New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

0bin vs zerobin #454

Open
kewde opened this Issue Apr 29, 2018 · 8 comments

Comments

Projects
None yet
3 participants
@kewde
Collaborator

kewde commented Apr 29, 2018

https://0bin.net/ and https://zerobin.net/
both use the same source code, yet zerobin.net provides an onion domain (http://zerobinqmdqd236y.onion).

Perhaps we should consider swapping them?

@infosec-handbook

This comment has been minimized.

Show comment
Hide comment
@infosec-handbook

infosec-handbook Apr 30, 2018

Contributor

Some facts for comparison. Please note that web servers which do not disclose version information can be vulnerable, too. There is no way to check this without server access.

https://0bin.net

  • uses outdated nginx 1.1.19 (released on Apr 12, 2012) which contains at least 3 security vulnerabilities, jQuery, Bootstrap
  • Open ports of the web server: 21 (FTP), 22 (SSH), 53 (DNS), 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy)
  • FTP uses outdated vsftpd 2.3.5 (released in December 2011), maybe vulnerable to CVE-2015-1419, and allows anonymous login
  • SSH uses outdated OpenSSH 5.9p1 (released in September 2011) which contains at least 4 security vulnerabilities
  • DNS uses outdated BIND 9.8.1-P1 (released in November 2011) which contains about 20 security vulnerabilities
  • Let's Encrypt RSA cert (2048 bits), expires in August 2018
  • supports TLSv1.0, TLSv1.1, TLSv1.2
  • weak DH parameter (1024 bits) for key exchange
  • no OCSP Must-Staple, no OCSP stapling, no HSTS, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • not listed on hstspreload.org
  • no DNSSEC

https://zerobin.net

  • uses CloudFlare's WAF, jQuery
  • Open ports of the web server: 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy), 8443 (HTTP alt)
  • COMODO ECDSA cert (256 bits), valid for dozens of different domain names, expires in 143 days
  • supports TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 (draft 23)
  • sets 1 Cookies (missing SameSite flag)
  • no OCSP Must-Staple
  • not listed on hstspreload.org
  • no DNSSEC

https://ghostbin.com

  • uses outdated Apache 2.4.18 (released in December 2015) which contains about 14 security vulnerabilities, jQuery, Ubuntu
  • Open ports of the web server: 22 (SSH), 80 (HTTP), 443 (HTTPS)
  • SSH used outdated OpenSSH 7.2p2 which contains about 6 security vulnerabilities when checked on May 10, 2018. There was no version information disclosed on May 27, 2018.
  • offers HTTP method TRACK which introduces XST (Cross-Site-Tracing) vulnerability for some web servers, offers HTTP method CUSTOM (arbitrary HTTP methods)
  • Let's Encrypt RSA cert (2048 bits), expires in 44 days
  • supports TLSv1.0, TLSv1.1, TLSv1.2, allows weak cipher suites with RC4 encryption
  • no OCSP Must-Staple, no OCSP stapling, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • not listed on hstspreload.org
  • no DNSSEC

https://privatebin.info

  • uses nginx (version not disclosed), jQuery, Bootstrap, Debian 8 Jessie
  • Open ports of the web server: 22 (SSH), 25 (SMTP), 53 (DNS), 80 (HTTP), 443 (HTTPS), 587 (SMTP), 993 (IMAP)
  • SSH uses OpenSSH 7.4p1 which may contain 1 security vulnerability
  • DNS uses outdated BIND 9.9.5 which contains 11 security vulnerabilities
  • Let's Encrypt RSA cert (4096 bits) for the web server, expires in August 2018
  • RapidSSL RSA cert (4096 bits) for the mail server, expires in July 2019
  • web server supports only TLSv1.2 (this is recommended nowadays)
  • sets 3 third-party cookies (codeclimate.com, scrutinizer-ci.com, insight.sensiolabs.com) and 13 cookies
  • SRI for JS is implemented which is recommended
  • no OCSP Must-Staple, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • listed on hstspreload.org, however, it no longer meets the requirements
  • Please note: privatebin.net sends everything but referrer header, while privatebin.info doesn't send most security-relevant HTTP headers. Moreover, privatebin.net doesn't set any cookies and doesn't connect to third parties.
  • no DNSSEC

