Full security report

[EdOverflow]

Introduction

The following is a report on the general security of https://gratipay.com/. I hope by sharing this we can get more people involved in improving the security of the website and keep track of what is done and needs doing.

On top of that, this should ensure we only get valuable reports on HackerOne, rather than ones demonstrating a theoretical risk.

Note: None of these issues are security vulnerabilities.

Table of Contents

1. Authentication
2. User data
3. Sanitization of input
4. Best practices

1. Authentication

• [ ] Set httpOnly cookies.

2. User data

• [ ] Edit email/payments feature should be accompanied by a verification email to the owner of the account.

3. Security headers

• [x] Add CSP header.
• [x] Add HSTS header.
• [ ] Add gratipay.com to the HSTS Preload List.
• [ ] Add SRI.

4. Sanitization of input

• [ ] Sanitize user input for special cases like robots.txt as profile names.

5. Best practices

Use Cloudflare for DDoS mitigation. See https://github.com/gratipay/inside.gratipay.com/issues/957#issuecomment-286136583

• [ ] Set up Scumblr.

[chadwhitacre]

This and #4262 are awesome, @EdOverflow. For this one in particular it seems that https://github.com/gratipay/inside.gratipay.com/issues/789 might overlap.

[chadwhitacre]

What are the big take-aways from "Learning From A Year of Security Breaches" for us? Credential rolling (https://github.com/gratipay/inside.gratipay.com/issues/159) and better logging are the two things I see there.

Now I find "Starting Up Security: From Scratch" from the same author—a wealth of information! I haven't digested it yet ...

P.S. I also found "Infosec Underpinnings" by Collin Greene to be helpful.

[EdOverflow]

@whit537 I will invest some time in evaluating every issue and writing a full report on every aspect of Gratipay's security. This means I will need some information from you and the team. That way I will understand how the platform operates and will be able to write an entire report for Gratipay's users and team.

Would you be fine with me making this a priority?

[chadwhitacre]

Hopefully it's ultimately up to you to set your own priorities around here. :-)

I do think we want to avoid losing the forest for the trees. The challenge with security as I see it is to prioritize risks and dedicate resources to resolving the biggest risks first. That means having a comprehensive, big picture view that we can use to assess and make decisions against. Reacting to H1 reports is really just the beginning.

Can we use Google Docs or Etherpad to collaboratively edit a security roadmap? We could also use Markdown and Git with a page on inside.gratipay.com like we do for the product roadmap. The point though is that roadmapping and prioritizing are really an ongoing exercise, not a one-time thing.

I think the more you can write your report in public the better. It's better if the rest of us can see your thought process unfold as it happens, rather than you working behind closed doors to emerge with a giant document that you're super-invested in and the rest of us have to take on board somehow. Small batches! Release early and often! :-)

With that, I say go for it! :-)

[EdOverflow]

I agree with every point you raised.

I do think we want to avoid losing the forest for the trees. The challenge with security as I see it is to prioritize risks and dedicate resources to resolving the biggest risks first. That means having a comprehensive, big picture view that we can use to assess and make decisions against. Reacting to H1 reports is really just the beginning.

My plan is to create a clear threat model. This will allow security researchers and the Gratipay team to focus on the most critical security issues. The different areas of the platform will be divided into sections determined by a score.

Can we use Google Docs or Etherpad to collaboratively edit a security roadmap?

Since you have already set up Etherpad, we may as well use that.

[chadwhitacre]

I simply constructed the link and nothing else, pads are there for you automatically at whatever URL you choose. Good place to start, anyway! :-)

[chadwhitacre]

Interesting post on "GitHub's post-CSP journey."

[EdOverflow]

Fascinating read! Thank you for sharing @whit537.

[EdOverflow]

Re: Actually, I would like to use the repository's Wiki to allow everyone to contribute to the development. @whit537 Would it be possible to allow me to edit Gratipay's GitHub Wiki?

[chadwhitacre]

Can we use Inside Gratipay to avoid multiple sources of truth?

http://inside.gratipay.com/howto/manage-risk

[EdOverflow]

Can we use Inside Gratipay to avoid multiple sources of truth?

OK, that sounds like a compromise. :)

[chadwhitacre]

@EdOverflow What's the status of this ticket relative to recent updates to our program? Anything left to do here or can we close?

[EdOverflow]

@whit537 Now that we have updated our policy, we do not have to worry about duplicate reports for these issues. (We do not accept these type of issues anymore.) But I would still like to make sure that we resolve some of the issues above or add the listed security features at some point.

[chadwhitacre]

Can we reticket specific items rather than holding them in this meta-ticket?

[EdOverflow]

@whit537 Good idea. I will do that. :smiley: