Hacker News new | past | comments | ask | show | jobs | submit login

Has the code quality improved since I was told to screw off for bringing up security?

* 2 years out of date gevent-websocket

* Year old Python-RSA, which included some worrying security bugs in that time. [0](Vulnerable to side-channel attacks on decryption and signing.)

* PyElliptic is both out of date, and actually an unmaintained library. But it's okay, it's just the OpenSSL library!

* 2 years out of date Pybitcointools, with just a few bug fixes around confirmation things are actually signed correctly.

* A year out of date pyasn1, which is the type library. Not as big a deal, but covers some constraint verification bugs. [1]

* opensslVerify is actually up to date! That's new! And exciting!

* CoffeeScript is a few versions out of date. 1.10 vs the current 1.12, which includes moving away from methods deprecated in NodeJS, problems with managing paths under Windows and compiler enhancements. Not as big a deal, but something that shouldn't be happening.

Then of course, we have the open issues that should be high on the security scope, but don't get a lot of attention.


* Disable insecure SSL cryptos [3]

* Signing fail if Thumbs.db exist [4]

* ZeroNet fails to notice broken Tor hidden services connection [5]

* ZeroNet returns 500 server error when received truncated referrer [6] (XSS issues)

* port TorManager.py to python-stem [7] i.e. Stop using out of date, unsupported libraries.

I gave up investigating at this point. Doubtless there's more to find.

As long as:

a) The author/s continues to use out-dated, unsupported libraries by directly copying them into the git repository, rather than using any sort of package management.

b) The author/s continue to simply pass security problems on to the end user

... ZeroNet is unfit for use.

As simple as that.

People have tried to help. I tried to help before the project got as expansive as it is.

But then, and now, there is little or no interest in actually fixing the problems.

ZeroNet is an interesting idea, implemented poorly.

[0] https://github.com/sybrenstuvel/python-rsa/issues/19

[1] https://github.com/etingof/pyasn1/issues/20

[3] https://github.com/HelloZeroNet/ZeroNet/issues/830

[4] https://github.com/HelloZeroNet/ZeroNet/issues/796

[5] https://github.com/HelloZeroNet/ZeroNet/issues/794

[6] https://github.com/HelloZeroNet/ZeroNet/issues/777

[7] https://github.com/HelloZeroNet/ZeroNet/issues/758

Thanks for sharing this.

It's a shame your skills weren't more appreciated.

That's a pretty deep and well thought out security audit. Are they at least making progress? For a lot of open source projects that are labours of love, it's all about getting the time and funding to work on them.

openSSLVerify is up to date. That's one more dependency than was up to date a year ago.

My problem is conversations like this one: [0], where improvements are resisted against, for being too hard.

People have tried to help improve quality and testing rigour, but they get turned away.

[0] https://github.com/HelloZeroNet/ZeroNet/issues/830

I've brought up this thread on Reddit https://www.reddit.com/r/zeronet/comments/63lvqo/has_the_cod... and the author /u/nofishme fixed a few things and introduced automation.

Can you take a look at it again? It's not my area of expertise.

It's a lot better. Steps in the right direction.

About 52% test coverage, and pip is in use for some things.

However, so long as the LIB[0] folder exists, these sorts of problems will recur.

Each of those libraries is an opportunity for problems to emerge.

However, as they're manually managed, you don't get the chance to test against future versions, to check for breakage or okays.

Out of date becomes inevitable.

[0] https://github.com/HelloZeroNet/ZeroNet/tree/master/src/lib

Well, it is better to concentrate on getting users in than to solve some small quirks.

Nobody is going to attack ZeroNet if it doesn't have users anyway.

That was OpenSSL's attitude. It resulted in harm to many more users who would've been better off with something else or with its own developers actually trying to prevent security vulnerabilities. A project advertising something to be "uncensorable" based on "crypto" or whatever should be baking security in from the start everywhere it goes. Or it's just a fraud.

You're right.

Let me quote one of the ZeroNet team members when questioned about potential hacking.

> I wasn't aware of any hackers. The only problem I have since I have been running ZeroNet for a year, is the minor problem of file size mismatch, simply because not all peers in the network have the latest version of a file.

At best, that's an unhelpful attitude. It leads to things like: [0]

[0] https://arstechnica.com/security/2017/03/firefox-gets-compla...

Nobody is going to use ZeroNet in the first place if it's not secure. "Users before security" makes no sense at all if the product you're selling is security.

How do you explain that it has a lot of users, much more than your preferred secure network?

Making front page of HN is probably enough motivation for a good portion of attackers.

Your comment is under-appreciated. This is the greatest issue facing computer security today.

It seems to be one guy working on the full project which is opensource so you could do PRs to fix it or donate money.

It's easy to point issues and not do anything to help.

I did.

We talked it over, decided I would do the test suite.

I started, found the bad practices, and showed how I could turn it into a fully automated system, new versions could be tested against, and if it works, it could output binaries for every system.

The response was, 'No don't do that. I like doing it manually. Means I can check for breakage.'

Followed by my PRs and issues being closed, and my emails bouncing.

nofish has known this, he said he will update it up to data soon.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact