Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

0bin vs zerobin #454

Closed
kewde opened this issue Apr 29, 2018 · 13 comments
Closed

0bin vs zerobin #454

kewde opened this issue Apr 29, 2018 · 13 comments

Comments

@kewde
Copy link
Contributor

@kewde kewde commented Apr 29, 2018

https://0bin.net/ and https://zerobin.net/
both use the same source code, yet zerobin.net provides an onion domain (http://zerobinqmdqd236y.onion).

Perhaps we should consider swapping them?

@infosec-handbook
Copy link
Contributor

@infosec-handbook infosec-handbook commented Apr 30, 2018

Some facts for comparison. Please note that web servers which do not disclose version information can be vulnerable, too. There is no way to check this without server access.

https://0bin.net

  • uses outdated nginx 1.1.19 (released on Apr 12, 2012) which contains at least 3 security vulnerabilities, jQuery, Bootstrap
  • Open ports of the web server: 21 (FTP), 22 (SSH), 53 (DNS), 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy)
  • FTP uses outdated vsftpd 2.3.5 (released in December 2011), maybe vulnerable to CVE-2015-1419, and allows anonymous login
  • SSH uses outdated OpenSSH 5.9p1 (released in September 2011) which contains at least 4 security vulnerabilities
  • DNS uses outdated BIND 9.8.1-P1 (released in November 2011) which contains about 20 security vulnerabilities
  • Let's Encrypt RSA cert (2048 bits), expires in August 2018
  • supports TLSv1.0, TLSv1.1, TLSv1.2
  • weak DH parameter (1024 bits) for key exchange
  • no OCSP Must-Staple, no OCSP stapling, no HSTS, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • not listed on hstspreload.org
  • no DNSSEC

https://zerobin.net

  • uses CloudFlare's WAF, jQuery
  • Open ports of the web server: 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy), 8443 (HTTP alt)
  • COMODO ECDSA cert (256 bits), valid for dozens of different domain names, expires in 143 days
  • supports TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 (draft 23)
  • sets 1 Cookies (missing SameSite flag)
  • no OCSP Must-Staple
  • not listed on hstspreload.org
  • no DNSSEC

https://ghostbin.com

  • uses outdated Apache 2.4.18 (released in December 2015) which contains about 14 security vulnerabilities, jQuery, Ubuntu
  • Open ports of the web server: 22 (SSH), 80 (HTTP), 443 (HTTPS)
  • SSH used outdated OpenSSH 7.2p2 which contains about 6 security vulnerabilities when checked on May 10, 2018. There was no version information disclosed on May 27, 2018.
  • offers HTTP method TRACK which introduces XST (Cross-Site-Tracing) vulnerability for some web servers, offers HTTP method CUSTOM (arbitrary HTTP methods)
  • Let's Encrypt RSA cert (2048 bits), expires in 44 days
  • supports TLSv1.0, TLSv1.1, TLSv1.2, allows weak cipher suites with RC4 encryption
  • no OCSP Must-Staple, no OCSP stapling, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • not listed on hstspreload.org
  • no DNSSEC

https://privatebin.info

  • uses nginx (version not disclosed), jQuery, Bootstrap, Debian 8 Jessie
  • Open ports of the web server: 22 (SSH), 25 (SMTP), 53 (DNS), 80 (HTTP), 443 (HTTPS), 587 (SMTP), 993 (IMAP)
  • SSH uses OpenSSH 7.4p1 which may contain 1 security vulnerability
  • DNS uses outdated BIND 9.9.5 which contains 11 security vulnerabilities
  • Let's Encrypt RSA cert (4096 bits) for the web server, expires in August 2018
  • RapidSSL RSA cert (4096 bits) for the mail server, expires in July 2019
  • web server supports only TLSv1.2 (this is recommended nowadays)
  • sets 3 third-party cookies (codeclimate.com, scrutinizer-ci.com, insight.sensiolabs.com) and 13 cookies
  • SRI for JS is implemented which is recommended
  • no OCSP Must-Staple, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • listed on hstspreload.org, however, it no longer meets the requirements
  • Please note: privatebin.net sends everything but referrer header, while privatebin.info doesn't send most security-relevant HTTP headers. Moreover, privatebin.net doesn't set any cookies and doesn't connect to third parties.
  • no DNSSEC

https://hastebin.com

  • uses cloudflare, jQuery
  • Open ports of the web server: 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy), 8443 (HTTP alt)
  • COMODO ECDSA cert (256 bits), valid for several other domain names, expires in 138 days
  • supports TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 (draft 23)
  • sets 1 Cookies (missing Secure flag, missing SameSite flag) and connects with ajax.googleapis.com
  • loads JS from Google but doesn't implement Subresource Integrity (SRI)
  • no OCSP Must-Staple, no OCSP stapling, no HSTS, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • not listed on hstspreload.org
  • no DNSSEC

