Has the code quality improved since I was told to screw off for bringing up security?
* 2 years out of date gevent-websocket
* Year-old Python-RSA, which included some worrying security bugs in that time. [0] (Vulnerable to side-channel attacks on decryption and signing.)
* PyElliptic is both out of date, and actually an unmaintained library. But it's okay, it's just the OpenSSL library!
* 2 years out of date Pybitcointools, with just a few bug fixes around confirming things are actually signed correctly.
* A year out of date pyasn1, which is the type library. Not as big a deal, but covers some constraint verification bugs. [1]
* opensslVerify is actually up to date! That's new! And exciting!
* CoffeeScript is a few versions out of date. 1.10 vs the current 1.12, which includes moving away from methods deprecated in NodeJS, problems with managing paths under Windows and compiler enhancements. Not as big a deal, but something that shouldn't be happening.
Then of course, we have the open issues that should be high on the security scope, but don't get a lot of attention.
Like:
* Disable insecure SSL cryptos [3]
* Signing fail if Thumbs.db exist [4]
* ZeroNet fails to notice broken Tor hidden services connection [5]
* ZeroNet returns 500 server error when received truncated referrer [6] (XSS issues)
* port TorManager.py to python-stem [7], i.e. stop using out of date, unsupported libraries.
I gave up investigating at this point. Doubtless there's more to find.
As long as:
a) The author/s continue to use out-of-date, unsupported libraries by directly copying them into the git repository, rather than using any sort of package management.
b) The author/s continue to simply pass security problems on to the end user
... ZeroNet is unfit for use.
As simple as that.
People have tried to help. I tried to help before the project got as expansive as it is.
But then, and now, there is little or no interest in actually fixing the problems.
ZeroNet is an interesting idea, implemented poorly.
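One way to turn the inventory above into a repeatable check, written here as an added example and not code from ZeroNet or any of its contributors: walk a directory of vendored (copied-in) Python packages, read the `__version__` each one declares, and compare it against a minimum-version policy. The directory layout, the policy floors and the sample tree are all constructed for illustration.

```python
import pathlib
import re
import tempfile

VERSION_RE = re.compile(r"""^__version__\s*=\s*['"]([^'"]+)['"]""", re.M)
# Constructed policy: package -> lowest acceptable version (illustrative floors, not from the thread).
POLICY = {"rsa": "3.4.0", "pyasn1": "0.2.0", "pyelliptic": "1.0.0"}

def parse_version(v):
    # "1.10.0" -> (1, 10, 0); a non-numeric suffix such as "rc1" is dropped.
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def scan_vendored(root):
    # Map each package directory under root to the __version__ it declares.
    found = {}
    for pkg in sorted(p for p in pathlib.Path(root).iterdir() if p.is_dir()):
        found[pkg.name] = "unknown"  # copied in with no declared version at all
        for fname in ("__init__.py", "version.py", "_version.py"):
            path = pkg / fname
            if path.is_file():
                m = VERSION_RE.search(path.read_text(encoding="utf-8"))
                if m:
                    found[pkg.name] = m.group(1)
                    break
    return found

def audit(found, policy):
    # Report every policy package that is vendored unversioned or below its floor.
    findings = []
    for pkg, floor in sorted(policy.items()):
        have = found.get(pkg, "unknown")
        if have == "unknown" or parse_version(have) < parse_version(floor):
            findings.append(f"{pkg}: vendored {have}, policy requires >= {floor}")
    return findings

def build_sample_tree():
    # Constructed stand-in for a repo's vendored lib/ directory (not real ZeroNet files).
    root = pathlib.Path(tempfile.mkdtemp())
    samples = {"rsa": '__version__ = "3.1.4"\n', "pyasn1": '__version__ = "0.2.3"\n',
               "pyelliptic": "# no version declared\n"}
    for name, text in samples.items():
        (root / name).mkdir()
        (root / name / "__init__.py").write_text(text, encoding="utf-8")
    return str(root)
```

Running `audit(scan_vendored(build_sample_tree()), POLICY)` flags the stale `rsa` copy and the version-less `pyelliptic` copy while passing `pyasn1`; pointing `scan_vendored` at a real vendored directory gives the same report for that tree.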
That's a pretty deep and well thought out security audit. Are they at least making progress? For a lot of open source projects that are labours of love, it's all about getting the time and funding to work on them.
That was OpenSSL's attitude. It resulted in harm to many more users who would've been better off with something else or with its own developers actually trying to prevent security vulnerabilities. A project advertising something to be "uncensorable" based on "crypto" or whatever should be baking security in from the start everywhere it goes. Or it's just a fraud.
Let me quote one of the ZeroNet team members when questioned about potential hacking.
> I wasn't aware of any hackers. The only problem I have since I have been running ZeroNet for a year, is the minor problem of file size mismatch, simply because not all peers in the network have the latest version of a file.
At best, that's an unhelpful attitude. It leads to things like: [0]
Nobody is going to use ZeroNet in the first place if it's not secure. "Users before security" makes no sense at all if the product you're selling is security.
We talked it over, decided I would do the test suite.
I started, found the bad practices, and showed how I could turn it into a fully automated system, new versions could be tested against, and if it works, it could output binaries for every system.
The response was, 'No don't do that. I like doing it manually. Means I can check for breakage.'
Followed by my PRs and issues being closed, and my emails bouncing.
[0] https://github.com/sybrenstuvel/python-rsa/issues/19
[1] https://github.com/etingof/pyasn1/issues/20
[3] https://github.com/HelloZeroNet/ZeroNet/issues/830
[4] https://github.com/HelloZeroNet/ZeroNet/issues/796
[5] https://github.com/HelloZeroNet/ZeroNet/issues/794
[6] https://github.com/HelloZeroNet/ZeroNet/issues/777
[7] https://github.com/HelloZeroNet/ZeroNet/issues/758