_     __             __              
  ___  (_)___/ /__ ___ ___  / /  ___ _______ 
 / _ \/ / __/  '_/(_-</ _ \/ _ \/ -_) __/ -_)
/_//_/_/\__/_/\_\/___/ .__/_//_/\__/_/  \__/ 

Lately I've been doing research on the Oxen Privacy Tech Foundation and their various projects. On 19 September while looking at Session, I noticed getsession.org was missing the Strict-Transport-Security header[1]. So I decided to also check the security headers for oxen.io[2], lokinet.org[3], and optf.ngo[4] and what do you know, they're also missing HTTP security headers.

The download links for each project are all vulnerable to network-level man-in-the-middle attacks[5]. They also load external resources with no CSP header. They're all missing X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and a Permissions-Policy. This is the web security equivalent of leaving your front door open.
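As an added example (not code from the original entry or from OPTF), a small Python checker that audits a response for exactly the header set named above; it runs against a constructed sample by default, or fetches a live site if a URL is passed as the first argument. The thresholds it applies (a one-year HSTS max-age, `nosniff`, no `'unsafe-inline'` in CSP) are assumed best-practice values, not taken from the entry.

```python
"""Audit an HTTP response for the security headers the entry lists as missing."""
import sys
import urllib.request

# Expected headers and why each matters (assumed best-practice reasons, not from the entry).
REQUIRED = {
    "strict-transport-security": "forces HTTPS; without it a downgrade MITM is possible",
    "content-security-policy": "restricts where scripts, styles and frames may load from",
    "x-frame-options": "prevents clickjacking by disallowing framing",
    "x-content-type-options": "stops MIME sniffing (expected value: nosniff)",
    "referrer-policy": "limits the URL leaked to third-party sites",
    "permissions-policy": "disables browser features the site does not need",
}

def audit_headers(headers):
    """Return a list of (header, problem) findings; header names compare case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [(n, "missing: " + why) for n, why in REQUIRED.items() if n not in lower]
    hsts = lower.get("strict-transport-security", "").lower().replace(" ", "")
    if hsts:  # present, but a short max-age still leaves most visits unprotected
        ages = [d[8:] for d in hsts.split(";") if d.startswith("max-age=")]
        age = int(ages[0]) if ages and ages[0].isdigit() else 0
        if age < 31536000:  # one year is the usual minimum (and required for preload)
            findings.append(("strict-transport-security", f"max-age too short ({age})"))
    xcto = lower.get("x-content-type-options", "").strip().lower()
    if xcto and xcto != "nosniff":
        findings.append(("x-content-type-options", f"unexpected value {xcto!r}"))
    if "'unsafe-inline'" in lower.get("content-security-policy", ""):
        findings.append(("content-security-policy", "allows 'unsafe-inline'"))
    return findings

def fetch_headers(url):
    """Fetch `url` and return its response headers as a dict."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.getheaders())

# Constructed sample response: only HSTS is set, and its max-age is far too short.
SAMPLE = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}

if __name__ == "__main__":
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for name, problem in audit_headers(hdrs):
        print(f"{name}: {problem}")
```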

When I noticed the lack of security headers on getsession.org, I emailed support@getsession.org informing them of the issue the same day. Over a week later, it's still not fixed and I have no response. How long has their website been insecure like this? I'm left wondering whether I should take OPTF and their work seriously. How can crypto projects focused primarily on privacy and security overlook basic web security? OPTF has some explaining to do.

Their sites may have other security vulnerabilities I'm unaware of. I'm no web pentester and I have no interest in pursuing it further. I may ask a pentester friend of mine to look into it for me. I'm going to contact OPTF directly through their contact form[6] about everything I've already found. I'll update this entry later once they respond.

Update (2021-10-02):

I received a response the same day I contacted the OPTF. They let me know my original email to Session went to spam which is why they didn't see it. It probably got filtered because I put "URGENT" in the subject line. The issue was resolved by the next day and the CTO (Kee Jefferys) thanked me for the feedback.


1: getsession.org security headers

2: oxen.io security headers

3: lokinet.org security headers

4: optf.ngo security headers

5: man-in-the-middle attack

6: optf.ngo contact form

Unless otherwise noted, the writing in this journal is licensed under CC BY-SA 4.0.

Copyright 2019-2021 Nicholas Johnson