0bin vs zerobin #454

Closed
opened 2018-04-29 13:28:12 +00:00 by kewde · 13 comments
kewde commented 2018-04-29 13:28:12 +00:00 (Migrated from github.com)

https://0bin.net/ and https://zerobin.net/
both use the same source code, yet zerobin.net provides an onion domain (http://zerobinqmdqd236y.onion).

Perhaps we should consider swapping them?

ghost commented 2018-04-30 05:07:40 +00:00 (Migrated from github.com)

Some facts for comparison. Please note that web servers which do not disclose version information can be vulnerable, too. There is no way to check this without server access.

https://0bin.net

  • uses outdated nginx 1.1.19 (released on Apr 12, 2012) which contains at least 3 security vulnerabilities (https://www.cvedetails.com/vulnerability-list/vendor_id-10048/product_id-17956/version_id-176466/Nginx-Nginx-1.1.19.html), jQuery, Bootstrap
  • Open ports of the web server: 21 (FTP), 22 (SSH), 53 (DNS), 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy)
  • FTP uses outdated vsftpd 2.3.5 (released in December 2011), maybe vulnerable to CVE-2015-1419 (https://www.cvedetails.com/cve/CVE-2015-1419/), and allows anonymous login
  • SSH uses outdated OpenSSH 5.9p1 (released in September 2011) which contains at least 4 security vulnerabilities (https://www.cvedetails.com/version/188814/Openbsd-Openssh-5.9.html)
  • DNS uses outdated BIND 9.8.1-P1 (released in November 2011) which contains about 20 security vulnerabilities (https://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-121758/ISC-Bind-9.8.1.html)
  • Let's Encrypt RSA cert (2048 bits), expires in August 2018
  • supports TLSv1.0, TLSv1.1, TLSv1.2
  • weak DH parameter (1024 bits) for key exchange
  • no OCSP Must-Staple, no OCSP stapling, no HSTS, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • not listed on hstspreload.org
  • no DNSSEC

https://zerobin.net

  • uses CloudFlare's WAF, jQuery
  • Open ports of the web server: 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy), 8443 (HTTP alt)
  • COMODO ECDSA cert (256 bits), valid for dozens of different domain names, expires in 143 days
  • supports TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 (draft 23)
  • sets 1 cookie (missing SameSite flag)
  • no OCSP Must-Staple
  • not listed on hstspreload.org
  • no DNSSEC

https://ghostbin.com

  • uses outdated Apache 2.4.18 (released in December 2015) which contains about 14 security vulnerabilities (https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/version_id-199589/Apache-Http-Server-2.4.18.html), jQuery, Ubuntu
  • Open ports of the web server: 22 (SSH), 80 (HTTP), 443 (HTTPS)
  • SSH used outdated OpenSSH 7.2p2 which contains about 6 security vulnerabilities (https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-585/version_id-194112/Openbsd-Openssh-7.2.html) when checked on May 10, 2018. There was no version information disclosed on May 27, 2018.
  • offers HTTP method TRACK which introduces XST (Cross-Site-Tracing) vulnerability for some web servers, offers HTTP method CUSTOM (arbitrary HTTP methods)
  • Let's Encrypt RSA cert (2048 bits), expires in 44 days
  • supports TLSv1.0, TLSv1.1, TLSv1.2, allows weak cipher suites with RC4 encryption
  • no OCSP Must-Staple, no OCSP stapling, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • not listed on hstspreload.org
  • no DNSSEC

https://privatebin.info

  • uses nginx (version not disclosed), jQuery, Bootstrap, Debian 8 Jessie
  • Open ports of the web server: 22 (SSH), 25 (SMTP), 53 (DNS), 80 (HTTP), 443 (HTTPS), 587 (SMTP), 993 (IMAP)
  • SSH uses OpenSSH 7.4p1 which may contain 1 security vulnerability (https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-585/version_id-228285/Openbsd-Openssh-7.4.html)
  • DNS uses outdated BIND 9.9.5 which contains 11 security vulnerabilities (https://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-177757/ISC-Bind-9.9.5.html)
  • Let's Encrypt RSA cert (4096 bits) for the web server, expires in August 2018
  • RapidSSL RSA cert (4096 bits) for the mail server, expires in July 2019
  • web server supports only TLSv1.2 (this is recommended nowadays)
  • sets 3 third-party cookies (codeclimate.com, scrutinizer-ci.com, insight.sensiolabs.com) and 13 cookies
  • SRI for JS is implemented which is recommended
  • no OCSP Must-Staple, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • listed on hstspreload.org, however, it no longer meets the requirements
  • Please note: privatebin.net sends everything but the referrer header, while privatebin.info doesn't send most security-relevant HTTP headers. Moreover, privatebin.net doesn't set any cookies and doesn't connect to third parties.
  • no DNSSEC

https://hastebin.com

  • uses Cloudflare, jQuery
  • Open ports of the web server: 80 (HTTP), 443 (HTTPS), 8080 (HTTP proxy), 8443 (HTTP alt)
  • COMODO ECDSA cert (256 bits), valid for several other domain names, expires in 138 days
  • supports TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3 (draft 23)
  • sets 1 cookie (missing Secure flag, missing SameSite flag) and connects with ajax.googleapis.com
  • loads JS from Google but doesn't implement Subresource Integrity (SRI)
  • no OCSP Must-Staple, no OCSP stapling, no HSTS, no CSP, no X-Content-Type-Options, no X-Frame-Options, no X-XSS-Protection, referrers leaked
  • not listed on hstspreload.org
  • no DNSSEC

Edit (May 26, 2018): Updated findings.
Edit (May 27, 2018): Added further information and projects mentioned by @kewde and added hastebin.com which is also listed on privacytools.io
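The header and cookie part of the checklist above (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, a referrer policy, and the Secure/HttpOnly/SameSite cookie flags) can be scripted. The following is an added example, not code from privacytools.io, infosec-handbook.eu or any of the listed services. It audits a list of response headers against that checklist and tests the HSTS header against the directive requirements hstspreload.org states. `SAMPLE_RESPONSE` is a constructed header set, not a capture from any real host, and `fetch_headers` is an assumed helper that makes one live HTTPS request when a hostname is passed on the command line.

```python
"""Audit HTTP response headers and Set-Cookie flags against the checklist used
in the comparison above. Added example, not code from privacytools.io,
infosec-handbook.eu or any pastebin service."""
from __future__ import annotations

import http.client
import ssl
import sys
from typing import Iterable

# Response headers the comparison treats as security-relevant; the absence of
# Referrer-Policy is what it reports as "referrers leaked".
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-content-type-options": "X-Content-Type-Options",
    "x-frame-options": "X-Frame-Options",
    "x-xss-protection": "X-XSS-Protection",
    "referrer-policy": "Referrer-Policy",
}
COOKIE_FLAGS = ("secure", "httponly", "samesite")
ONE_YEAR = 31536000

# Constructed sample, modelled on a site that sends no security headers and
# one cookie without Secure and SameSite (not a capture from any real host).
SAMPLE_RESPONSE = [
    ("Server", "nginx"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]


def hsts_preloadable(value: str) -> bool:
    """Check the HSTS directives hstspreload.org requires: max-age of at least
    one year, includeSubDomains and preload. The live preload check also
    requires an HTTP->HTTPS redirect and a valid certificate chain, which a
    header string alone cannot show."""
    directives: dict[str, str] = {}
    for part in value.split(";"):
        key, _, val = part.strip().lower().partition("=")
        if key:
            directives[key] = val
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        return False
    return max_age >= ONE_YEAR and "includesubdomains" in directives and "preload" in directives


def audit_headers(headers: Iterable[tuple[str, str]]) -> dict:
    """Return which checklist headers are missing, which flags each cookie
    lacks, and whether the HSTS header would satisfy hstspreload.org."""
    present: dict[str, str] = {}
    cookies: dict[str, list[str]] = {}
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            # "name=value; Attr1; Attr2=val" -> set of lower-cased attribute names
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].split("=", 1)[0]
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            cookies[cookie_name] = [f for f in COOKIE_FLAGS if f not in attrs]
        else:
            present[key] = value
    return {
        "missing": [label for key, label in REQUIRED_HEADERS.items() if key not in present],
        "cookies": cookies,
        "hsts_preloadable": hsts_preloadable(present.get("strict-transport-security", "")),
    }


def fetch_headers(host: str, path: str = "/") -> list[tuple[str, str]]:
    """Assumed helper for live use: one HTTPS HEAD request returning the raw
    header pairs (needs network access; not used by the offline sample)."""
    conn = http.client.HTTPSConnection(host, 443, timeout=10, context=ssl.create_default_context())
    conn.request("HEAD", path, headers={"Host": host, "User-Agent": "header-audit-example/0.1"})
    return conn.getresponse().getheaders()


if __name__ == "__main__":
    raw = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    report = audit_headers(raw)
    print("missing headers:", ", ".join(report["missing"]) or "none")
    for cookie, lacking in report["cookies"].items():
        print(f"cookie {cookie}: missing flags {', '.join(lacking) or 'none'}")
    print("HSTS header meets preload directive requirements:", report["hsts_preloadable"])
```

Run without arguments to audit the constructed sample, or with a hostname to audit a live site. Note that a missing header is the only thing this detects; a CSP that is present but permissive (for example one allowing `unsafe-inline`) passes here and still needs a manual read, which is why the comparison above pairs header checks with the port, TLS and version findings.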
kewde commented 2018-05-25 19:10:49 +00:00 (Migrated from github.com)

@Shifterovich

kewde commented 2018-05-26 16:25:58 +00:00 (Migrated from github.com)

@infosec-handbook

Please run the same analytics for the following websites, their results will determine the order of the section.
https://ghostbin.com/
https://privatebin.info

I'm currently going to propose a replacement of 0bin with zerobin.net.
Then re-ordering it to: PrivateBin - ZeroBin - Ghostbin (unless your research shows a different picture).
https://github.com/PrivateBin/PrivateBin/wiki/FAQ#should-i-switch-from-zerobin-to-privatebin

ghost commented 2018-05-27 06:48:38 +00:00 (Migrated from github.com)

@kewde

Please run the same analytics for the following websites

I added the results to the overview above. I also added hastebin.com which is currently listed on privacytools.io, too.

zerobin.net seems to be the only recommendable service when I look at the results. However, since zerobin.net doesn't disclose version information we can't be 100% sure that they don't use outdated software, too. Furthermore, I didn't look at the implementation of their code for secure pastebins.

In a nutshell:

  1. zerobin.net: seems to be most secure according to the results (in terms of general web server security)
  2. privatebin.info: SSH/DNS software may be vulnerable, however, privatebin.net sets most security-related HTTP headers. Worse are about 10 third-party connections and cookies from a privacy perspective.
  3. ghostbin.com: seems to use a vulnerable Apache web server, offers broken RC4 encryption, and shouldn't be recommended at all
  4. 0bin.net: seems to run mostly outdated and vulnerable software from 2011 and uses weak DH parameter for key exchange, and shouldn't be recommended at all
  5. hastebin.com: all version information is filtered by cloudflare, however, most security features are disabled and there is third-party JS loaded without any checks. It shouldn't be recommended at all
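The "third-party JS loaded without any checks" finding is the missing Subresource Integrity attribute, which the comparison credits privatebin.info with implementing and hastebin.com with lacking. The following is an added example, not code from any of the listed services: it computes the integrity value a site should ship for a third-party script and reproduces the browser-side check as the SRI specification defines it, including the caveat that an attribute carrying no valid hash token does not block the load. `SCRIPT_BODY` is a constructed stand-in for a CDN-hosted script and `SCRIPT_URL` is a hypothetical path used only to build the example tag.

```python
"""Subresource Integrity (SRI) for scripts loaded from a third party. Added
example, not code from any of the listed pastebin services."""
import base64
import hashlib
import hmac

# Constructed stand-in for a third-party script body (not a real CDN file).
SCRIPT_BODY = b"/* constructed sample */\nwindow.sample = function () { return 1; };\n"
# Hypothetical third-party URL used only to build the example tag.
SCRIPT_URL = "https://ajax.googleapis.com/example/library.min.js"

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # the only algorithms SRI allows


def sri_integrity(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value '<algo>-<base64 digest>' for body."""
    if algo not in STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 and sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Tag a site should ship for a third-party script: integrity pins the
    bytes, crossorigin="anonymous" is required for SRI on cross-origin loads."""
    return (f'<script src="{src}" integrity="{sri_integrity(body)}" '
            'crossorigin="anonymous"></script>')


def verify_sri(integrity: str, body: bytes) -> bool:
    """Browser-side check as the SRI spec defines it: parse the space-separated
    tokens, keep those with a supported algorithm, and accept the body if it
    matches any token of the strongest algorithm present. Caveat: an attribute
    with no valid token does not block the load; the spec treats it as absent."""
    parsed = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in STRENGTH:
            parsed.append((STRENGTH[algo], algo, rest.split("?", 1)[0]))  # drop ?options
    if not parsed:
        return True
    strongest = max(strength for strength, _, _ in parsed)
    for strength, algo, expected_b64 in parsed:
        if strength != strongest:
            continue
        actual = base64.b64encode(hashlib.new(algo, body).digest()).decode("ascii")
        if hmac.compare_digest(actual, expected_b64):
            return True
    return False


if __name__ == "__main__":
    print(script_tag(SCRIPT_URL, SCRIPT_BODY))
    pinned = sri_integrity(SCRIPT_BODY)
    print("unmodified body accepted:", verify_sri(pinned, SCRIPT_BODY))
    print("tampered body accepted:  ", verify_sri(pinned, SCRIPT_BODY + b"// injected\n"))
```

The practical consequence for a site operator is that SRI only helps when the pinned file never changes, so it should reference a fixed library version rather than a "latest" URL; and because a malformed integrity attribute silently passes, the tag should be generated from the downloaded bytes rather than typed by hand.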
ghost commented 2018-05-27 11:26:57 +00:00 (Migrated from github.com)

Create a PR changing the order and adding some information. Regarding Ghostbin, we should warn users that while Ghostbin - the software - is good, ghostbin.com's security is worrisome.

kewde commented 2018-05-27 12:25:14 +00:00 (Migrated from github.com)

@infosec-handbook

I believe the 10 third-party connections are related to the .info website (privatebin.info)? - which hosts the source code, in particular the 8 unique github badges will cause third party connections.
The actual pastebin website is the .net domain https://privatebin.net/
It's a bit unclear from your comment on which domain these third party connections are present.

Changing the privatebin url on the website to the .net domain.

kewde commented 2018-05-27 12:29:44 +00:00 (Migrated from github.com)

Also out of curiosity - what tools are you using for the analysis?
It could perhaps be a standard procedure for analyzing websites we recommend.

Found it: https://infosec-handbook.eu/blog/online-assessment-tools/

ghost commented 2018-05-27 14:46:14 +00:00 (Migrated from github.com)

@kewde

I believe the 10 third-party connections are related to the .info website (privatebin.info)?

Right. https://privatebin.net/ has 0 connections to third parties and doesn't set cookies.

what tools are you using for the analysis?

I use the web services mentioned in the blog article and several well-known tools like nmap, sslyze, sslscan, dig, openssl etc. to analyze web servers.

Vincevrp commented 2019-02-28 19:46:37 +00:00 (Migrated from github.com)

Regarding Ghostbin, we should warn users that while Ghostbin - the software - is good, ghostbin.com's security is worrisome.

I think we shouldn't recommend it then. (#408)

privacytoolsIO commented 2019-05-06 06:42:09 +00:00 (Migrated from github.com)

hi guys, i've removed zerobin recently because of this message from the dev:

I do not have time to maintain ZeroBin any more. For a more up-to-date version, please switch to PrivateBin : https://privatebin.info/

Source: https://sebsauvage.net/wiki/doku.php?id=php:zerobin

Seems like PrivateBin is the only choice at the moment? I've decided to link to our installation, too.
https://www.privacytools.io/providers/paste/

Should we remove Ghostbin? Replace it with something or just leave PrivateBin as the only choice?

jingofett commented 2019-05-08 17:11:39 +00:00 (Migrated from github.com)

Ghostbin now displays a message that it will be shutting down this month.

I guess PrivateBin is the only choice. Is there a way to integrate it with ShareX?

Spydar007 commented 2019-05-15 15:32:01 +00:00 (Migrated from github.com)

Ghostbin removed via #931

blacklight447 commented 2019-08-09 20:24:41 +00:00 (Migrated from github.com)

as we now list privatebin, this issue seems outdated, closing.

Reference: privacyguides/privacytools.io#454