OpenBazaar Beta 0.4.0 “Portobello” is released for Linux and OSX

Note: This blog post is outdated. Read this article for the latest code.

The fourth OpenBazaar beta has been released, named after the famed Portobello Road Market in London.

Please note this is still a beta and for users with some level of technical expertise. This isn’t a consumer ready release.

Binaries will be released soon. Windows users will need to wait for binaries. You can install beta 0.4.0 on Linux or OSX using the following instructions. For a detailed overview of the 0.4 beta client, visit this post.

We’ve also released quick start guides; visit these links for buyer, merchant, and notary.

This release includes a substantial number of new features and improvements. Most notable are the networking changes, which should allow better connectivity and largely eliminate the need for port forwarding. Also greatly improved is stability. Other improvements include:

  • Signing keys are now HD for increased privacy;
  • Internal messaging system for online parties to communicate;
  • Users can now select their avatars;
  • Images are now externally hosted and listings can support three images (including gifs);
  • Notaries can now offer refunds to buyer or release funds to seller;
  • Notaries can now set their fee (as a percentage) if their services are utilized;
  • The order workflow has been significantly improved;
  • Addition of simple walk-through on start up;
  • Search improvements.

New Installation

If you don’t have Git installed on Linux, open terminal (Ctrl+Alt+T) and type:

sudo apt-get install git

If you don’t have Git installed for OSX, download here and install.

Now run:

git clone https://github.com/OpenBazaar/OpenBazaar.git

Once that’s complete, change directories:

cd OpenBazaar

Run the configure script with this command:

./configure.sh

Please note that as of the 0.4 beta release, the default branch will be develop instead of master. This means that beta testers will receive more frequent updates if they run ‘git pull’. If you prefer to keep to the more stable releases only, then switch to the master branch by running this command:

git checkout master

To start your node:

./openbazaar start

To stop your node:

./openbazaar stop

To get help on the commands you can use with OpenBazaar:

./openbazaar help

Existing Users

If you’ve run a previous release, you need to delete your existing database:

rm db/ob.db

Run git pull:

git pull

And also run ./configure.sh again:

./configure.sh

If you find a bug, please let us know on our Github or on the bug reporting thread in our subreddit.

Detailed Overview of OpenBazaar Beta 0.4

Note: This blog post is outdated. Read this article for the latest code.

This is meant to be a comprehensive guide for the 0.4 beta client. If you want quick start guides, visit these links for buyer, merchant, and notary.

These guides assume that installation was successful and that the user can reach the client interface in their browser. If you can’t, please check the Github issues and our Help Desk to see if it’s a known issue; if not then open a new issue on the Github or ask a question at our Help Desk.

Table of Contents

  1. Settings
    1. Store Info
    2. Keys
    3. Communication
    4. Notary
    5. Advanced
    6. Backup
  2. Home
    1. Other Markets
    2. Search
    3. Chat Stream
    4. Purchasing a Product
  3. Contracts
    1. Add Contract
  4. Orders
    1. My Sales
    2. My Purchases
  5. Notarization
  6. Messages
  7. Terminal Commands
  8. Tips and Tricks

Overview

There are six tabs in the OpenBazaar client:

  1. Home
  2. Messages
  3. Orders
  4. Notarizations
  5. Contracts
  6. Settings

Settings

In settings you have six sections to manage your client.

  1. Store Info
  2. Keys
  3. Communication
  4. Notary
  5. Advanced
  6. Backup

Store Info

In the Store Info section, you have the following options.

Store Details

  • Nickname. This is the name of your store that everyone will see on the network. You must enter a store name or it will display as “Default.”
  • Avatar URL. This allows you to choose a personalized image which is displayed along with your store. These images are externally hosted, so choose a link to an image of your choice. Avatars are optional.
  • Namecoin id. If you have a Namecoin id, you can choose to have it displayed in your profile.
  • Bitcoin Receiving Address. It is important you put in a Bitcoin address that you control. This is where funds will be released if the third party notary needs to manually release funds from multisig.
  • Store Description. Give a short description of your store here. Only supports text at the moment.

Reputation Pledge

This section displays the amount of your reputation pledge, and your proof-of-burn address. Reputation pledges are a way to intentionally burn a small amount of Bitcoin tied to your store ID in order to show others you are committed to maintaining your store reputation. In other words, someone who has made a sizeable reputation pledge is unlikely to be a scammer, since it wouldn’t be profitable for a scammer to consistently burn coins for new identities. You can learn more about reputation pledges here.

Note that during betas we don’t recommend large reputation pledges, since there’s a good chance your store may need to be updated and you will lose the identity associated with the pledge.

To make a pledge, simply send a small amount of Bitcoin to the address listed as “Proof-of-burn address.”

Shipping Information

This is where a buyer will input their shipping information. If you intend on using OpenBazaar as a buyer as well as a merchant, you should fill this section out as well.

Keys

Bitcoin Public Key (Uncompressed)

This is the uncompressed Bitcoin public key created for signing.

BIP32 Seed

The OpenBazaar client uses BIP32 to create HD keys for signing. This increases privacy by ensuring that the same key isn’t used for signing multisignature transactions. This seed should be kept private.

PGP Public Key

In order to encrypt communications over the network, each store creates a PGP key pair. This is the public key which other users’ clients use to encrypt messages sent to you.

Communication

  • Email. If you’d like to communicate with other users over email, set it here. Your email will be visible to anyone viewing your store.
  • Your Website. If you’d like to have your website URL displayed in your store, set it here.
  • Bitmessage. If you’d like to communicate with other users over Bitmessage, set it here.

Notary

Notaries are a vital part of OpenBazaar. They are the third key holder in the 2 of 3 multisig, meaning that if there is a dispute between buyer and merchant, only the notary has the power to work with one of the parties to release the funds. As such, it’s important that buyer and merchant trust the notary not to collude with the other party. In beta we recommend smaller transactions until reputable notaries emerge in the market. Since in the 0.4 beta buyers choose notaries, the burden is on the merchant to either accept the buyer’s choice of notary or contact the buyer and notary to tell them you don’t want to engage in trade with the other parties.

Trusted Notaries

This is a list of notaries that you’ve trusted. You can also add a notary manually by entering their GUID (the string of numbers and letters under their store name).

Notary Details

This section is for notaries to set up their services.

  1. Make me a notary. By clicking Yes in this section, you allow others to choose you as a notary. They will see this option when they click on your store front and see the “Services” tab, or by manually entering your GUID into the Trusted Notaries section. The default option is set to No; users aren’t notaries unless they choose to be.
  2. Fees. As a notary, you can charge a percentage fee for providing dispute resolution. If the buyer and seller finish their transaction without needing the notary, there is no payment. If the notary is needed to refund buyer or release payment to merchant, then they will receive the percentage from the multisig that they set in this section. A notary’s fee is visible in the “Services” tab in their store front.
  3. Description of your services. Notaries can explain their terms and conditions in this area, as well as their credentials and any other information they wish to share.

Advanced

Obelisk Server

This allows the user to manually select an Obelisk (libbitcoin) server.

Developer Tools

These allow the user to clear their cache, clear the peers stored in the database, and to stop their own node.

Log

The log can be used for troubleshooting and bug reports.

Backups

You can create new backups with the “Create New Backup” button, and they will be displayed below the Backup Name section.

Home

The Home tab displays Other Markets, allows the user to search for products, and serves as a simple place to communicate via the Chat Stream.

Other Markets

You can view the other stores connected to you by clicking on them. Stores with a checkmark should be visible. Stores with an X were visible once, but are now offline. The client should automatically pull in new stores as they become available, but occasionally refreshing the page may help.

When viewing a store, there are three sections.

  1. Store. This displays the merchant’s products. Clicking on the image displays more details.
  2. Details. This displays information about the merchant, including their OB public key, PGP key, amount of their reputation pledge, and any communication information they’ve displayed.
  3. Services. This is only visible if the user offers notary services. If they do, it will display their percentage fee, a description of their services, and allow users to select them as notaries by clicking “Make Trusted Notary.”

Users can also contact the store owner by selecting the “Message me” or “Email me” buttons in blue underneath their name.

Search

When creating an item, merchants tag them with keywords. Buyers can then use the search bar to find items tagged with those keywords. Clicking on an item brings the users to the merchant’s store front.

Chat Stream

This is a simple chat that any node can use to communicate with all other nodes it is connected to. Note that this feature isn’t likely to scale well and will be removed in future releases.

Purchasing a Product

If you click on an item in a store, a new window opens to give more product details, including the product title, price in Bitcoin, product description, cost of shipping and handling, quantity available, the item’s condition, and up to three photos. There is also a “Raw Contract” button which allows users to view the contract details directly.

Clicking on “Order Details” on the bottom left will bring you to a screen that allows you to purchase the product. You can determine the quantity desired, and attach a comment for the merchant to see along with your order. If you haven’t entered your shipping address in Settings already, a red warning will ask you to do so before proceeding. The price for the product and shipping and handling are displayed again.

At the bottom the user needs to input a Bitcoin Address that they control. This will be used in case of a refund.

Once this section is completed, the user selects “Choose a Notary.” A list of online notaries that the user has trusted is displayed. If the user hasn’t trusted any notaries, or if none of those notaries are online, they must choose another notary in order to continue.

The user then completes the order by selecting “Submit Order.” This sends the order to the notary and merchant.

Contracts

The contracts tab is where a merchant manages their products. The merchant can create new contracts, edit existing contracts, or delete them.

Add Contract

Create Contract

  1. Click on the Contract tab.
  2. Click Add Contract.
  3. Input product details, including a title and description of your product, as well as the price (in Bitcoin), the cost of shipping, how many items are available, and what condition the items are in.
  4. Add up to three externally hosted images in the photos section.
  5. Make sure you click on the Keyword section next to Photos and input keywords that describe your product. This is how users find your items through the search function. If you don’t add keywords, your items cannot be found via search.
  6. Click Save. This publishes your product to the network.

Orders

The orders tab keeps track of the activity of buyers and merchants through the “My Sales” and “My Purchases” sections.

My Sales

If a merchant has a sale, the details of that sale are listed here. An order number is created, along with the time and date of the purchase and the buyer’s details.

A merchant should take the following steps once they’ve received an order.

  1. Click on the order to display details.
  2. If someone purchases your product, the item will display “Buyer Paid.” Please double check the linked multisig account in the order description to verify; at this point a buyer can mark an item as paid without actually paying.
  3. Determine if you trust the notary involved. Since at this point the buyer chooses the notary, if the two parties are colluding, they can cheat you out of the Bitcoin. You can view the notary involved by clicking “Contract Details” in the item description. Early in the beta, we recommend test transactions or small transactions until trusted notaries become established.
  4. If you verify the buyer has sent the funds to multisig, and that you trust the notary, then ship the item to the buyer at the address they provided. This address is displayed in the “Shipping Information” tab when viewing the order.
  5. Once you’ve shipped the item, input your Bitcoin address into the Shipping & Payment section of the order view, where it asks “Where would you like payment sent to?”
  6. Once the buyer receives the item, they should release payment. If they don’t in a reasonable time, contact the buyer and request they release funds. If they are non-responsive, contact the notary involved in the transaction and request they release funds.

My Purchases

When a buyer views “My Purchases” it will display the status of their orders. If they’ve just submitted an order, the status will indicate “Need to Pay” and the buyer needs to open the order to complete payment.

A QR code is displayed which, if scanned, will input the multisignature address and amount. If the user selects “Pay in your Wallet,” it will open a wallet on their device and pull in the same information. Once the payment is completed, the buyer must manually select “Mark as Paid.” This lets the merchant know to ship the item.

If the buyer marked the order as paid, but the merchant didn’t receive this message due to being offline, the buyer can re-open the order and click on “Resend Payment Notice” when the merchant is online.

Once the item has arrived or service is provided, the buyer can then release the funds from multisig by opening the order and selecting “Release Payment to Merchant.” Again, if the merchant didn’t receive this message due to being offline, the buyer can try releasing again when they are online.

Notarizations

Notaries manage their orders through the notarizations tab. This is the same as the My Purchases and My Sales tabs, except it tracks the contracts which the notary has been selected for.

Note that at this point, offering notary services means you automatically accept all transactions which choose you as a notary. In the future, notaries will be able to screen transactions, or only accept them manually.

If a buyer or seller contacts a notary asking for funds to be released, it’s the notary’s responsibility to do their best to determine which party should receive funds. Once they’ve made their decision and contacted the parties, they can release funds by opening up the order in the notarizations tab.

In the 0.4 client, the notary has two options. “Refund the Buyer” releases all the funds from multisig to the buyer, minus the percentage fee which is paid to the notary for dispute resolution. “Release money to the Merchant” does the same for the merchant. The notary must click “Send Resolution” for the transaction to process.
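The 2-of-3 arrangement and the notary's two resolution options described in this guide can be modelled directly. The Python below is an added example, not OpenBazaar's own code; the function names, the integer satoshi amounts and rounding the fee down are assumptions made for illustration.

```python
from decimal import Decimal
from itertools import combinations

PARTIES = ("buyer", "merchant", "notary")  # the three key holders in the guide
THRESHOLD = 2                              # 2-of-3: any two signatures release funds


def can_release(signers):
    """True when the signers meet the 2-of-3 threshold."""
    return len(set(signers) & set(PARTIES)) >= THRESHOLD


def minimal_coalitions():
    """Map each two-party coalition that can spend to the party it leaves out."""
    return {pair: next(p for p in PARTIES if p not in pair)
            for pair in combinations(PARTIES, THRESHOLD)}


def settle(escrow_sat, signers, recipient, notary_fee_percent=0):
    """Payout in satoshi for a release signed by `signers`.

    buyer + merchant: normal completion, the notary is not needed and earns nothing.
    notary + one party: dispute resolution, the notary keeps its percentage fee.
    """
    signers = set(signers)
    if not can_release(signers):
        raise PermissionError("need at least 2 of 3 signatures")
    if recipient not in ("buyer", "merchant"):
        raise ValueError("funds go to the buyer (refund) or the merchant (release)")
    pct = Decimal(str(notary_fee_percent))
    if not 0 <= pct <= 100:
        raise ValueError("fee must be a percentage between 0 and 100")
    fee = 0
    if not {"buyer", "merchant"} <= signers:
        # Assumption: the fee is rounded down to a whole satoshi.
        fee = int(Decimal(escrow_sat) * pct / 100)
    payout = dict.fromkeys(PARTIES, 0)
    payout["notary"] = fee
    payout[recipient] = escrow_sat - fee
    return payout


def outcomes_without(party, escrow_sat, notary_fee_percent):
    """Every settlement the other two key holders can sign without `party`."""
    others = [p for p in PARTIES if p != party]
    return {recipient: settle(escrow_sat, others, recipient, notary_fee_percent)
            for recipient in ("buyer", "merchant")}


def worst_case(party, escrow_sat, notary_fee_percent):
    """Smallest amount `party` can end up with if the other two sign together."""
    outcomes = outcomes_without(party, escrow_sat, notary_fee_percent)
    return min(payout[party] for payout in outcomes.values())


if __name__ == "__main__":
    escrow = 50_000_000  # constructed sample: 0.5 BTC held in multisig
    for pair, excluded in minimal_coalitions().items():
        print(pair, "can release funds without the", excluded)
    print("normal completion:", settle(escrow, ["buyer", "merchant"], "merchant", 2))
    print("notary releases to merchant:", settle(escrow, ["merchant", "notary"], "merchant", 2))
    print("merchant's worst case:", worst_case("merchant", escrow, 2))
```

The merchant's worst case is zero because the buyer and a buyer-chosen notary together meet the threshold, which is why the guides tell merchants to check the notary before shipping.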

Messages

The messages tab is a place to communicate with other OpenBazaar users who are online. You can send simple messages (text only at this point) by clicking the “Send a Message” button and selecting another user from the dropdown list. Messages you’ve received can be read by clicking on them, and replied to by hitting the blue “Reply” button on the right.

Terminal Commands

For Linux and OSX users, you need to use the terminal to configure, start, and stop OpenBazaar. Here are some common commands to use.

  1. ./configure.sh This installs OpenBazaar once the code has been downloaded. After major releases, you may need to run configure again.
  2. ./openbazaar help This gives you a list of arguments you can use when launching OpenBazaar.
  3. ./openbazaar start This launches OpenBazaar.
  4. ./openbazaar stop This shuts down OpenBazaar.
  5. git pull If git is correctly installed, this will update the software if there are new changes.

Tips and Tricks

  1. Try refreshing the page occasionally if things aren’t working correctly.
  2. Wait a minute or two when first connecting to find peers. It shouldn’t take any longer than this.
  3. If you have connectivity problems, try using killall python -9 in terminal, then launch OpenBazaar again.
  4. If you receive an “Address already in use” error when starting OpenBazaar, this means the program was already running. Stop it first, then launch again.
  5. If your client crashes or has an obvious error, try looking for /logs/production.log and searching for ‘Traceback’ to see what the error was. If you don’t see anyone else posting about that error on the Github issues and our Help Desk then feel free to post along with the error and some context.

Notary’s Guide to OpenBazaar Beta 0.4

Note: This blog post is outdated. Read this article for the latest code.

For the fourth beta release, we’re issuing guides for each of the three user types in OpenBazaar: buyer, merchant, and notary. The installation instructions are the same for each user.

These guides assume that installation was successful and that the user can reach the client interface in their browser. If you can’t, please check the Github issues and our Help Desk to see if it’s a known issue; if not then open a new issue on the Github or ask a question at our Help Desk.

Quick Start Guide

This guide is meant to get notaries set up and offering their services to buyers and merchants as quickly as possible. For a detailed overview of the entire client, visit here.

Step One: Personalize your Client

Settings Tab

  1. Click the Settings tab.
  2. Enter a new Nickname for yourself. This is how other users will see you.
  3. If you want a unique image for your avatar, put in a URL for an image in the Avatar URL field.
  4. Input a Bitcoin address that you control into the Bitcoin Receiving Address field. This is where you receive funds from multisig if your services are needed.
  5. Click Save.

Step Two: Set Communication Information

  1. Click on the Communication section.
  2. Enter an email address if you want to communicate with other parties via email.
  3. If you have a website that you want displayed, enter the URL in the Your Web Site field.
  4. Enter a Bitmessage address if you want to communicate with other parties via Bitmessage.
  5. Click Save.

Step Three: Create Backup

  1. Click on the Backup section.
  2. Click Create New Backup.

Step Four: Set up your Notary Details

In Settings, select the Notary section.

  1. Make me a notary. By clicking Yes in this section, you allow others to choose you as a notary. They will see this option when they click on your store front and see the “Services” tab, or by manually entering your GUID into the Trusted Notaries section. The default option is set to No; users aren’t notaries unless they choose to be.
  2. Fees. As a notary, you can charge a percentage fee for providing dispute resolution. If the buyer and seller finish their transaction without needing the notary, there is no payment. If the notary is needed to refund buyer or release payment to merchant, then they will receive the percentage from the multisig that they set in this section. A notary’s fee is visible in the “Services” tab in their store front.
  3. Description of your services. Notaries can explain their terms and conditions in this area, as well as their credentials and any other information they wish to share.

Step Five: Manage your Orders

Note that at this point, offering notary services means you automatically accept all transactions which choose you as a notary. In the future, notaries will be able to screen transactions, or only accept them manually.

If a buyer or seller contacts a notary asking for funds to be released, it’s the notary’s responsibility to do their best to determine which party should receive funds. Once they’ve made their decision and contacted the parties, they can release funds by opening up the order in the notarizations tab.

In the 0.4 client, the notary has two options. “Refund the Buyer” releases all the funds from multisig to the buyer, minus the percentage fee which is paid to the notary for dispute resolution. “Release money to the Merchant” does the same for the merchant. The notary must click “Send Resolution” for the transaction to process.

Step Six: Give Feedback

To make this network and client the best it can be, we need your feedback on how to improve. Bug reports are obviously very helpful, but feedback can be about which new features you’d like to see, or changes to the interface, or anything you like. Please submit these ideas by opening up new Github issues or by posting at our Help Desk.

Merchant’s Guide to OpenBazaar Beta 0.4

Note: This blog post is outdated. Read this article for the latest code.

For the fourth beta release, we’re issuing guides for each of the three user types in OpenBazaar: buyer, merchant, and notary. The installation instructions are the same for each user. These guides assume that installation was successful and that the user can reach the client interface in their browser. If you can’t, please check the Github issues and our Help Desk to see if it’s a known issue; if not then open a new issue on the Github or ask a question at our Help Desk.

Quick Start Guide

This guide is meant to get merchants set up and offering goods and services as quickly as possible. For a detailed overview of the entire client, visit here.

Step One: Set up Store

Settings Tab

  1. Click the Settings tab.
  2. Enter a new Nickname for your store. This is how other users will see your store.
  3. If you want a unique image for your store, put in a URL for an image in the Avatar URL field.
  4. Input a Bitcoin address that you control into the Bitcoin Receiving Address field. This is where you receive funds from multisig if the notary needs to take action manually.
  5. Describe your store in the Store Description field.
  6. Click Save.

Step Two: Set Communication Information

  1. Click on the Communication section.
  2. Enter an email address if you want to communicate with other parties via email.
  3. If you have a website that you want displayed, enter the URL in the Your Web Site field.
  4. Enter a Bitmessage address if you want to communicate with other parties via Bitmessage.
  5. Click Save.

Step Three: Create Backup

  1. Click on the Backup section.
  2. Click Create New Backup.

Step Four: List your Goods or Services

Create Contract

  1. Click on the Contract tab.
  2. Click Add Contract.
  3. Input product details, including a title and description of your product, as well as the price (in Bitcoin), the cost of shipping, how many items are available, and what condition the items are in.
  4. Add up to three externally hosted images in the photos section.
  5. Make sure you click on the Keyword section next to Photos and input keywords that describe your product. This is how users find your items through the search function. If you don’t add keywords, your items cannot be found via search.
  6. Click Save. This publishes your product to the network.

Step Five: Manage Trade

  1. Manage your sales by viewing the My Sales section under the Orders tab. If you have an order, click on it to display details.
  2. If someone purchases your product, the item will display “Buyer Paid.” Please double check the linked multisig account in the order description to verify; at this point a buyer can mark an item as paid without actually paying.
  3. Determine if you trust the notary involved. Since at this point the buyer chooses the notary, if the two parties are colluding, they can cheat you out of the Bitcoin. You can view the notary involved by clicking “Contract Details” in the item description. Early in the beta, we recommend test transactions or small transactions until trusted notaries become established.
  4. If you verify the buyer has sent the funds to multisig, and that you trust the notary, then ship the item to the buyer at the address they provided. This address is displayed in the “Shipping Information” tab when viewing the order.
  5. Once you’ve shipped the item, input your Bitcoin address into the Shipping & Payment section of the order view, where it asks “Where would you like payment sent to?”
  6. Once the buyer receives the item, they should release payment. If they don’t in a reasonable time, contact the buyer and request they release funds. If they are non-responsive, contact the notary involved in the transaction and request they release funds.

Step Six: Give Feedback

To make this network and client the best it can be, we need your feedback on how to improve. Bug reports are obviously very helpful, but feedback can be about which new features you’d like to see, or changes to the interface, or anything you like. Please submit these ideas by opening up new Github issues or by posting at our Help Desk.

Buyer’s Guide to OpenBazaar Beta 0.4

Note: This blog post is outdated. Read this article for the latest code.

For the fourth beta release, we’re issuing guides for each of the three user types in OpenBazaar: buyer, merchant, and notary. The installation instructions are the same for each user. These guides assume that installation was successful and that the user can reach the client interface in their browser. If you can’t, please check the Github issues and our Help Desk to see if it’s a known issue; if not then open a new issue on the Github or ask a question at our Help Desk.

Quick Start Guide

This guide is meant to get buyers set up and shopping for goods and services as quickly as possible. For a detailed overview of the entire client, visit here.

Step One: Personalize your Client

Settings Tab

  1. Click the Settings tab.
  2. Enter a new Nickname for yourself. This is how other users will see you.
  3. If you want a unique image for your avatar, put in a URL for an image in the Avatar URL field.
  4. Input a Bitcoin address that you control into the Bitcoin Receiving Address field. This is where you receive funds from multisig if the notary needs to take action manually.
  5. Click Save.

Step Two: Set Communication Information

  1. Click on the Communication section.
  2. Enter an email address if you want to communicate with other parties via email.
  3. If you have a website that you want displayed, enter the URL in the Your Web Site field.
  4. Enter a Bitmessage address if you want to communicate with other parties via Bitmessage.
  5. Click Save.

Step Three: Create Backup

  1. Click on the Backup section.
  2. Click Create New Backup.

Step Four: Find & Trust a Notary

Trusting a Notary

Notaries are a vital part of OpenBazaar. They are the third key holder in the 2 of 3 multisig, meaning that if there is a dispute between buyer and merchant, only the notary has the power to work with one of the parties to release the funds. As such, it’s important that buyer and merchant trust the notary not to collude with the other party. In beta we recommend smaller transactions until reputable notaries emerge in the market.

When viewing stores on the Home tab, look for users that offer services. This is only visible if the user offers notary services. If they do, it will display their percentage fee, a description of their services, and allow users to select them as notaries by clicking “Make Trusted Notary.” You can also manually add a notary in Settings if you know their GUID (string of letters and numbers under the store name).

Step Five: Find & Purchase Goods or Services

If you click on an item in a store in the Home tab, a new window opens to give more product details, including the product title, price in Bitcoin, product description, cost of shipping and handling, quantity available, the item’s condition, and up to three photos. There is also a “Raw Contract” button which allows users to view the contract details directly.

Clicking on “Order Details” on the bottom left will bring you to a screen that allows you to purchase the product. You can determine the quantity desired, and attach a comment for the merchant to see along with your order. If you haven’t entered your shipping address in Settings already, a red warning will ask you to do so before proceeding. The price for the product and shipping and handling are displayed again.

At the bottom the user needs to input a Bitcoin Address that they control. This will be used in case of a refund.

Once this section is completed, the user selects “Choose a Notary.” A list of online notaries that the user has trusted is displayed. If the user hasn’t trusted any notaries, or if none of those notaries are online, they must choose another notary in order to continue.

The user then completes the order by selecting “Submit Order.” This sends the order to the notary and merchant.

Step Six: Finish the Purchase

When a buyer views “My Purchases” it will display the status of their orders. If they’ve just submitted an order, the status will indicate “Need to Pay” and the buyer needs to open the order to complete payment.

A QR code is displayed which, if scanned, will input the multisignature address and amount. If the user selects “Pay in your Wallet,” it will open a wallet on their device and pull in the same information. Once the payment is completed, the buyer must manually select “Mark as Paid.” This lets the merchant know to ship the item.

If the buyer marked the order as paid, but the merchant didn’t receive this message due to being offline, the buyer can re-open the order and click on “Resend Payment Notice” when the merchant is online.

Once the item has arrived or service is provided, the buyer can then release the funds from multisig by opening the order and selecting “Release Payment to Merchant.” Again, if the merchant didn’t receive this message due to being offline, the buyer can try releasing again when they are online.

Step Seven: Give Feedback

To make this network and client the best it can be, we need your feedback on how to improve. Bug reports are obviously very helpful, but feedback can be about which new features you’d like to see, or changes to the interface, or anything you like. Please submit these ideas by opening up new Github issues or by posting at our Help Desk.

OpenBazaar Threat Model

This blog post outlines the security model and policies of OpenBazaar. It is written for contributors with push access who are asked to review and merge pull requests, external developers who are interested in submitting pull requests, and end-users who are interested in understanding the security model of OpenBazaar. We will also be including this threat model in our project documentation, but we are sharing on our blog first to solicit feedback from our users and security experts in the field.

Every contributor with push access must read this document.

Threat model

OpenBazaar makes important assumptions about the strength of its adversaries. To understand how to properly develop code for OpenBazaar, it is crucial to understand who the adversaries of OpenBazaar can be, what resources they are able to employ, and what their goals are. Furthermore, it is important to understand what the adversaries are not capable of.

Assumed adversaries

Our adversaries can be broadly categorized as 4 different entities:

  1. Malicious users
  2. Malicious corporations
  3. Malicious governments
  4. Malicious developers

Each of these constitutes a separate entity with different resources and different goals. These are explained below.

Malicious users

A malicious user is a user who tries to break the security of OpenBazaar, usually for financial gain. We treat malicious users as game-theoretic agents who are able to invest approximately as much as they would win out of a security breach, as long as their winnings are significantly larger than their losses.

The goal of malicious users is to make money. The two primary ways of making money by breaking the security of OpenBazaar are these:

  • Being able to receive a product without making a proper payment
  • Being able to receive money without delivering a product

As these attacks are financially incentivized, there is no limit as to what capital can be invested in such attacks if it’s possible to earn it back. However, for our purposes, we assume that such attackers are limited to up-front investments of $1,000,000 per year collectively. Thus, they are not able to, for example, break the bitcoin network security, or attack 1024-bit RSA keys.

These attackers are the easiest to model, as they play within the closed OpenBazaar system and can be treated game-theoretically. Generally, in our games, these agents can be assumed to be ε-good, meaning they will not attempt a malicious strategy if there is no financial gain in it. We aim to fully protect users from such malicious actors.

Malicious corporations

Certain corporations may find the OpenBazaar network undesirable and may want to break its security in order to bring it down. Their financial incentive may not be part of the closed OpenBazaar system: They may be able to make profits outside of OpenBazaar by making OpenBazaar unreliable and insecure.

The goals of such agents are the following:

  • Bringing down the majority of OpenBazaar nodes
  • Disrupting the majority of connectivity of the OpenBazaar network
  • Breaking the trust people have in the OpenBazaar network

“Breaking the trust” here means creating arbitrary buyers and sellers that do not follow the expected strategy and default on their payments or shipping.

The incentive for such corporations may be that they are losing money because of competitive sales on the OpenBazaar network.

We currently assume that such corporations are able to spend similar monetary amounts as malicious users to attack the network.

However, malicious corporations cannot be modeled as ε-good, as they wish to cause harm on the network through external incentives. We aim to partially protect our users from such malicious actors, through reputation systems and positive margins in our Nash equilibria that can disincentivize such malicious actors. Reputation systems which require proof-of-burn or similar sybil-resistant schemes help in making these attacks more costly. Webs-of-trust can fully protect careful users from such malicious actors, although great care is required from the user side.

Malicious governments

As the OpenBazaar software can be operated worldwide, malicious governments should be taken into account. Malicious governments may wish to bring the network down for censorship reasons or for legal reasons.

The goals of such agents are similar to the goals of malicious corporations. In addition, a malicious government has the following goals:

  • Unmask the anonymity of an OpenBazaar user
  • Block certain categories of products or individual products from being traded

A malicious government has similar resources as a malicious corporation.

Malicious governments can be categorized into active and passive based on their willingness to interfere with networks. A passive government is unwilling to manipulate data as a man-in-the-middle at the network level, and is only willing to be a passive eavesdropper. An active government is happy to interfere with network traffic by manipulating it.

A passive government has access to these additional resources:

  • They can manipulate the legal framework of their country
  • They can introduce new laws
  • They can issue arbitrary subpoenas and warrants
  • They can issue secret warrants and take decisions in secret courts

An active government has, in addition, access to the following resources:

  • They can sybil-attack the issue of identification documents such as passports
  • They can man-in-the-middle Internet connections within their country (up to the Tor security assumptions)
  • They can break Internet connectivity within their country
  • They can issue arbitrary PKI certificates for HTTPS and TLS protocols

Malicious governments are the hardest adversary to guard against. While our goal is to be able to defend against malicious governments, we are not able to do this currently. Our decentralization efforts are oriented around the idea that basic protection from malicious governments should be possible.

We aim to provide full protection against a passive malicious government, and partial protection against active malicious governments.

On the topic of denial-of-service attacks by breaking network connectivity completely, we do not have a mechanism of defence. We rely on the fact that countries will prefer to keep Internet connectivity for most of their users. Mesh networks can be used to guard against such attacks, but these are beyond the scope of our threat model.

Malicious developers

The last malicious actor is a malicious developer with commit access. These developers are manipulated by one of the above actors through law (secret subpoenas) or bribery in order to achieve their end-goals. Therefore, the goals of a malicious developer are aligned with the goals of those above.

We prefer to list this malicious actor separately, as they have access to a different arsenal of attacks.

In particular, a malicious developer has access to the following resources:

  • They can merge arbitrary pull requests, in effect writing arbitrary code

Our primary means of defence against malicious developers are secure development practices, some of which we explain later in this document.

Security assumptions

We rely on the assumption that certain systems are secure. We make the assumption that the following constituent parts of our system are secure:

  • RSA, ECDSA, SHA256, AES and the rest of the cryptographic primitives used by the software
  • GPG
  • Bitcoin
  • Namecoin
  • Tor (including its assumptions on network monitoring)
  • The browser used by the user
  • The user’s computer
  • Our implementation languages and frameworks (Python, Javascript, Angular)
  • The libraries we rely on which are listed here: https://github.com/OpenBazaar/OpenBazaar/blob/master/requirements.txt

Beta status

OpenBazaar is currently in beta and is facing multiple security issues, in addition to the assumptions above. These issues can cause your transactions to be compromised, your money not to go through or be stolen, or your products not to be delivered, even by attackers with very limited resources. We estimate that an attacker could possibly compromise the system’s security for less than a few thousand dollars. Please be careful when using OpenBazaar at this stage. If you’re using the regular bitcoin network, keep the amounts exchanged low (less than a few hundred dollars). Don’t sell your car on OpenBazaar yet!

For the beta version, we rely on the security of HTTPS and PKI. This is needed, as we rely on pip for securely fetching python packages, which relies on HTTPS. Therefore, an active malicious government is able to interfere with OpenBazaar. The specific assumptions are listed below.

However, we are interested in dropping this requirement for stable versions. We are still unsure of the distribution channels to achieve this.

As part of our beta status, we also rely on a few centralized pieces of infrastructure, all of which we would like to replace with decentralized systems. These are our assumptions for the beta version:

  • PKI is secure. CAs are not compromised or government-controlled.
  • HTTPS is secure.
  • The operators of seed servers are not interested in performing denial-of-service attacks.
  • Obelisk and the official obelisk servers are secure and their owners not malicious.
  • The official DNSChain servers are secure and their owners not malicious.

The last two requirements are strong. A user who is concerned with these last points can lift these requirements by running their own Obelisk server or using a trusted Obelisk server, which requires maintaining a bitcoin blockchain copy, and their own DNSChain server, which requires maintaining a namecoin blockchain copy. We have plans to use SPV systems as a replacement for these.

We may introduce additional points of centralization for future beta versions in order to create a working product, which we plan to lift later.

As part of our Beta status, we do not currently employ any anonymity-preserving mechanisms. All transactions are completely trackable. Therefore, malicious governments with the goal of uncovering your identity will succeed trivially.

Development infrastructure

We also rely on certain pieces of centralized infrastructure for development. We assume that the following services, which we use for development, are secure and have no malicious operators:

  • GitHub
  • Slack
  • Gmail

We also rely on OTR and GPG for secure development-related communications.

Development process

In order to guard against actors such as malicious developers, we are publishing all of the source code of OpenBazaar as open source under the MIT license. We encourage security experts to audit our code for security vulnerabilities. Don’t take our word on the security of OpenBazaar; inspect the code yourself. Don’t trust the OpenBazaar developers. While we’re doing our best to provide secure software, the reason it’s open source is so that it can be reviewed and audited.

Our development process is transparent and security-oriented. We follow certain contributing guidelines which require code reviews and follow proper release cycles. The details of our contributing procedures can be found in the CONTRIBUTING document. We don’t just make our code open source. Our reviews and commit history are also available for inspection, so that differential audits are possible.

We GPG-sign our releases with contributor keys in the strong GPG set. Currently, Dionysis Zindros signs releases. The signature signifies that the release maintainer believes the source code to be secure at the time of release, and that it was intentionally released by the team, without backdoors or intentional vulnerabilities as far as we know. These signatures are hard to fake by someone who wishes to introduce backdoors in the future. If you require strong security, do not run releases that have not been GPG-signed, or manually inspect the code. Otherwise, at least make sure your binaries and sources are downloaded via HTTPS.

Our decision-making procedure is transparent too. We use 2-of-4 multisig decision-making for financial decisions. The details of our transparency in decision making can be found in our transparency post.

Some of our commits are GPG-signed. The GPG-signed commits signify that:

  • The code introduced in the commit is believed to be secure by the signer
  • The parent of the commit is the currently available branch to the signer

Please note that signing a commit, contrary to popular belief, does not indicate that all the previous commits have been checked by the committer. It only indicates that the code in that particular commit really was written by the person who signed it, and nothing more.

It is very easy to introduce fake commits on git and GitHub, using usernames and e-mails of existing contributors. Therefore, we prefer signing individual commits instead of tagging and signing only occasionally to show a full good history. It’s impractical to create a tag for every commit one creates.
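The two points above (a signature covers only its own commit, and the author field can be set by anyone) can be checked mechanically. The following is an added example, not part of the OpenBazaar code base: it audits the output of git log for commits that carry a contributor's e-mail without that contributor's signature. The e-mail addresses, key IDs and commit names are constructed placeholders.

```python
# Added example: input is the output of
#   git log --format='%H|%G?|%GK|%ae'
# %G? is git's signature status (G good, B bad, N none, E key missing, ...)
# and %GK is the ID of the key that made the signature.

# Assumption: e-mail -> key ID the reviewer verified out of band (placeholders).
TRUSTED_KEYS = {
    "alice@example.org": "AAAAAAAAAAAAAAAA",
    "bob@example.org": "BBBBBBBBBBBBBBBB",
}

# Constructed sample, newest first; every line below the first is an ancestor of it.
SAMPLE_LOG = """\
c4|G|AAAAAAAAAAAAAAAA|alice@example.org
c3|N||alice@example.org
c2|G|CCCCCCCCCCCCCCCC|bob@example.org
c1|G|BBBBBBBBBBBBBBBB|bob@example.org
c0|N||carol@example.org
"""

def classify(status, key, email, trusted=TRUSTED_KEYS):
    """Return a verdict for one commit; the author e-mail alone proves nothing."""
    if status == "N":
        # Unsigned commit carrying a signer's identity: anyone could have set that field.
        return "unsigned-claims-signer" if email in trusted else "unsigned"
    if status == "G" and trusted.get(email) == key:
        return "verified"
    # Bad, expired, revoked or unknown-key signatures, or a good one by the wrong key.
    return "untrusted-signature"

def audit(log_text, trusted=TRUSTED_KEYS):
    """Map each commit hash to its verdict, preserving log order."""
    verdicts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        commit, status, key, email = line.strip().split("|", 3)
        verdicts[commit] = classify(status, key, email.lower(), trusted)
    return verdicts

def unverified_ancestors(log_text, trusted=TRUSTED_KEYS):
    """Commits reachable from the tip that the tip's own signature does not vouch for."""
    verdicts = audit(log_text, trusted)
    return [c for c in list(verdicts)[1:] if verdicts[c] != "verified"]

if __name__ == "__main__":
    for commit, verdict in audit(SAMPLE_LOG).items():
        print(commit, verdict)
    print("not covered by the signed tip:", unverified_ancestors(SAMPLE_LOG))
```

In the sample, the tip c4 is properly signed, yet three of its ancestors are not verified, including c3, which names a signing contributor as author but carries no signature.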
