Are You Afraid of the Dark Web?: Ecommerce Edition
Ecommerce Security eCommerce Technology
While the Dark Web is most frequently associated with illegal activities, we learned in Part 1 (link to “Introduction” blog) that it is surprisingly accessed mostly by various individuals with innocent reasons such as maintaining privacy, security, and safety.
As more and more legitimate businesses start to create a presence on the Dark Web, to either capitalize on it’s unique market or because they just value their privacy, we thought it was time to dive in and explore that process.
How does one even go about setting up a shop on the Dark Web?
This article is definitely not a tutorial nor have I ever personally implemented, operated or owned a TOR web store, however, I do know the steps are pretty much like setting up a store on the open web.
On the dark web, common merchant issues have uncommon solutions.
In addition to having a secure machine with TOR access, merchants need the following:
- Bitcoin to pay for services
- Basic understanding of encryption practices
- An encrypted email service (like Protonmail)
While there are definitely online marketplaces (similar to selling on eBay or Amazon), merchants choosing to sell on the dark web would ensure their selected marketplace is not run by the FBI or the CCP. Some marketplaces even have materials that walk merchants through the process of getting started.
However, many merchants will want to have their own store. To my knowledge, there are no SaaS platforms offering Dark Web stores, but building on open source (Magento, Oro, etc.) is certainly an option. Most stores I have visited appear to be custom jobs, probably programmed by the merchants themselves.
Whether they use open source or write their own code, merchants need to host it somewhere. With a little searching, finding one isn’t that difficult. They will, of course, take Bitcoin and offer common services like SSH, SFTP, and so forth. Common tools of the trade like Git and Filezilla and most developer programs (IDEs) will work as well.
What about URLs? The TOR server that hosts the site will generate a domain for you automatically consisting of a string of 16 randomly generated characters. A special tool called ‘Shallot’ gets a URL that is more to the liking of merchants, but takes a lot of computational power. Facebook, for example, which has a TOR site (What’s the point? Once you log in they are tracking you, but that’s none of my business) must have spent an enormous amount of money to generate their URL, which is facebookcorewwwi.onion.
One big drawback of browser requests transiting through multiple servers is that it slows things down considerably. For TOR sites, small images and tersely-written code are critical. This is one reason many open source options like Magento would not work and why I believe you see so many hand-coded sites.
Finding a developer
Not surprisingly, there is an entire community of developers that you can pay in Bitcoin to work on your site. However, communication for English speakers may require some extra effort as many of them speak English as a second language and are located in Russia, Brazil, India, and Africa.
How do people find merchants? Well, it’s a comfort to know that there are plenty of high-traffic sites on the Dark Web willing to sell advertising space. There are no consolidators like Adwords or Adroll.
Reputation on the Dark Web is even more important than on the Clear Web. Online merchants with a presence on the dark web will want to sign up for a ratings and reviews service and make sure to give great customer service no matter what they are selling. The marketplaces have reviews built in. Many sellers start and build up their reputation on the marketplace and open their own storefront when their customer base merits it.
Payment & Fraud
Believe it or not, there are as many scammers who try to rip off stores on the Dark Web as there are on the Clear Web. Fortunately, however, cryptocurrency transactions are irreversible. Once cleared, there’s no clawing back of payments from PayPal and the bank.
Buyers, of course, are aware of this. For this reason, escrow services are abound. Payment is made to a third party (the escrow company) who holds onto the funds until a specific condition is met like a product being delivered, a tracking number being submitted, and so forth.
For this reason, shoppers tend to make small test purchases initially and increase them over time as they gain confidence. Sellers are wary of a new shopper that wants to make a large purchase. Many merchants limit initial purchase sizes, allowing customers to purchase more as they “prove” themselves.
Getting a security cert
As it turns out, this isn’t really a necessity for TOR browsing. By default, all traffic on the network is encrypted. Nonetheless, Facebook, ProPublica and other familiar companies that have onion sites do have security certificates issued by DigiCert.
If online sellers are trying to keep a business fully anonymous as a supplier, they don’t need one and likely won’t be comfortable ponying up the personal information required to get one.
As concerns about privacy become more widespread, the user-base for the Dark Web will only continue to grow. What does this mean for ecommerce? For companies that are early adopters, experimenting with this technology would allow merchants to offer security as a competitive advantage. And there’s nothing scary about that.
DISCLAIMER: We do not take any responsibility for anyone using information provided in the article. The article is provided for education purposes.