https://hastebin.com

  • uses cloudflare, jQuery
  • Open ports of the web server: 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy), 8443 (HTTP alt)
  • COMODO ECDSA cert (256 bits), valid for several other domain names, expires in 138 days
  • supports TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 (draft 23)
  • sets 1 Cookies (missing Secure flag, missing SameSite flag) and connects with ajax.googleapis.com
  • loads JS from Google but doesn't implement Subresource Integrity (SRI)
  • no OCSP Must-Staple, no OCSP stapling, no HSTS, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • not listed on hstspreload.org
  • no DNSSEC

Edit (May 26, 2018): Updated findings.
Edit (May 27, 2018): Added further information and projects mentioned by @kewde and added hastebin.com which is also listed on privacytools.io

Contributor

infosec-handbook commented Apr 30, 2018

Some facts for comparison. Please note that web servers which do not disclose version information can be vulnerable, too. There is no way to check this without server access.

https://0bin.net

  • uses outdated nginx 1.1.19 (released on Apr 12, 2012) which contains at least 3 security vulnerabilities, jQuery, Bootstrap
  • Open ports of the web server: 21 (FTP), 22 (SSH), 53 (DNS), 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy)
  • FTP uses outdated vsftpd 2.3.5 (released in December 2011), maybe vulnerable to CVE-2015-1419, and allows anonymous login
  • SSH uses outdated OpenSSH 5.9p1 (released in September 2011) which contains at least 4 security vulnerabilities
  • DNS uses outdated BIND 9.8.1-P1 (released in November 2011) which contains about 20 security vulnerabilities
  • Let's Encrypt RSA cert (2048 bits), expires in August 2018
  • supports TLSv1.0, TLSv1.1, TLSv1.2
  • weak DH parameter (1024 bits) for key exchange
  • no OCSP Must-Staple, no OCSP stapling, no HSTS, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • not listed on hstspreload.org
  • no DNSSEC

https://zerobin.net

  • uses CloudFlare's WAF, jQuery
  • Open ports of the web server: 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy), 8443 (HTTP alt)
  • COMODO ECDSA cert (256 bits), valid for dozens of different domain names, expires in 143 days
  • supports TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 (draft 23)
  • sets 1 Cookies (missing SameSite flag)
  • no OCSP Must-Staple
  • not listed on hstspreload.org
  • no DNSSEC

https://ghostbin.com

  • uses outdated Apache 2.4.18 (released in December 2015) which contains about 14 security vulnerabilities, jQuery, Ubuntu
  • Open ports of the web server: 22 (SSH), 80 (HTTP), 443 (HTTPS)
  • SSH used outdated OpenSSH 7.2p2 which contains about 6 security vulnerabilities when checked on May 10, 2018. There was no version information disclosed on May 27, 2018.
  • offers HTTP method TRACK which introduces XST (Cross-Site-Tracing) vulnerability for some web servers, offers HTTP method CUSTOM (arbitrary HTTP methods)
  • Let's Encrypt RSA cert (2048 bits), expires in 44 days
  • supports TLSv1.0, TLSv1.1, TLSv1.2, allows weak cipher suites with RC4 encryption
  • no OCSP Must-Staple, no OCSP stapling, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • not listed on hstspreload.org
  • no DNSSEC

