation was my point.

I gather that Hoffman is a programming type. Maybe those VCs should provide someone with a better grasp of public relations to screen email. Not to mention someone with a clue regarding demographic targeting. And while I might be a little sensitive to rudeness and cluelessness, Claire Wolfe was also… impressed by Hoffman’s shortfalls.

OB might turn out to be a decent product, despite some incredibly questionable security decisions by the developers. But I doubt it. If it does, it will only be after months to years of vetting by the anarchic, libertarian, highly technical open source community; most of whom just might look at this and decide it’s simply too risky to even bother vetting.


* OB is based on Bitcoin. Pretty much by definition that severely limits OB to highly technical users interested in privacy and security.