Something has been bothering me. So, we're all really aware of the number of hacks, attacks and thefts from Exchanges & Online Wallets across the crypto scene, and you'd think that, considering cryptocurrency is crypto first and a currency second, the larger names would have a clue about digital security on the net. But it's pretty clear they don't.
A basic, and personally I consider mandatory, set of security settings to ensure are in place when you're setting up a web frontend is the security headers. They stop a lot of common attacks (Cross Site Scripting, framing a site for masquerading & keylogging, enforcing HTTPS, enforcing cross-origin policy, etc.), they're pretty much default in high-risk sectors like Financial Services or even the big Social Network sites, and they only require setting a few simple header values. It turns out a lot of them don't even do this basic thing, and then people end up getting screwed.
This site was set up by a guy who was frustrated at the lack of Security Headers on a lot of e-commerce sites, so he came up with a really simple grading system based on whether sites have implemented adequate protection, and explains what each header does (NOTE: I don't know the guy, but the site is legit from a Security and Computer Science perspective).
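To make the headers concrete, here's a small offline checker I've added as an example (it's mine, not the grading site's code and not anything from the exchanges). It scores a response's headers against the ones discussed in this post: HSTS, CSP, X-Frame-Options, X-Content-Type-Options and Referrer-Policy. The sample header sets are constructed, not captured from any real site, and the letter grades are my own illustrative scale that only loosely mirrors the grading site's.

```python
"""Offline check of the response headers discussed in the post.

Added example, not the grading site's code: constructed header sets
are scored against a short rule list (HSTS, CSP, X-Frame-Options,
X-Content-Type-Options, Referrer-Policy). Grades are illustrative.
"""
from typing import Dict, List, Optional

# Why each header matters from the defender's side: the consequence of
# leaving it out, phrased the way the post phrases it.
EXPECTED: Dict[str, str] = {
    "strict-transport-security": "HTTPS can potentially be circumvented",
    "content-security-policy": "XSS is not constrained by a CSP",
    "x-frame-options": "the site can be framed (clickjacking/masquerading)",
    "x-content-type-options": "browsers may sniff content types",
    "referrer-policy": "data may leak to other sites on navigation away",
}

# Constructed sample: a well-configured response (not a real site's headers).
GOOD_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

# Constructed sample: same set, but the CSP allows inline scripts.
INLINE_CSP_HEADERS: Dict[str, str] = dict(
    GOOD_HEADERS,
    **{"Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"},
)


def normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare lower-cased names."""
    return {name.lower(): value.strip() for name, value in headers.items()}


def parse_max_age(hsts_value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS header, or None if absent/invalid."""
    for directive in hsts_value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive[len("max-age="):])
            except ValueError:
                return None
    return None


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings: missing headers first, then headers set to weak values."""
    h = normalise(headers)
    findings: List[str] = []
    for name, consequence in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name}: {consequence}")
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        max_age = parse_max_age(hsts)
        # 180 days is a common lower bound for an HSTS policy to be useful.
        if max_age is None or max_age < 180 * 24 * 3600:
            findings.append("weak strict-transport-security: max-age under 180 days")
    csp = h.get("content-security-policy", "")
    if "'unsafe-inline'" in csp:
        findings.append("weak content-security-policy: 'unsafe-inline' permits injected inline scripts")
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"weak x-frame-options: unrecognised value {xfo!r}")
    xcto = h.get("x-content-type-options", "").lower()
    if xcto and xcto != "nosniff":
        findings.append(f"weak x-content-type-options: expected 'nosniff', got {xcto!r}")
    return findings


GRADES = ["A+", "A", "B", "C", "D", "F"]


def grade(headers: Dict[str, str]) -> str:
    """Illustrative grade: one step down per missing header. A full set that
    still has a weak value (e.g. 'unsafe-inline') gets an A rather than an A+."""
    findings = check_headers(headers)
    missing = sum(1 for f in findings if f.startswith("missing "))
    if missing == 0 and findings:
        return "A"
    return GRADES[min(missing, len(GRADES) - 1)]


if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("inline csp", INLINE_CSP_HEADERS), ("none", {})):
        print(f"{label}: {grade(hdrs)}")
        for finding in check_headers(hdrs):
            print("  -", finding)
```

Feed it the headers from a real response (e.g. the dict you get back from an HTTP client) and it lists what's missing and why that matters, which is basically what the grading site does in the browser. The empty dict case is what an F looks like: every header absent.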
So, with that in mind, I decided to check some of the bigger names in Crypto. The results were:
| Site | Grade | Notes |
|---|---|---|
| GDAX | A+ | The best score here and the best score possible. |
| Kraken | A | Only thing they haven't set is the Referrer Policy, which means it potentially could leak data to another site on navigation away. Otherwise, excellent work. |
| BitcoinTalk | B | For a forum, this is fine, but a Referrer Policy would be a nice to have. |
| Cex.io | C | No STS, no CSP, no Referrer Policy. Means HTTPS can potentially be circumvented, XSS is still possible, and it could leak information on navigation away. |
| Bittrex | E | Have at least set X-Frame-Options, but still vulnerable to an XSS attack, has no CSP, and can sniff content types. Not good. |
| ShapeShift | D | Have at least set X-Frame-Options and have set the X-XSS-Protection header, but are still vulnerable to some XSS edge cases, has no CSP, and can sniff content types. |
| Poloniex | C | |
| Coinbase | A | Only reason it's not an A+ is that it uses 'unsafe-inline' in their CSP, which isn't recommended but would require someone compromising their source. |
| LocalBitcoin | C | |
| Gemini | D | Seems that the Winklevoss twins can get licensed, but not set some pretty basic Security Headers. At least they have STS enabled. |
| Blockchain.info | B | Mainly good, but could do with the Referrer Policy to not leak data about what you've been doing on their site. |
| MyEtherWallet | F | Literally doing nothing. Solution for the problem (move the hosting to Netlify and set headers, $0 cost) suggested to them 1 month ago. Great project, but the hosting really undermines it. |
To give a comparison, these are the results for some of the bigger banks & sites on the net:
Considering the money on the line, am I alone in thinking this needs to get better, quickly?
I'm really interested in everyone's thoughts, including any of the site owners'.