Enable HSTS headers on your SSL domain

[rstormsf]

I don't see any reason why you don't have it enabled

curl -s -D- https://www.myetherwallet.com/ | grep -i Strict

I would expect something like:

Strict-Transport-Security: max-age=63072000

and I'd also want to have it at chrome://net-internals#hsts

We have to protect the people against MiTM attacks with SSLstrip

[tayvano]

The way we ensure the security of users is by never saving / storing / transmitting sensitive information. If we were sending anything sensitive, you can sure as hell bet we wouldn't rely on SSL alone to do so.

A man in the middle could capture:

• Addresses

• Already signed transactions

• Current gas price

• Nonce of a given address

• Current balance of an account

That said, we used to have http://www or http:// (I can't remember which) allowed so that those who wanted to connect to their own node that may not have an SSL cert could do so. It doesn't look like that's happening anymore and frankly those advanced users can download the repo if they want to do that so I guess we should probably just look into this.

As an aside, we are still working on our EV SSL cert since apparently you need a bunch of real-world shit before you can get one and we have limited real-world shit since we live in eth-world. Pain in my ass. 🤦

@kvhnuke thoughts? worth doing this?

[Zwilla]

Try our server and let me know how secure you will find that: https://mytokenwallet.com/#secutiry We where running there also mew. I think more security on connection is not possible atm. And most time more secure than to run local on a windows bspc

@kvhnuke tssss, what words from a lady :)

p.s if it takes a long time to connect to our server means nsa give up to listen

A man in the middle could modify:

• the hole js file,
• inject code
• by this way copy your private key
• and so on

[tayvano]

This is why I need more people around me educating my ass. Alright I'll move to high priority. If anyone can get me an up-to-date guide on setting up with AWS, I may be able to do it myself quicket since @kvhnuke is ignoring me again >.>

[Zwilla]

Cloudflare is: THE MAN IN THE MIDDLE. Cloudflare is serving services to absolute illegal websites, to money laundering websites and so on.

[tayvano]

I am aware. They are better at namecheap Google Twitter slack godaddy bluehost and site5 and every other fucker at actually turning off access to phishing \ malicious sites. They've always responded with 24 hours. Namecheap has never once responded. Ever. Not even to trademark takedowns. 😡

We don't use cloudflare tho.

[tayvano]

Oh also, I signed up for some thing that you have to sign up for to enable this on aws. Hopefully the wait won't be too long

[Zwilla]

let me know, what?

[rstormsf]

@tayvano I am not sure what is your web server. According to https://builtwith.com/?https%3a%2f%2fmyetherwallet.com%2f you are using nginx, so I'd recommend to go thru those steps:

https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/

Thank you for doing it.

According to Builtwith.com, you are using CloudFlare

[ianabray]

@tayvano Digging this issue back up. I take it you're using Github pages for hosting right? (@rstormsf that's why it shows as Cloudflare btw). Really should move away from GH pages- it's designed for blogs and wikis, not production sites for crypto because the headers are impossible to change.

To give you an idea of how exposed myetherwallet.com is, here is a report from a really cool little site: MEW report

Essentially, with the current headers, the following can be done pretty easily:

1) Clickjacking because of a lack of a X-Frame-Options header - create an HTML page with MEW in an iFrame on the site, and capture all the information going into the fields. This is a big one and whilst we are playing whack a rat with fake URLs, this is a really easy way for them to exploit MEW users.

2) Cross-site scripting attacks because of a lack of a X-XSS-Protection - similar vector to 1, but again, vulnerable and a nasty vector.

As for alternatives to GitHub Pages, we use netlify.com (shouldn't need more than the free tier for MEW)- it supports setting headers and uses git branches or tags to select how to push it. Using them, and setting all the headers the result we get is: Example of a Good Report.

I’ve setup up a demo on a fork of the current GHPages commit in this Netlify Header Demo and as you can see A+ across the board for adding two files (a _headers file and a _redirects file) in this Demo Report. Zero issues with the site, no errors, all good- and has a Content Security Policy and a better caching policy.

If you want, I'll raise the pull request but you'll need to setup a Netlify account. Can do this for V4 as well if you want.

[rstormsf]

@theoriginaltrubador I'm big fan of netlify