Are You Afraid of the Dark Web?: Ecommerce Edition

October 20, 2020 by Paul Byrne

While the Dark Web is most frequently associated with illegal activities, we learned in Part 1 (link to “Introduction” blog) that it is, surprisingly, accessed mostly by individuals with innocent reasons such as maintaining privacy, security, and safety. As more and more legitimate businesses start to create a presence on the Dark Web, either to capitalize on its unique market or because they just value their privacy, we thought it was time to dive in and explore that process.

How does one even go about setting up a shop on the Dark Web?

This article is definitely not a tutorial, nor have I ever personally implemented, operated or owned a TOR web store; however, I do know the steps are pretty much like setting up a store on the open web. On the dark web, common merchant issues have uncommon solutions.

In addition to having a secure machine with TOR access, merchants need the following:

- Bitcoin to pay for services
- Basic understanding of encryption practices
- An encrypted email service (like Protonmail)

Platform Selection

While there are definitely online marketplaces (similar to selling on eBay or Amazon), merchants choosing to sell on the dark web would want to ensure their selected marketplace is not run by the FBI or the CCP. Some marketplaces even have materials that walk merchants through the process of getting started.

However, many merchants will want to have their own store. To my knowledge, there are no SaaS platforms offering Dark Web stores, but building on open source (Magento, Oro, etc.) is certainly an option. Most stores I have visited appear to be custom jobs, probably programmed by the merchants themselves.

Hosting

Whether they use open source or write their own code, merchants need to host it somewhere. With a little searching, finding a host isn’t that difficult.
They will, of course, take Bitcoin and offer common services like SSH, SFTP, and so forth. Common tools of the trade like Git and Filezilla and most developer programs (IDEs) will work as well.

What about URLs?

The TOR server that hosts the site will generate a domain for you automatically consisting of a string of 16 randomly generated characters. A special tool called ‘Shallot’ gets a URL that is more to the liking of merchants, but takes a lot of computational power. Facebook, for example, which has a TOR site (What’s the point? Once you log in they are tracking you, but that’s none of my business) must have spent an enormous amount of money to generate their URL, which is facebookcorewwwi.onion.

Site performance

One big drawback of browser requests transiting through multiple servers is that it slows things down considerably. For TOR sites, small images and tersely written code are critical. This is one reason many open source options like Magento would not work and why I believe you see so many hand-coded sites.

Finding a developer

Not surprisingly, there is an entire community of developers that you can pay in Bitcoin to work on your site. However, communication for English speakers may require some extra effort, as many of them speak English as a second language and are located in Russia, Brazil, India, and Africa.

JavaScript

Most people browsing the Dark Web turn off JavaScript in their browsers because it is a common vector for snoopers (fraudsters and governments) to plant malware on your device. This creates a hurdle for Magento and other open-source platforms, as their default themes rely on JavaScript to some degree. Hence the need for a customized theme.

Advertising

How do people find merchants? Well, it’s a comfort to know that there are plenty of high-traffic sites on the Dark Web willing to sell advertising space. There are no consolidators like Adwords or Adroll.
Marketing automation that relies on cookies or JavaScript won’t work, and merchants certainly wouldn’t want to expose their site to Marketo or Hubspot since they would lose anonymity. However, email newsletters are still an option.

Reputation on the Dark Web is even more important than on the Clear Web. Online merchants with a presence on the dark web will want to sign up for a ratings and reviews service and make sure to give great customer service no matter what they are selling. The marketplaces have reviews built in. Many sellers start and build up their reputation on the marketplace and open their own storefront when their customer base merits it.

Payment & Fraud

Believe it or not, there are as many scammers who try to rip off stores on the Dark Web as there are on the Clear Web. Fortunately, however, cryptocurrency transactions are irreversible. Once cleared, there’s no clawing back of payments from PayPal and the bank.

Buyers, of course, are aware of this. For this reason, escrow services abound. Payment is made to a third party (the escrow company) who holds onto the funds until a specific condition is met, like a product being delivered, a tracking number being submitted, and so forth.

For the same reason, shoppers tend to make small test purchases initially and increase them over time as they gain confidence. Sellers are wary of a new shopper who wants to make a large purchase. Many merchants limit initial purchase sizes, allowing customers to purchase more as they “prove” themselves.

Getting a security cert

As it turns out, this isn’t really a necessity for TOR browsing. By default, all traffic on the network is encrypted. Nonetheless, Facebook, ProPublica and other familiar companies that have onion sites do have security certificates issued by DigiCert. If online sellers are trying to keep a business fully anonymous as a supplier, they don’t need one and likely won’t be comfortable ponying up the personal information required to get one.
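An added illustration for the “What about URLs?” section above (not code from the article or from Shallot): in the 16-character address format described there, the label is the base32 encoding of the first 80 bits of a SHA-1 hash of the service’s public key, so a chosen prefix can only be obtained by generating keys until one happens to hash to it. `stand_in_key` is a constructed placeholder for real RSA key generation, and every function name here is an assumption.

```python
import base64
import hashlib

BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_label(public_key_der: bytes) -> str:
    """16-character label: base32 of the first 80 bits of SHA-1(key)."""
    digest = hashlib.sha1(public_key_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def expected_attempts(prefix: str) -> int:
    """Average number of keys to try before a label starts with prefix."""
    if not prefix or set(prefix) - BASE32_ALPHABET:
        raise ValueError("prefix must be non-empty and use only a-z and 2-7")
    # Each character carries 5 bits, so every extra character costs 32x more.
    return 32 ** len(prefix)


def stand_in_key(counter: int) -> bytes:
    # Constructed stand-in for a freshly generated DER-encoded public key.
    return b"constructed-stand-in-key:" + counter.to_bytes(8, "big")


def vanity_search(prefix: str, max_attempts: int):
    """Try candidate keys until the label has the prefix.

    Returns (label, tries), or (None, max_attempts) if the budget runs out.
    """
    expected_attempts(prefix)  # validates the prefix
    for tries in range(1, max_attempts + 1):
        label = onion_label(stand_in_key(tries))
        if label.startswith(prefix):
            return label, tries
    return None, max_attempts


if __name__ == "__main__":
    label, tries = vanity_search("ab", max_attempts=200_000)
    print(f"{label}.onion found after {tries} candidates "
          f"(average for 2 characters: {expected_attempts('ab')})")
    for n in (4, 8, 16):
        print(f"{n}-character prefix: about {32 ** n:,} candidates on average")
```

The readable prefix is the only part that was searched for, so when checking an address against a known one, compare all 16 characters rather than the memorable beginning.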
In Conclusion

As concerns about privacy become more widespread, the user base for the Dark Web will only continue to grow. What does this mean for ecommerce? For companies that are early adopters, experimenting with this technology would allow merchants to offer security as a competitive advantage. And there’s nothing scary about that.

DISCLAIMER: We do not take any responsibility for anyone using information provided in the article. The article is provided for educational purposes.