Title: Security Standards in the Crypto Community Sites (or the lack of them sometimes)
Post by: logosobscura on February 01, 2018, 12:28:36 AM
Something has been bothering me. So, we're all really aware of the number of hacks, attacks and thefts from Exchanges & Online Wallets across the crypto scene, and you'd think that, considering that cryptocurrency is crypto first and a currency second, the larger names would have a clue about digital security on the net. But it's pretty clear they don't. A basic, and personally I consider mandatory, set of security measures to have in place when you're setting up a web frontend is the security headers- they stop a lot of common attacks (Cross Site Scripting, preventing framing of a site to stop masquerading & keylogging, enforcing HTTPS, enforcing cross-origin, etc)- and they're pretty much default in high risk sectors like Financial Services or even the big Social Network sites- and it only requires setting a few simple header values. It turns out a lot of them don't even do this basic thing, and then people end up getting screwed. This site (https://securityheaders.io) was set up by a guy who was frustrated at the lack of Security Headers on a lot of e-commerce sites, so he came up with a really simple grading system based on whether sites have implemented adequate protection, and explains what each header does (NOTE: I don't know the guy, but the site is legit from a Security and Computer Science perspective). So, with that in mind, I decided to check some of the bigger names in Crypto. The results were:

Site | Grade | Notes
GDax (https://MyEtherWallet.com) | A+ Grade (https://securityheaders.io/?q=www.gdax.com&followRedirects=on) | The best score here and best score possible.
Kraken (https://www.kraken.com/) | A Grade (https://securityheaders.io/?q=https%3A%2F%2Fwww.kraken.com%2F&followRedirects=on) | Only thing they haven't set is the Referrer Policy- which means it potentially could leak data to another site on navigation away. Otherwise, excellent work.
BitcoinTalk (https://BitcoinTalk.org) | B Grade (https://securityheaders.io/?q=bitcointalk.org&followRedirects=on) | For a forum, this is fine, but a Referrer Policy would be a nice to have.
Cex.io (https://Cex.io) | C Grade (https://securityheaders.io/?q=https%3A%2F%2FCex.io%2F&followRedirects=on) | No STS, no CSP, no Referrer Policy- means HTTPS can potentially be circumvented, XSS is still possible and could leak information on navigation away.
Bittrex (https://www.bittrex.com/) | E Grade (https://securityheaders.io/?q=bittrex.com) | Have at least set X-Frame-Options, but still vulnerable to an XSS attack, has no CSP, and can sniff content types- not good.
ShapeShift (https://shapeshift.io) | D Grade (https://securityheaders.io/?q=https://securityheaders.io/?q=https%3A%2F%2Fshapeshift.io&followRedirects=on) | Have at least set X-Frame-Options, have set the X-XSS-Protection header but are still vulnerable to some XSS edge cases, has no CSP, and can sniff content types.
Poloniex (https://poloniex.com) | C Grade (https://securityheaders.io/?q=poloniex.com&followRedirects=on) |
Coinbase (https://coinbase.com) | A Grade (https://securityheaders.io/?q=https%3A%2F%2Fcoinbase.com%2F&followRedirects=on) | Only reason it's not an A+ is that it uses 'unsafe-inline' in their CSP, which isn't recommended but would require someone compromising their source.
LocalBitcoin (https://LocalBitcoin.com) | C Grade (https://securityheaders.io/?q=LocalBitcoin.com&followRedirects=on) |
Gemini (https://Gemini.com) | D Grade (https://securityheaders.io/?q=Gemini.com&followRedirects=on) | Seems that the Winklevoss twins can get licensed, but not set some pretty basic Security Headers. At least they have STS enabled.
Blockchain.info (https://Blockchain.info) | B Grade (https://securityheaders.io/?q=blockchain.info&followRedirects=on) | Mainly good, but could do with the Referrer Policy to not leak data about what you've been doing on their site.
MyEtherWallet (https://MyEtherWallet.com) | F Grade (https://securityheaders.io/?q=myetherwallet.com&followRedirects=on) | Literally doing nothing. Solution for the problem (move the hosting to Netlify and set headers- $0 cost) suggested to them 1 month ago. Great project, but the hosting really undermines it.
To give a comparison, these are the results for some of the bigger banks & sites on the net:

Site | Grade | Notes
Chase (JPMC) (https://chase.com) | A Grade (https://securityheaders.io/?q=chase.com&followRedirects=on) |
Facebook (https://facebook.com) | A Grade (https://securityheaders.io/?q=facebook.com&followRedirects=on) |
Wells Fargo (https://www.wellsfargo.com) | B Grade (https://securityheaders.io/?q=www.wellsfargo.com&followRedirects=on) | Good, not perfect, but good.
HSBC (https://hsbc.co.uk) | C Grade (https://securityheaders.io/?q=hsbc.co.uk&followRedirects=on) | Not great, but there is worse...
Bank of America (https://bankofamerica.com) | D Grade (https://securityheaders.io/?q=bankofamerica.com&followRedirects=on) | ... LOL
Twitter (https://twitter.com) | A Grade (https://securityheaders.io/?q=twitter.com&followRedirects=on) |

Considering the money on the line, am I alone in thinking this needs to get better, quickly? I'm really interested in everyone's thoughts- including any of the site owners.
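The post above talks about the headers a site should set and the issues the grading flagged (missing STS, CSP, Referrer Policy, content-type sniffing, 'unsafe-inline' in a CSP). The following is an added example, not code from the post or from securityheaders.io, that checks a set of response headers for those same protections and assigns a letter grade. The grading scale is my own simple approximation and is not the scale securityheaders.io uses; the sample header sets are constructed for the example.

```python
"""Check HTTP response headers for the protections discussed in the thread."""
import urllib.request
from typing import Dict, List

# Header the post discusses -> what is exposed when it is absent.
EXPECTED = {
    "strict-transport-security": "HTTPS can be circumvented on a plain-HTTP visit",
    "content-security-policy": "no restriction on script/resource origins (XSS)",
    "x-frame-options": "page can be framed (clickjacking / UI masquerading)",
    "x-content-type-options": "browser may sniff content types",
    "referrer-policy": "full URL may leak to another site on navigation away",
    "x-xss-protection": "legacy browser XSS filter not requested",
}

# My own approximation of a grade ladder (assumption, not securityheaders.io's scale):
# index = number of missing headers, capped at F.
GRADES = ["A", "B", "C", "D", "E", "F"]


def normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare them lower-cased."""
    return {k.lower().strip(): v.strip() for k, v in headers.items()}


def find_issues(headers: Dict[str, str]) -> List[str]:
    """Return a human-readable list of weaknesses found in the header set."""
    h = normalise(headers)
    issues = [f"missing {name}: {why}" for name, why in EXPECTED.items() if name not in h]
    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp:
        issues.append("csp allows 'unsafe-inline': injected inline script would still run")
    hsts = h.get("strict-transport-security", "").replace(" ", "")
    if hsts and "max-age=0" in hsts:
        issues.append("hsts max-age=0 switches the policy off")
    return issues


def grade(headers: Dict[str, str]) -> str:
    """A+ only when every header is present and no weakness was found."""
    h = normalise(headers)
    missing = [name for name in EXPECTED if name not in h]
    if not missing and not find_issues(headers):
        return "A+"
    return GRADES[min(len(missing), len(GRADES) - 1)]


def fetch_headers(url: str) -> Dict[str, str]:
    """Live check: HEAD the URL (redirects followed by urllib) and return its headers."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-check/0.1"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # network access needed
        return dict(resp.headers)


# Constructed sample header sets (not captured from any real site).
STRONG = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-XSS-Protection": "1; mode=block",
}
NO_REFERRER_POLICY = {k: v for k, v in STRONG.items() if k != "Referrer-Policy"}
INLINE_CSP = dict(STRONG, **{"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"})
NOTHING_SET: Dict[str, str] = {}

if __name__ == "__main__":
    for label, hdrs in [("strong", STRONG), ("no referrer policy", NO_REFERRER_POLICY),
                        ("unsafe-inline csp", INLINE_CSP), ("nothing set", NOTHING_SET)]:
        print(f"{label}: {grade(hdrs)}")
        for issue in find_issues(hdrs):
            print("  -", issue)
```

Running the script prints a grade and the list of findings for each constructed set; `fetch_headers` can be pointed at a site you operate to feed real headers into the same checks.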
Title: Re: Security Standards in the Crypto Community Sites (or the lack of them sometimes)
Post by: LeGaulois on February 01, 2018, 12:55:40 AM
Grade F is still better than maybe 50% of the websites online on the www :-X
Title: Re: Security Standards in the Crypto Community Sites (or the lack of them sometimes)
Post by: logosobscura on February 01, 2018, 01:34:53 AM
Grade F is still better than maybe 50% of the websites online on the www :-X
True- but those sites aren't handling money (and if they are, I certainly won't use them). Given the immutable nature of crypto transactions, base security is pretty key- and it's not there as a common practice. It's not exactly hard either- it's a few headers and a bit of testing. My own site gets A+, and it took no work whatsoever beyond getting hashes of the JavaScript running on the page and specifying any external sources for images, scripts, etc- an added bonus is that I know if anyone changes anything that could hurt our site.
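The reply above describes the approach of hashing the page's inline scripts and listing external sources in the CSP, so that any change to a script no longer matches the policy. The following is an added example of that technique, not the poster's own code: it extracts inline scripts from an HTML page, emits the `'sha256-...'` source expressions a browser expects, builds a policy around them, and checks a page against a policy. The page markup is constructed for the example, and `cdn.example` is a placeholder host.

```python
"""Build a hash-based Content-Security-Policy for a page's inline scripts."""
import base64
import hashlib
import re
from typing import Iterable, List

# Inline <script> elements only: the lookahead rejects tags carrying a src attribute.
SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.S | re.I)


def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP source expression for a script body, e.g. 'sha256-<base64>'.

    Browsers hash the exact text between the tags, whitespace included, so the
    body must be passed untouched."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_scripts(html: str) -> List[str]:
    return SCRIPT_RE.findall(html)


def build_policy(html: str, external_script_hosts: Iterable[str] = ()) -> str:
    """Policy that allows same-origin resources, the listed script hosts and
    only the inline scripts present in the page right now."""
    hashes = [csp_hash(body) for body in inline_scripts(html)]
    script_src = " ".join(["'self'", *external_script_hosts, *hashes])
    return (
        "default-src 'self'; "
        f"script-src {script_src}; "
        "img-src 'self' data:; "
        "object-src 'none'; "
        "base-uri 'self'; "
        "frame-ancestors 'none'"
    )


def scripts_allowed(policy: str, html: str) -> bool:
    """True if every inline script in the page has a matching hash in the policy.

    A modified or injected inline script produces a different hash and fails."""
    allowed = set(re.findall(r"'sha(?:256|384|512)-[^']+'", policy))
    return all(csp_hash(body) in allowed for body in inline_scripts(html))


# Constructed sample page (not from any real site).
PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>window.appConfig = {apiBase: "/api"};</script>
</head><body><script type="text/javascript">console.log('ready');</script></body></html>"""

POLICY = build_policy(PAGE, external_script_hosts=["https://cdn.example"])  # placeholder host

if __name__ == "__main__":
    print("Content-Security-Policy:", POLICY)
    print("original page allowed:", scripts_allowed(POLICY, PAGE))
    tampered = PAGE.replace("console.log('ready');", "console.log('changed');")
    print("tampered page allowed:", scripts_allowed(POLICY, tampered))
```

Deploying this means regenerating the policy whenever an inline script legitimately changes; that is exactly the property the reply values, since an unexpected change shows up as a blocked script rather than running silently.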