💾 Archived View for nicholasjohnson.ch › 2021 › 09 › 28 › oxen-security-fail captured on 2024-08-18 at 18:42:18. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2024-07-08)

-=-=-=-=-=-=-

 _  _ _    _        _              _     _                      
| \| (_)__| |_  ___| |__ _ ___  _ | |___| |_  _ _  ___ ___ _ _  
| .` | / _| ' \/ _ \ / _` (_-< | || / _ \ ' \| ' \(_-</ _ \ ' \ 
|_|\_|_\__|_||_\___/_\__,_/__/  \__/\___/_||_|_||_/__/\___/_||_|

🔗 Return to homepage

📆 September 28, 2021 | ⏱️ 2 minute read | 🏷️ computing

Oxen Security Fail

Lately I've been doing research on the Oxen Privacy Tech Foundation and their various projects. On 19 September while looking at Session, I noticed getsession.org was missing the Strict-Transport-Security header¹. So I decided to also check the security headers for oxen.io², lokinet.org³, and optf.ngo⁴ and what do you know, they're also missing HTTP security headers.

The download links for each project are all vulnerable to network-level man-in-the-middle attacks⁵. They also load external resources with no CSP header. They're all missing X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and a Permissions-Policy. This is the web security equivalent of leaving your front door open.

When I noticed the lack of security headers on getsession.org, I emailed support@getsession.org informing them of the issue the same day. Over a week later, it's still not fixed and I have no response. How long has their website been insecure like this? I'm left wondering whether I should take OPTF and their work seriously. How can crypto projects focused primarily on privacy and security overlook basic web security? OPTF has some explaining to do.

Their sites may have other security vulnerabilities I'm unaware of. I'm no web pentester and I have no interest in pursuing it further. I may ask a pen tester friend of mine to look into it for me. I'm going to contact OPTF directly through their contact form⁶ about what all I've already found. I'll update this entry later once they respond.

Update (2021-10-02):

I received a response the same day I contacted the OPTF. They let me know my original email to Session went to spam which is why they didn't see it. It probably got filtered because I put "URGENT" in the subject line. The issue was resolved by the next day and the CTO (Kee Jefferys) thanked me for the feedback.

References

🔗 [1]: Strict-Transport-Security header

🔗 [2]: oxen.io

🔗 [3]: lokinet.org

🔗 [4]: optf.ngo

🔗 [5]: man-in-the-middle attacks

🔗 [6]: contact form

Copyright © 2020-2024 Nicholas Johnson. CC BY-SA 4.0.