Topic: Security Standards in the Crypto Community Sites (or the lack of them sometimes)

member (Activity: 84, Merit: 16)
Quote: "Grade F is still better than maybe 50% of the websites online on the www" [lips sealed]

True, but those sites aren't handling money (and if they are, I certainly won't use them). Given the immutable nature of crypto transactions, base security is pretty key, and it's not there as a common practice. It's not exactly hard either: it's a few headers and a bit of testing. My own site gets A+, and it took no work whatsoever beyond getting hashes of the JavaScript running on the page and specifying any external sources for images, scripts, etc. An added bonus is that I know if anyone changes anything that could hurt our site.
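The hash-based CSP the reply above describes, as an added example that is not the poster's own code: it parses a constructed HTML page, hashes each inline script the way a browser does (SHA-256 over the exact script text, base64-encoded, in a 'sha256-...' source expression), allow-lists the external script and image origins it finds, and then shows that a tampered copy of the page no longer passes. The hosts cdn.example.com and images.example.com are hypothetical. The object-src, base-uri and frame-ancestors directives go slightly beyond what the reply lists; they are the usual companions of a hash-based script-src in a strict policy.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (hypothetical hosts, not a real site): one
# external script, two inline scripts and one external image.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>console.log("hello");</script>
</head><body>
<img src="https://images.example.com/logo.png">
<script>
  window.init();
</script>
</body></html>"""


def _origin(url):
    """scheme://host[:port] of an absolute URL, the granularity CSP allow-lists."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


class PageAssets(HTMLParser):
    """Collect inline script bodies and the origins of external scripts/images."""

    def __init__(self):
        super().__init__()
        self.inline_scripts = []
        self.script_origins = set()
        self.img_origins = set()
        self._script_buf = None  # list while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag == "script":
            if src:
                self.script_origins.add(_origin(src))
            else:
                self._script_buf = []
        elif tag == "img" and src:
            self.img_origins.add(_origin(src))

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            # Browsers hash the exact script text, whitespace included.
            self.inline_scripts.append("".join(self._script_buf))
            self._script_buf = None


def parse_page(html):
    page = PageAssets()
    page.feed(html)
    page.close()
    return page


def csp_hash(script_text):
    """CSP source expression for an inline script: 'sha256-<base64 digest>'."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(html):
    """Derive a strict CSP for the page: no 'unsafe-inline', per-script hashes instead."""
    page = parse_page(html)
    script_src = ["'self'", *sorted(page.script_origins)]
    script_src += [csp_hash(s) for s in page.inline_scripts]
    img_src = ["'self'", *sorted(page.img_origins)]
    directives = [
        "default-src 'self'",
        "script-src " + " ".join(script_src),
        "img-src " + " ".join(img_src),
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ]
    return "; ".join(directives)


def inline_scripts_allowed(html, csp):
    """True only if every inline script on the page is hashed in the CSP.

    Any edit to an inline script (an injected skimmer, for example) changes
    its hash, so the browser refuses to run it and this check fails too.
    """
    allowed = set(re.findall(r"'sha256-[A-Za-z0-9+/=]+'", csp))
    return all(csp_hash(s) in allowed for s in parse_page(html).inline_scripts)


if __name__ == "__main__":
    policy = build_csp(SAMPLE_HTML)
    print("Content-Security-Policy:", policy)
    tampered = SAMPLE_HTML.replace("window.init();", "window.init(); steal();")
    print("original page allowed:", inline_scripts_allowed(SAMPLE_HTML, policy))
    print("tampered page allowed:", inline_scripts_allowed(tampered, policy))
```

Run the module directly to print the generated header and the two checks. Regenerating the policy as part of the build, rather than by hand, is what makes the "I know if anyone changes anything" property hold: a deploy that edits an inline script without refreshing the header gets blocked by the browser instead of silently shipping.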
copper member (Activity: 2828, Merit: 4065)
Grade F is still better than maybe 50% of the websites online on the www [lips sealed]
member (Activity: 84, Merit: 16)
Something has been bothering me. We're all really aware of the number of hacks, attacks and thefts from Exchanges and Online Wallets across the crypto scene, and you'd think that, considering cryptocurrency is crypto first and a currency second, the larger names would have a clue about digital security on the net. But it's pretty clear they don't.

A basic, and personally I consider mandatory, set of protections to have in place when you're setting up a web frontend is the security headers. They stop a lot of common attacks (Cross Site Scripting, framing a site for masquerading and keylogging), enforce HTTPS, enforce cross-origin restrictions, etc. They're pretty much default in high-risk sectors like Financial Services or even the big Social Network sites, and they only require setting a few simple header values. It turns out a lot of them don't even do this basic thing, and then people end up getting screwed.

This site was set up by a guy who was frustrated at the lack of Security Headers on a lot of e-commerce sites, so he came up with a really simple grading system based on whether sites have implemented adequate protection, and it explains what each header does (NOTE: I don't know the guy, but the site is legit from a Security and Computer Science perspective).

So, with that in mind, I decided to check some of the bigger names in Crypto. The results were:

Site             Grade  Notes
GDAX             A+     The best score here, and the best score possible.
Kraken           A      The only thing they haven't set is the Referrer Policy, which means it could potentially leak data to another site on navigation away. Otherwise, excellent work.
BitcoinTalk      B      For a forum this is fine, but a Referrer Policy would be nice to have.
Cex.io           C      No STS, no CSP, no Referrer Policy: HTTPS can potentially be circumvented, XSS is still possible, and information could leak on navigation away.
Bittrex          E      Have at least set X-Frame-Options, but are still vulnerable to an XSS attack, have no CSP, and content types can be sniffed. Not good.
ShapeShift       D      Have at least set X-Frame-Options and the X-XSS-Protection header, but are still vulnerable to some XSS edge cases, have no CSP, and content types can be sniffed.
Poloniex         C
Coinbase         A      The only reason it's not an A+ is that they use 'unsafe-inline' in their CSP, which isn't recommended, though abusing it would require someone compromising their source.
LocalBitcoins    C
Gemini           D      It seems the Winklevoss twins can get licensed, but not set some pretty basic Security Headers. At least they have STS enabled.
Blockchain.info  B      Mainly good, but could do with a Referrer Policy so as not to leak data about what you've been doing on their site.
MyEtherWallet    F      Literally doing nothing. A solution to the problem (move the hosting to Netlify and set the headers, $0 cost) was suggested to them a month ago. Great project, but the hosting really undermines it.


To give a comparison, these are the results for some of the bigger banks and sites on the net:

Site             Grade  Notes
Chase (JPMC)     A
Facebook         A
Wells Fargo      B      Good, not perfect, but good.
HSBC             C      Not great, but there is worse...
Bank of America  D      ... LOL
Twitter          A

Considering the money on the line, am I alone in thinking this needs to get better, quickly?

I'm really interested in everyone's thoughts, including any of the site owners'.
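A checker in the spirit of the grading the post describes, added here as an example; it is not the post author's code and not the grading site's actual algorithm. The weights and grade cut-offs are this example's own simplification, and the header sets are constructed for illustration rather than captured from any site in the tables. It checks the headers the post discusses (STS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy), docks a CSP that relies on 'unsafe-inline' without hashes or nonces (the Coinbase case), accepts CSP frame-ancestors as an alternative to X-Frame-Options, and gives no credit for X-XSS-Protection, since current browsers ignore that header and CSP is the control that actually stops injected script.

```python
import re

# Constructed header sets for illustration (hypothetical; not captured from
# any site named in the post).  'sha256-AAAA' is a placeholder hash.
SAMPLES = {
    "strict": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'sha256-AAAA'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    },
    "no_referrer_policy": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
    },
    "unsafe_inline_csp": {
        "Strict-Transport-Security": "max-age=31536000",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com; frame-ancestors 'self'",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",
    },
    "framing_only": {"X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "1; mode=block"},
    "nothing": {},
}

HSTS_MIN_AGE = 15552000  # 180 days; a shorter pin lapses before users return


def _csp_directives(csp):
    """Split 'name v1 v2; name2 ...' into {name: [values]} (names lower-cased)."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def grade_for(score):
    """Letter grade for a 0..100 score. Cut-offs are this example's own."""
    for cutoff, grade in ((100, "A+"), (85, "A"), (70, "B"), (55, "C"), (40, "D"), (20, "E")):
        if score >= cutoff:
            return grade
    return "F"


def check_headers(headers):
    """Return (score, grade, findings) for one response's headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}
    score, findings = 0, []

    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "")
    if m and int(m.group(1)) >= HSTS_MIN_AGE:
        score += 25
    elif hsts:
        score += 10
        findings.append("HSTS max-age is short; browsers forget the HTTPS pin quickly")
    else:
        findings.append("no HSTS: a first or expired visit over http:// can be hijacked")

    csp = h.get("content-security-policy")
    has_frame_ancestors = False
    if csp:
        d = _csp_directives(csp)
        script = d.get("script-src", d.get("default-src", []))
        has_frame_ancestors = "frame-ancestors" in d
        # 'unsafe-inline' is ignored by browsers once a hash or nonce is present,
        # so only penalise it when nothing else restricts inline script.
        if "'unsafe-inline'" in script and not any(t.startswith(("'nonce-", "'sha")) for t in script):
            score += 15
            findings.append("CSP allows 'unsafe-inline' scripts, so injected inline script still runs")
        else:
            score += 25
    else:
        findings.append("no CSP: an XSS bug can load and run arbitrary script")

    xfo = (h.get("x-frame-options") or "").strip().upper()
    if has_frame_ancestors or xfo in ("DENY", "SAMEORIGIN"):
        score += 20
    else:
        findings.append("page can be framed (clickjacking, overlay keylogging)")

    if (h.get("x-content-type-options") or "").strip().lower() == "nosniff":
        score += 15
    else:
        findings.append("no X-Content-Type-Options: browsers may sniff content types")

    rp = (h.get("referrer-policy") or "").strip().lower()
    if rp and rp not in ("unsafe-url", "no-referrer-when-downgrade"):
        score += 15
    else:
        findings.append("weak or missing Referrer-Policy: full URLs leak on navigation away")

    if "x-xss-protection" in h:
        findings.append("X-XSS-Protection is set but current browsers ignore it; CSP is the real control")

    return score, grade_for(score), findings


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        score, grade, findings = check_headers(hdrs)
        print(f"{name:<20} {grade:<3} ({score}/100)")
        for finding in findings:
            print("   -", finding)
```

Feed it the headers from a real response (for example the dictionary from `requests.head(url).headers`) and the findings list reads like the Notes column above. The point of the scoring is the findings, not the letter: a site that wants to move from F to A+ fixes each finding in turn, and HSTS and CSP carry the most weight because those are the two that stop money-losing attacks rather than merely leak information.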