From 6727c3087307c00f39f7f618f7fb1a42326595573a57d775c2da2f7ae91a6492 Mon Sep 17 00:00:00 2001 From: Nicholas Johnson Date: Thu, 28 Apr 2022 00:00:00 +0000 Subject: Initial commit --- content/post/oxen-security-fail.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 content/post/oxen-security-fail.md (limited to 'content/post/oxen-security-fail.md') diff --git a/content/post/oxen-security-fail.md b/content/post/oxen-security-fail.md new file mode 100644 index 0000000..0ab06d0 --- /dev/null +++ b/content/post/oxen-security-fail.md 
@@ -0,0 +1,24 @@ +--- +title: "Oxen Security Fail" +date: 2021-09-28T00:00:00 +draft: false +--- +Lately I've been doing research on the Oxen Privacy Tech Foundation and their various projects. On 19 September while looking at Session, I noticed getsession.org was missing the Strict-Transport-Security header[1]. So I decided to also check the security headers for oxen.io[2], lokinet.org[3], and optf.ngo[4] and what do you know, they're also missing HTTP security headers. + +The download links for each project are all vulnerable to network-level man-in-the-middle attacks[5]. They also load external resources with no CSP header. They're all missing X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and a Permissions-Policy. This is the web security equivalent of leaving your front door open. + +When I noticed the lack of security headers on getsession.org, I emailed support@getsession.org informing them of the issue the same day. Over a week later, it's still not fixed and I have no response. How long has their website been insecure like this? I'm left wondering whether I should take OPTF and their work seriously. How can crypto projects focused primarily on privacy and security overlook basic web security? OPTF has some explaining to do. + +Their sites may have other security vulnerabilities I'm unaware of. I'm no web pentester and I have no interest in pursuing it further. I may ask a pentester friend of mine to look into it for me. I'm going to contact OPTF directly through their contact form[6] about what all I've already found. I'll update this entry later once they respond. + +# Update (2021-10-02): +I received a response the same day I contacted the OPTF. They let me know my original email to Session went to spam which is why they didn't see it. It probably got filtered because I put "URGENT" in the subject line. The issue was resolved by the next day and the CTO (Kee Jefferys) thanked me for the feedback. 
+ + +Link(s): +[1: getsession.org security headers](https://securityheaders.com/?q=https%3A%2F%2Fgetsession.org&followRedirects=on) +[2: oxen.io security headers](https://securityheaders.com/?q=https%3A%2F%2Foxen.io&followRedirects=on) +[3: lokinet.org security headers](https://securityheaders.com/?q=https%3A%2F%2Flokinet.org&followRedirects=on) +[4: optf.ngo security headers](https://securityheaders.com/?q=https%3A%2F%2Foptf.ngo&followRedirects=on) +[5: man-in-the-middle attack](https://wikiless.org/wiki/Man-in-the-middle_attack) +[6: optf.ngo contact form](https://optf.ngo/contact-us/) -- cgit v1.2.3
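Review bot: The footnote links [1] through [4] point at live securityheaders.com scans, and since the Update paragraph states the headers were fixed by the next day, those links no longer show the missing-header state the post describes; record the observed result in the text (which headers were absent at the time, and the date) or link an archived snapshot so the evidence survives the fix. On style, `# Update (2021-10-02):` is a level-1 heading with a trailing colon inside a post whose title is already set in the front matter; `## Update (2021-10-02)` would sit under the page title rather than beside it.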