Edit (May 26, 2018): Updated findings.
Edit (May 27, 2018): Added further information and projects mentioned by @kewde and added hastebin.com which is also listed on privacytools.io

@kewde
Copy link
Contributor Author

@kewde kewde commented May 25, 2018

@Shifterovich

@kewde
Copy link
Contributor Author

@kewde kewde commented May 26, 2018

@infosec-handbook

Please run the same analytics for the following websites, their results will determine the order of the section.
https://ghostbin.com/
https://privatebin.info

I'm currently going to propose a replacement of 0bin with zerobin.net.
Then re-ordering it to: PrivateBin - ZeroBin - Ghostbin (unless your research shows a different picture).
https://github.com/PrivateBin/PrivateBin/wiki/FAQ#should-i-switch-from-zerobin-to-privatebin

@infosec-handbook
Copy link
Contributor

@infosec-handbook infosec-handbook commented May 27, 2018

@kewde

Please run the same analytics for the following websites

I added the results to the overview above. I also added hastebin.com which is currently listed on privacytools.io, too.

zerobin.net seems to be the only recommendable service when I look at the results. However, since zerobin.net doesn't disclose version information we can't be 100% sure that they don't use outdated software, too. Furthermore, I didn't look at the implementation of their code for secure pastebins.

In a nutshell:

  1. zerobin.net: seems to be most secure according to the results (in terms of general web server security)
  2. privatebin.info: SSH/DNS software may be vulnerable, however, privatebin.net sets most security-related HTTP headers. Worse are about 10 third-party connections and cookies from a privacy perspective.
  3. ghostbin.com: seems to use a vulnerable Apache web server, offers broken RC4 encryption, and shouldn't be recommended at all
  4. 0bin.net: seems to run mostly outdated and vulnerable software from 2011 and uses weak DH parameter for key exchange, and shouldn't be recommended at all
  5. hastebin.com: all version information is filtered by cloudflare, however, most security features are disabled and there is third-party JS loaded without any checks. It shouldn't be recommended at all
@ghost
Copy link

@ghost ghost commented May 27, 2018

Create a PR changing the order and adding some information. Regarding Ghostbin, we should warn users that while Ghostbin - the software - is good, ghostbin.com's security is worrisome.

@kewde
Copy link
Contributor Author

@kewde kewde commented May 27, 2018

@infosec-handbook

I believe the 10 third-party connections are related to the .info website (privatebin.info)? - which hosts the source code, in particular the 8 unique github badges will cause third party connections.
The actual pastebin website is the .net domain https://privatebin.net/
It's a bit unclear from your comment on which domain these third party connections are present.

Changing the privatebin url on the website to the .net domain.

@kewde
Copy link
Contributor Author

@kewde kewde commented May 27, 2018

Also out of curiosity - what tools are you using for the analysis?
It could perhaps be a standard procedure for analyzing websites we recommend.

Found it: https://infosec-handbook.eu/blog/online-assessment-tools/

@infosec-handbook
Copy link
Contributor

@infosec-handbook infosec-handbook commented May 27, 2018

@kewde

I believe the 10 third-party connections are related to the .info website (privatebin.info)?

Right. https://privatebin.net/ has 0 connections to third parties and doesn't set cookies.

what tools are you using for the analysis?

I use the web services mentioned in the blog article and several well-known tools like nmap, sslyze, sslscan, dig, openssl etc. to analyze web servers.

@Vincevrp
Copy link
Contributor

@Vincevrp Vincevrp commented Feb 28, 2019

Regarding Ghostbin, we should warn users that while Ghostbin - the software - is good, ghostbin.com's security is worrisome.

I think we shouldn't recommend it then. (#408)

@BurungHantu1605
Copy link
Collaborator

@BurungHantu1605 BurungHantu1605 commented May 6, 2019

hi guys, i've removed zerobin recently because of this message from the dev:

I dot not have time to maintain ZeroBin any more. For a more up-to-date version, please switch to PrivateBin : https://privatebin.info/

Source: https://sebsauvage.net/wiki/doku.php?id=php:zerobin

Seems like PrivateBin is the only choice at the moment? I've decided to link to our installation, too.
https://www.privacytools.io/providers/paste/

Should we remove Ghostbin? Replace it with something or just leave PrivateBin as the only choice?

@jingofett
Copy link

@jingofett jingofett commented May 8, 2019

Ghostbin now displays a message that it will be shutting down this month.

I guess PrivateBin is the only choice. Is there a way to integrate it with ShareX?

@Spydar007
Copy link
Contributor

@Spydar007 Spydar007 commented May 15, 2019

Ghostbin removed via #931

@blacklight447-ptio
Copy link
Collaborator

@blacklight447-ptio blacklight447-ptio commented Aug 9, 2019

as we now list privatebin, this issue seems outdated, closing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
7 participants
You can’t perform that action at this time.