https://privatebin.info

  • uses nginx (version not disclosed), jQuery, Bootstrap, Debian 8 Jessie
  • Open ports of the web server: 22 (SSH), 25 (SMTP), 53 (DNS), 80 (HTTP), 443 (HTTPS), 587 (SMTP), 993 (IMAP)
  • SSH uses OpenSSH 7.4p1 which may contain 1 security vulnerability
  • DNS uses outdated BIND 9.9.5 which contains 11 security vulnerabilities
  • Let's Encrypt RSA cert (4096 bits) for the web server, expires in August 2018
  • RapidSSL RSA cert (4096 bits) for the mail server, expires in July 2019
  • web server supports only TLSv1.2 (this is recommended nowadays)
  • sets 3 third-party cookies (codeclimate.com, scrutinizer-ci.com, insight.sensiolabs.com) and 13 cookies
  • SRI for JS is implemented which is recommended
  • no OCSP Must-Staple, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • listed on hstspreload.org, however, it no longer meets the requirements
  • Please note: privatebin.net sends everything but referrer header, while privatebin.info doesn't send most security-relevant HTTP headers. Moreover, privatebin.net doesn't set any cookies and doesn't connect to third parties.
  • no DNSSEC

https://hastebin.com

  • uses cloudflare, jQuery
  • Open ports of the web server: 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy), 8443 (HTTP alt)
  • COMODO ECDSA cert (256 bits), valid for several other domain names, expires in 138 days
  • supports TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 (draft 23)
  • sets 1 Cookies (missing Secure flag, missing SameSite flag) and connects with ajax.googleapis.com
  • loads JS from Google but doesn't implement Subresource Integrity (SRI)
  • no OCSP Must-Staple, no OCSP stapling, no HSTS, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • not listed on hstspreload.org
  • no DNSSEC

Edit (May 26, 2018): Updated findings.
Edit (May 27, 2018): Added further information and projects mentioned by @kewde and added hastebin.com which is also listed on privacytools.io

@kewde

This comment has been minimized.

Show comment
Hide comment
@kewde
Collaborator

kewde commented May 25, 2018

@kewde

This comment has been minimized.

Show comment
Hide comment
@kewde

kewde May 26, 2018

Collaborator

@infosec-handbook

Please run the same analytics for the following websites, their results will determine the order of the section.
https://ghostbin.com/
https://privatebin.info

I'm currently going to propose a replacement of 0bin with zerobin.net.
Then re-ordering it to: PrivateBin - ZeroBin - Ghostbin (unless your research shows a different picture).
https://github.com/PrivateBin/PrivateBin/wiki/FAQ#should-i-switch-from-zerobin-to-privatebin

Collaborator

kewde commented May 26, 2018

@infosec-handbook

Please run the same analytics for the following websites, their results will determine the order of the section.
https://ghostbin.com/
https://privatebin.info

I'm currently going to propose a replacement of 0bin with zerobin.net.
Then re-ordering it to: PrivateBin - ZeroBin - Ghostbin (unless your research shows a different picture).
https://github.com/PrivateBin/PrivateBin/wiki/FAQ#should-i-switch-from-zerobin-to-privatebin

@infosec-handbook

This comment has been minimized.

Show comment
Hide comment
@infosec-handbook

infosec-handbook May 27, 2018

Contributor

@kewde

Please run the same analytics for the following websites

I added the results to the overview above. I also added hastebin.com which is currently listed on privacytools.io, too.

zerobin.net seems to be the only recommendable service when I look at the results. However, since zerobin.net doesn't disclose version information we can't be 100% sure that they don't use outdated software, too. Furthermore, I didn't look at the implementation of their code for secure pastebins.

In a nutshell:

  1. zerobin.net: seems to be most secure according to the results (in terms of general web server security)
  2. privatebin.info: SSH/DNS software may be vulnerable, however, privatebin.net sets most security-related HTTP headers. Worse are about 10 third-party connections and cookies from a privacy perspective.
  3. ghostbin.com: seems to use a vulnerable Apache web server, offers broken RC4 encryption, and shouldn't be recommended at all
  4. 0bin.net: seems to run mostly outdated and vulnerable software from 2011 and uses weak DH parameter for key exchange, and shouldn't be recommended at all
  5. hastebin.com: all version information is filtered by cloudflare, however, most security features are disabled and there is third-party JS loaded without any checks. It shouldn't be recommended at all
Contributor

infosec-handbook commented May 27, 2018

@kewde

Please run the same analytics for the following websites

I added the results to the overview above. I also added hastebin.com which is currently listed on privacytools.io, too.

zerobin.net seems to be the only recommendable service when I look at the results. However, since zerobin.net doesn't disclose version information we can't be 100% sure that they don't use outdated software, too. Furthermore, I didn't look at the implementation of their code for secure pastebins.

