author: Nicholas Johnson <nick@nicholasjohnson.ch> 2023-02-15 00:00:00 +0000
committer: Nicholas Johnson <nick@nicholasjohnson.ch> 2023-02-15 00:00:00 +0000
commit: 5c6764de2de54de8e69363902b522c147561e1337aa233d3be113ea67082eea2 (patch)
tree: 67c0fc6227022967cbf20f2b387baaaad6af0fa8a0e9d1213c0555c568410ff4 /content/entry
parent: e0ed478fb9b16000874dc7ce6d893f6370155b712059e80b708e81077740c9e7 (diff)
Convert refs: oxen-security-fail
Diffstat (limited to 'content/entry')
-rw-r--r-- content/entry/oxen-security-fail.md 16
1 file changed, 3 insertions, 13 deletions
diff --git a/content/entry/oxen-security-fail.md b/content/entry/oxen-security-fail.md
index 60146c4..5ad80a0 100644
--- a/content/entry/oxen-security-fail.md
+++ b/content/entry/oxen-security-fail.md
@@ -2,24 +2,14 @@
title: "Oxen Security Fail"
date: 2021-09-28T00:00:00
draft: false
-makerefs: false
---
-Lately I've been doing research on the Oxen Privacy Tech Foundation and their various projects. On 19 September while looking at Session, I noticed getsession.org was missing the Strict-Transport-Security header[1]. So I decided to also check the security headers for oxen.io[2], lokinet.org[3], and optf.ngo[4] and what do you know, they're also missing HTTP security headers.
+Lately I've been doing research on the Oxen Privacy Tech Foundation and their various projects. On 19 September while looking at Session, I noticed getsession.org was missing the [Strict-Transport-Security header](https://securityheaders.com/?q=https%3A%2F%2Fgetsession.org&followRedirects=on). So I decided to also check the security headers for [oxen.io](https://securityheaders.com/?q=https%3A%2F%2Foxen.io&followRedirects=on), [lokinet.org](https://securityheaders.com/?q=https%3A%2F%2Flokinet.org&followRedirects=on), and [optf.ngo](https://securityheaders.com/?q=https%3A%2F%2Foptf.ngo&followRedirects=on) and what do you know, they're also missing HTTP security headers.
-The download links for each project are all vulnerable to network-level man-in-the-middle attacks[5]. They also load external resources with no CSP header. They're all missing X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and a Permissions-Policy. This is the web security equivalent of leaving your front door open.
+The download links for each project are all vulnerable to network-level [man-in-the-middle attacks](https://www.wikipedia.org/wiki/Man-in-the-middle_attack). They also load external resources with no CSP header. They're all missing X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and a Permissions-Policy. This is the web security equivalent of leaving your front door open.
When I noticed the lack of security headers on getsession.org, I emailed support@getsession.org informing them of the issue the same day. Over a week later, it's still not fixed and I have no response. How long has their website been insecure like this? I'm left wondering whether I should take OPTF and their work seriously. How can crypto projects focused primarily on privacy and security overlook basic web security? OPTF has some explaining to do.
-Their sites may have other security vulnerabilities I'm unaware of. I'm no web pentester and I have no interest in pursuing it further. I may ask a pen tester friend of mine to look into it for me. I'm going to contact OPTF directly through their contact form[6] about what all I've already found. I'll update this entry later once they respond.
+Their sites may have other security vulnerabilities I'm unaware of. I'm no web pentester and I have no interest in pursuing it further. I may ask a pen tester friend of mine to look into it for me. I'm going to contact OPTF directly through their [contact form](https://optf.ngo/contact-us/) about what all I've already found. I'll update this entry later once they respond.
# Update (2021-10-02):
I received a response the same day I contacted the OPTF. They let me know my original email to Session went to spam which is why they didn't see it. It probably got filtered because I put "URGENT" in the subject line. The issue was resolved by the next day and the CTO (Kee Jefferys) thanked me for the feedback.
-
-
-Link(s):
-[1: getsession.org security headers](https://securityheaders.com/?q=https%3A%2F%2Fgetsession.org&followRedirects=on)
-[2: oxen.io security headers](https://securityheaders.com/?q=https%3A%2F%2Foxen.io&followRedirects=on)
-[3: lokinet.org security headers](https://securityheaders.com/?q=https%3A%2F%2Flokinet.org&followRedirects=on)
-[4: optf.ngo security headers](https://securityheaders.com/?q=https%3A%2F%2Foptf.ngo&followRedirects=on)
-[5: man-in-the-middle attack](https://www.wikipedia.org/wiki/Man-in-the-middle_attack)
-[6: optf.ngo contact form](https://optf.ngo/contact-us/)
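Review bot: the securityheaders.com URLs inlined on the `+Lately I've been doing research...` line are live scans, and the unchanged "Update (2021-10-02)" paragraph in this same hunk says the headers were fixed the next day, so a reader who follows those links now sees a passing result rather than the missing headers the sentence describes; consider adding the scan date to the link text (e.g. "as scanned on 19 September 2021") or pointing at an archived snapshot so the evidence matches the claim. Minor: the man-in-the-middle link on the `+The download links for each project...` line uses the `https://www.wikipedia.org/wiki/...` portal host, which only resolves via a redirect; `https://en.wikipedia.org/wiki/Man-in-the-middle_attack` is the canonical form. Dropping `makerefs: false` from the front matter is consistent with removing the numbered "Link(s):" list, since every reference is now inline.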