* 2 years out of date gevent-websocket
* Year old Python-RSA, which included some worrying security bugs in that time. (Vulnerable to side-channel attacks on decryption and signing.)
* PyElliptic is both out of date, and actually an unmaintained library. But it's okay, it's just the OpenSSL library!
* 2 years out of date Pybitcointools, with just a few bug fixes around confirmation things are actually signed correctly.
* A year out of date pyasn1, which is the type library. Not as big a deal, but covers some constraint verification bugs.
* opensslVerify is actually up to date! That's new! And exciting!
* CoffeeScript is a few versions out of date. 1.10 vs the current 1.12, which includes moving away from methods deprecated in NodeJS, problems with managing paths under Windows and compiler enhancements. Not as big a deal, but something that shouldn't be happening.
Then of course, we have the open issues that should be high on the security scope, but don't get a lot of attention.
* Disable insecure SSL cryptos
* Signing fail if Thumbs.db exist
* ZeroNet fails to notice broken Tor hidden services connection 
* ZeroNet returns 500 server error when received truncated referrer (XSS issues)
* port TorManager.py to python-stem, i.e. stop using out of date, unsupported libraries.
I gave up investigating at this point. Doubtless there's more to find.
As long as:
a) The author/s continue to use outdated, unsupported libraries by directly copying them into the git repository, rather than using any sort of package management.
b) The author/s continue to simply pass security problems on to the end user.
... ZeroNet is unfit for use.
As simple as that.
People have tried to help. I tried to help before the project got as expansive as it is.
But then, and now, there is little or no interest in actually fixing the problems.
ZeroNet is an interesting idea, implemented poorly.
It's a shame your skills weren't more appreciated.
My problem is conversations like this one: , where improvements are resisted for being too hard.
People have tried to help improve quality and testing rigour, but they get turned away.
Can you take a look at it again? It's not my area of expertise.
About 52% test coverage, and pip is in use for some things.
However, so long as the LIB folder exists, these sorts of problems will recur.
Each of those libraries is an opportunity for problems to emerge.
However, as they're manually managed, you don't get the chance to test against future versions, to check for breakage or okays.
Out of date becomes inevitable.
Nobody is going to attack ZeroNet if it doesn't have users anyway.
> I wasn't aware of any hackers. The only problem I have since I have been running ZeroNet for a year, is the minor problem of file size mismatch, simply because not all peers in the network have the latest version of a file.
At best, that's an unhelpful attitude. It leads to things like: 
It's easy to point out issues and not do anything to help.
We talked it over, decided I would do the test suite.
I started, found the bad practices, and showed how I could turn it into a fully automated system that new versions could be tested against and that, if it works, could output binaries for every system.
The response was, 'No don't do that. I like doing it manually. Means I can check for breakage.'
Followed by my PRs and issues being closed, and my emails bouncing.
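
The thread's point about libraries copied into a lib folder going stale unnoticed can be turned into an automated check. The sketch below is an added example, not ZeroNet's code or anything posted in the thread. It assumes each vendored package exposes a `__version__` string in its `__init__.py`; the package names, versions and minimum-version manifest are constructed.

```python
import ast, re, tempfile
from pathlib import Path

def vendored_version(pkg_dir):
    """Read __version__ from __init__.py by parsing it, never importing it."""
    init = Path(pkg_dir) / "__init__.py"
    if not init.is_file():
        return None
    for node in ast.parse(init.read_text(encoding="utf-8")).body:
        if (isinstance(node, ast.Assign)
                and any(isinstance(t, ast.Name) and t.id == "__version__" for t in node.targets)
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            return node.value.value
    return None

def as_tuple(version):
    """Leading dotted-numeric prefix as ints, so '1.10' sorts above '1.9'."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(n) for n in m.group().split(".")) if m else ()

def audit(lib_root, minimums):
    """Map each directory under lib_root to ok / stale / unknown / untracked."""
    report = {}
    for pkg in sorted(p for p in Path(lib_root).iterdir() if p.is_dir()):
        found, floor = vendored_version(pkg), minimums.get(pkg.name)
        if floor is None:
            report[pkg.name] = "untracked"   # copied in, but no one tracks its version
        elif found is None:
            report[pkg.name] = "unknown"     # no version marker, cannot be checked
        elif as_tuple(found) < as_tuple(floor):
            report[pkg.name] = f"stale ({found} < {floor})"
        else:
            report[pkg.name] = "ok"
    return report

def demo():
    """Constructed tree: package names and versions are made up for this example."""
    sample = {"alpha": '__version__ = "1.9.2"\n', "beta": '__version__ = "2.0.1"\n',
              "gamma": "# no version marker\n", "delta": '__version__ = "0.3"\n'}
    minimums = {"alpha": "1.10.0", "beta": "2.0.0", "gamma": "1.0"}  # assumed policy
    with tempfile.TemporaryDirectory() as root:
        for name, body in sample.items():
            (Path(root) / name).mkdir()
            (Path(root) / name / "__init__.py").write_text(body, encoding="utf-8")
        return audit(root, minimums)
```

Run in CI, a non-"ok" entry can fail the build, which gives a vendored directory the staleness signal a package manager would otherwise provide.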