In a nutshell:

  1. zerobin.net: seems to be most secure according to the results (in terms of general web server security)
  2. privatebin.info: SSH/DNS software may be vulnerable, however, privatebin.net sets most security-related HTTP headers. Worse are about 10 third-party connections and cookies from a privacy perspective.
  3. ghostbin.com: seems to use a vulnerable Apache web server, offers broken RC4 encryption, and shouldn't be recommended at all
  4. 0bin.net: seems to run mostly outdated and vulnerable software from 2011 and uses weak DH parameter for key exchange, and shouldn't be recommended at all
  5. hastebin.com: all version information is filtered by cloudflare, however, most security features are disabled and there is third-party JS loaded without any checks. It shouldn't be recommended at all
@Shifterovich

This comment has been minimized.

Show comment
Hide comment
@Shifterovich

Shifterovich May 27, 2018

Collaborator

Create a PR changing the order and adding some information. Regarding Ghostbin, we should warn users that while Ghostbin - the software - is good, ghostbin.com's security is worrisome.

Collaborator

Shifterovich commented May 27, 2018

Create a PR changing the order and adding some information. Regarding Ghostbin, we should warn users that while Ghostbin - the software - is good, ghostbin.com's security is worrisome.

@kewde

This comment has been minimized.

Show comment
Hide comment
@kewde

kewde May 27, 2018

Collaborator

@infosec-handbook

I believe the 10 third-party connections are related to the .info website (privatebin.info)? - which hosts the source code, in particular the 8 unique github badges will cause third party connections.
The actual pastebin website is the .net domain https://privatebin.net/
It's a bit unclear from your comment on which domain these third party connections are present.

Changing the privatebin url on the website to the .net domain.

Collaborator

kewde commented May 27, 2018

@infosec-handbook

I believe the 10 third-party connections are related to the .info website (privatebin.info)? - which hosts the source code, in particular the 8 unique github badges will cause third party connections.
The actual pastebin website is the .net domain https://privatebin.net/
It's a bit unclear from your comment on which domain these third party connections are present.

Changing the privatebin url on the website to the .net domain.

@kewde

This comment has been minimized.

Show comment
Hide comment
@kewde

kewde May 27, 2018

Collaborator

Also out of curiosity - what tools are you using for the analysis?
It could perhaps be a standard procedure for analyzing websites we recommend.

Found it: https://infosec-handbook.eu/blog/online-assessment-tools/

Collaborator

kewde commented May 27, 2018

Also out of curiosity - what tools are you using for the analysis?
It could perhaps be a standard procedure for analyzing websites we recommend.

Found it: https://infosec-handbook.eu/blog/online-assessment-tools/

@infosec-handbook

This comment has been minimized.

Show comment
Hide comment
@infosec-handbook

infosec-handbook May 27, 2018

Contributor

@kewde

I believe the 10 third-party connections are related to the .info website (privatebin.info)?

Right. https://privatebin.net/ has 0 connections to third parties and doesn't set cookies.

what tools are you using for the analysis?

I use the web services mentioned in the blog article and several well-known tools like nmap, sslyze, sslscan, dig, openssl etc. to analyze web servers.

Contributor

infosec-handbook commented May 27, 2018

@kewde

I believe the 10 third-party connections are related to the .info website (privatebin.info)?

Right. https://privatebin.net/ has 0 connections to third parties and doesn't set cookies.

what tools are you using for the analysis?

I use the web services mentioned in the blog article and several well-known tools like nmap, sslyze, sslscan, dig, openssl etc. to analyze web servers.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment