Bitcoin Forum

Other => Serious discussion => Topic started by: logosobscura on February 01, 2018, 12:28:36 AM



Title: Security Standards in the Crypto Community Sites (or the lack of them sometimes)
Post by: logosobscura on February 01, 2018, 12:28:36 AM
Something has been bothering me. So, we're all really aware of the number of hacks, attacks and thefts from Exchanges & Online Wallets across the crypto scene, and you'd think that considering that cryptocurrency is crypto first, a currency second that the larger names would have a clue about digital security on the net. But, it's pretty clear they don't.

A basic, and personally I consider mandatory, set of security settings to ensure are in place when you're setting up a web frontend is the security headers- it stops a lot of common attacks (Cross Site Scripting, preventing Framing a site to stop masquerading & keylogging, enforcing HTTPS, enforcing cross-origin, etc)- and it's pretty much default in high risk sectors like Financial Services or even the big Social Network sites- and it only requires setting a few simple header values. It turns out, a lot of them don't even do this basic thing and then people end up getting screwed.

This site (https://securityheaders.io) was set up by a guy who was frustrated at the lack of Security Headers on a lot of e-commerce sites, so he came up with a really simple grading system based on whether sites have implemented adequate protection, and explains what each header does (NOTE: don't know the guy, but the site is legit from a Security and Computer Science perspective).

So, with that in mind, I decided to check some of the bigger names in Crypto. The results were:

Site | Grade | Notes
GDax (https://MyEtherWallet.com) | A+ Grade (https://securityheaders.io/?q=www.gdax.com&followRedirects=on) | The best score here and best score possible.
Kraken (https://www.kraken.com/) | A Grade (https://securityheaders.io/?q=https%3A%2F%2Fwww.kraken.com%2F&followRedirects=on) | Only thing they haven't set is the Referrer Policy- which means it potentially could leak data to another site on navigation away. Otherwise, excellent work.
BitcoinTalk (https://BitcoinTalk.org) | B Grade (https://securityheaders.io/?q=bitcointalk.org&followRedirects=on) | For a forum, this is fine, but a Referrer Policy would be a nice to have.
Cex.io (https://Cex.io) | C Grade (https://securityheaders.io/?q=https%3A%2F%2FCex.io%2F&followRedirects=on) | No STS, no CSP, no Referrer Policy- means HTTPS can potentially be circumvented, XSS is still possible and could leak information on navigation away.
Bittrex (https://www.bittrex.com/) | E Grade (https://securityheaders.io/?q=bittrex.com) | Have at least set X-Frame-Options, but still vulnerable to an XSS attack, has no CSP, and can sniff content types- not good
ShapeShift (https://shapeshift.io) | D Grade (https://securityheaders.io/?q=https://securityheaders.io/?q=https%3A%2F%2Fshapeshift.io&followRedirects=on) | Have at least set X-Frame-Options, have set the X-XSS-Protection header but are still vulnerable to some XSS edge cases, has no CSP, and can sniff content types.
Poloniex (https://poloniex.com) | C Grade (https://securityheaders.io/?q=poloniex.com&followRedirects=on) |
Coinbase (https://coinbase.com) | A Grade (https://securityheaders.io/?q=https%3A%2F%2Fcoinbase.com%2F&followRedirects=on) | Only reason it's not an A+ is that it uses 'unsafe-inline' in their CSP which isn't recommended but would require someone compromising their source.
LocalBitcoin (https://LocalBitcoin.com) | C Grade (https://securityheaders.io/?q=LocalBitcoin.com&followRedirects=on) |
Gemini (https://Gemini.com) | D Grade (https://securityheaders.io/?q=Gemini.com&followRedirects=on) | Seems that the Winklevoss twins can get licensed, but not set some pretty basic Security Headers. At least they have STS enabled.
Blockchain.info (https://Blockchain.info) | B Grade (https://securityheaders.io/?q=blockchain.info&followRedirects=on) | Mainly good, but could do with the Referrer Policy to not leak data about what you've been doing on their site.
MyEtherWallet (https://MyEtherWallet.com) | F Grade (https://securityheaders.io/?q=myetherwallet.com&followRedirects=on) | Literally doing nothing. Solution for the problem (move the hosting to Netlify and set headers- $0 cost) suggested to them 1 month ago. Great project, but the hosting really undermines it.


To give a comparison, this is the results for some of the bigger banks & sites on the net:

Site | Grade | Notes
Chase (JPMC) (https://chase.com) | A Grade (https://securityheaders.io/?q=chase.com&followRedirects=on) |
Facebook (https://facebook.com) | A Grade (https://securityheaders.io/?q=facebook.com&followRedirects=on) |
Wells Fargo (https://www.wellsfargo.com) | B Grade (https://securityheaders.io/?q=www.wellsfargo.com&followRedirects=on) | Good, not perfect, but good.
HSBC (https://hsbc.co.uk) | C Grade (https://securityheaders.io/?q=hsbc.co.uk&followRedirects=on) | Not great but there is worse...
Bank of America (https://bankofamerica.com) | D Grade (https://securityheaders.io/?q=bankofamerica.com&followRedirects=on) | ... LOL
Twitter (https://twitter.com) | A Grade (https://securityheaders.io/?q=twitter.com&followRedirects=on) |

Considering the money on the line, am I alone in thinking this needs to get better, quickly?

I'm really interested in everyone's thoughts- including any of the site owners.
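The post above grades sites on which security headers they send. The script below is an added example, not part of the original post and not securityheaders.io's grading code: it audits a dict of response headers for the headers the post names (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, X-XSS-Protection), flags the 'unsafe-inline' CSP case mentioned for Coinbase, and maps a score to a letter grade. The weights, thresholds and sample header sets are assumptions constructed for the example.

```python
"""Added example: a minimal security-header audit in the spirit of the
securityheaders.io check described in the post. It is NOT that site's
grading algorithm; the header set, weights and letter-grade thresholds
are assumptions made for this example."""
import re
from typing import Dict, List, Tuple

# Header name -> (weight, what its absence means). Weights are assumed.
EXPECTED = {
    "strict-transport-security": (2, "HTTPS not enforced; a downgrade to plain HTTP is possible"),
    "content-security-policy":   (2, "no restriction on script/resource origins; XSS unmitigated"),
    "x-frame-options":           (1, "page can be framed (clickjacking / keylogging overlays)"),
    "x-content-type-options":    (1, "browsers may MIME-sniff responses"),
    "referrer-policy":           (1, "full URL may leak to sites you navigate to"),
    "x-xss-protection":          (1, "legacy browser XSS filter not enabled"),
}
ONE_YEAR = 31536000
# (minimum score, grade); anything below the last threshold is an F. Assumed scale.
GRADES = [(8, "A+"), (7, "A"), (6, "B"), (5, "C"), (4, "D"), (3, "E")]


def audit(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Grade one response's headers (names compared case-insensitively)
    and return (grade, list of findings)."""
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}
    score, findings = 0, []

    for name, (weight, consequence) in EXPECTED.items():
        if name in h:
            score += weight
        else:
            findings.append(f"missing {name}: {consequence}")

    # A CSP that allows 'unsafe-inline' still lets injected inline script run.
    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp:
        score -= 1
        findings.append("CSP allows 'unsafe-inline': injected inline script still executes")

    # HSTS with a short max-age gives only brief protection against downgrade.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (m is None or int(m.group(1)) < ONE_YEAR):
        findings.append("HSTS max-age is below one year or absent")

    grade = next((g for threshold, g in GRADES if score >= threshold), "F")
    return grade, findings


# Constructed sample header sets (not captures from any real site).
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-XSS-Protection": "1; mode=block",
}
# Same set, but the CSP permits inline script (the "A rather than A+" case in the post).
INLINE_CSP = {**HARDENED,
              "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
# A front end sending no security headers at all.
BARE = {"Content-Type": "text/html; charset=utf-8", "Server": "nginx"}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("inline csp", INLINE_CSP), ("bare", BARE)):
        grade, findings = audit(hdrs)
        print(f"{label:>10}: {grade}")
        for finding in findings:
            print(f"            - {finding}")
```

Run against the three constructed sets it returns A+ with no findings, A with the 'unsafe-inline' finding, and F with one finding per missing header; to audit a live site you would feed it the headers from a real response rather than these constructed dicts.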


Title: Re: Security Standards in the Crypto Community Sites (or the lack of them sometimes)
Post by: LeGaulois on February 01, 2018, 12:55:40 AM
Grade F is still better than maybe 50% of the websites online on the www :-X


Title: Re: Security Standards in the Crypto Community Sites (or the lack of them sometimes)
Post by: logosobscura on February 01, 2018, 01:34:53 AM
Grade F is still better than maybe 50% of the websites online on the www :-X

True- but those sites aren't handling money (and if they are, I certainly won't use them). Given the immutable nature of crypto transactions, base security is pretty key- and it's not there as a common practice. It's not exactly hard either- it's a few headers, and a bit of testing- My own site gets A+, and it took no work whatsoever beyond getting hashes of the Javascripts running on the page, and specifying any external sources for images, scripts, etc- added bonus is that I know if anyone changes anything that could hurt our site.
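The reply above describes getting an A+ by hashing the scripts on the page and listing the external sources for images and scripts. As an added example (not the author's site configuration and not code from the original thread), the script below computes the CSP hash source for each inline script in a page, assembles a policy that names the allowed hosts, and re-checks a page against that policy so that an edited script shows up as unlisted, which is the "I know if anyone changes anything" bonus the reply mentions. The sample page and the cdn.example.com / img.example.com hosts are placeholders constructed for the example.

```python
"""Added example (not the author's site code): generate CSP hash sources for
the inline scripts in a page, assemble a policy, and re-check a page against
that policy so any change to a script is flagged. Host names are placeholders."""
import base64
import hashlib
import re
from typing import List

# Inline <script> blocks only; tags carrying src= are external and are
# allowed by host in script-src instead of by hash.
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>",
                              re.DOTALL | re.IGNORECASE)


def csp_hash(script_body: str, algo: str = "sha256") -> str:
    """CSP source expression for one inline script body, e.g. 'sha256-<base64>'.
    The hash covers the exact text between <script> and </script>, whitespace included."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_scripts(html: str) -> List[str]:
    """Bodies of all inline <script> elements in the page, in document order."""
    return INLINE_SCRIPT_RE.findall(html)


def build_csp(html: str, script_hosts=(), img_hosts=()) -> str:
    """Assemble a policy: same-origin plus the named hosts, plus one hash per inline script."""
    hashes = [csp_hash(body) for body in inline_scripts(html)]
    script_src = " ".join(["'self'", *script_hosts, *hashes])
    img_src = " ".join(["'self'", "data:", *img_hosts])
    return (f"default-src 'self'; script-src {script_src}; img-src {img_src}; "
            f"object-src 'none'; frame-ancestors 'none'; base-uri 'self'")


def unlisted_scripts(html: str, csp: str) -> List[str]:
    """Inline scripts whose hash is not in the policy. A browser enforcing the
    policy refuses to run them; for the site owner the non-empty list is the
    signal that a script was changed after the policy was generated."""
    return [body for body in inline_scripts(html) if csp_hash(body) not in csp]


# Constructed sample page; cdn.example.com and img.example.com are placeholder hosts.
PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>window.__cfg = {network: "mainnet"};</script>
</head><body><img src="https://img.example.com/logo.png"></body></html>"""

POLICY = build_csp(PAGE, script_hosts=("https://cdn.example.com",),
                   img_hosts=("https://img.example.com",))

# The same page after someone edits the inline script: its hash no longer matches.
TAMPERED = PAGE.replace('"mainnet"', '"mainnet"; window.__x = 1')

if __name__ == "__main__":
    print("Content-Security-Policy:", POLICY)
    print("unlisted in original page:", unlisted_scripts(PAGE, POLICY))
    print("unlisted after the edit:", unlisted_scripts(TAMPERED, POLICY))
```

The policy is served as the Content-Security-Policy response header; because every inline script is pinned by hash and every external origin is listed explicitly, there is no need for 'unsafe-inline', and re-running unlisted_scripts on the deployed HTML is a cheap integrity check.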