Anyone tried installing OpenBazaar-client already?

Does it run fine and do you see any potential risk in running it in whonix-workstation?
It will just talk to openbazaar-server on another computer over SSL but still I like to make extra sure when installing anything new.

It’s in Beta so you’re probably in uncharted territory among most Whonix users.

Bitcoin always has risks. Anonymous Money
Your IP will stay anonymous from any known, published attacks against Tor.

When you publish that listing, it is sent out to the distributed p2p network of other people using OpenBazaar.

Sounds like you’ll be making many more connections than just a client-server approach. (similar to torrenting)

Don’t forget:

The server will be in p2p network for sure.
But i’m talking to it from openbazaar-client which is running from whonix-workstation

The OpenBazaar team recently posted that they are working on Tor support:

1 Like

Gotcha. Then your main vulnerabilities will be physical attacks against your VPS (assuming it’s located offsite) and weaknesses in openbazaar’s protocol.

Also, give the client a dedicated SocksPort, especially if you’ll keep it running for long periods.

Yes. But I’m mostly concerned about the client part that will be running on whonix.
VPS will be visible and vulnerable but that is ok.

I guess I’ll just have to run the client and see.
Is there a way to limit the openbazaar-client access to other parts of the OS?

Apparmor. AppArmor. Profile is DIY.

Firejail (testing). firejail / seccomp / More Options for Program Containment

And if I run it just out of the box on workstation on the default user which has sudo rights?
What it can do to the rest of the system?

As far as I know it uses node.js and chrome v8 engine or something. So basically a browser.

Given enough vulnerabilities, anything it wants.

Sorry for being facetious but no one can address as-yet undiscovered zero-days. If user permissions were all that mattered, *nix would have solved security from the get-go.

It’s open-source and all, so highly unlikely that it’s malicious but if you’re concerned, you can try AppArmor. It’s seriously annoying but it’s for your own good as they say.

Working with AppArmor generally involves:

  1. enable in Whonix: AppArmor
  2. generate profile: (easy)
  3. spend hours figuring out what all the f*(@&(*@ error messages mean…

Or just let it trash its own dedicated VM and hope that it’s not going to attempt a VM breakout. (again, highly unlikely)

1 Like