[ADDITION] Add Arcano (https://arcano.app) #3

Open
christianwengert opened this issue Apr 6, 2022 · 8 comments
Assignees
Labels
enhancement New feature or request

Comments

@christianwengert

Explain why it should be added

Arcano is an end-to-end encrypted file transfer service. All data is encrypted in the browser of the sender and only decrypted in the browser of the receiver. Arcano never has access to the keys of the users and can thus not access any of the files. Metadata such as filename are also encrypted.
Furthermore, we offer a free tier, where one can register to Arcano using only an email address. No credit card or other personal data is stored.

Additional Context

Arcano should go into the "File Drop" category.

Content (optional)

Arcano has been developed for lawyers and other professional secret carriers but can be used by anybody who cares about his privacy. This is why we made it our highest priority to have as little knowledge as possible about the lawyers and their clients. Arcano can never access the files that are being transferred or the metadata about this file (e.g. filename).

The files are encrypted using 256 bit AES with GCM.


NOTES:

  • Before submitting, check that there isn't a similar open issue already
  • Please create a new issue for each separate/ stand-alone point you'd like added to the list
  • If you are confident in your abilities, you can also write the point yourself, and submit it as a PR
  • Thank you for your suggestion, it's because of contributors like yourself that this project can exist
@christianwengert christianwengert added the enhancement New feature or request label Apr 6, 2022
@Lissy93
Owner

Lissy93 commented Apr 10, 2022

Heya @christianwengert - Thanks for the suggestion, it looks cool!
It's open source, right? I couldn't find a link to the GitHub repo, if it's available could you share the link pls?

@Lissy93
Owner

Lissy93 commented Apr 10, 2022

Also, in the interest of transparency, are you associated with this project in any way (past or present, paid or unpaid)?

Although I do appreciate all the detailed info provided, it does read a bit like an advert! ;)

@christianwengert
Author

Dear @Lissy93
Full disclaimer: I am the author of this tool (paid? not really :).

As the code as such is JS anyway, sources can be checked by everyone, we do not have any obfuscation in place to hinder users looking at it. Releasing this in a GH Repo is on our todo list, but we did not yet have the time to properly package it.

Sorry for writing the description like an advert :). Nevertheless I think Arcano would fit here quite well, because privacy is certainly the most important feature of this tool.

@Lissy93
Owner

Lissy93 commented Apr 11, 2022

Hiya @christianwengert
Thanks for the transparency :)
I've tried it out, awesome project. But "sources can be checked by everyone" only applies to client-side code, and still doesn't really count as open source.

Unlike the other file share apps on the list, the security cannot be verified, and this app cannot be self-hosted. And with it being a for-profit company, with only 3 free transfers, I'm not sure if it's a good fit for a list of free and open projects.
I guess if you've got a published security audit, then an exception to the open source thing can be made.

@Lissy93
Owner

Lissy93 commented Apr 11, 2022

When trying it out, couple of things jumped out at me. Some small areas for improvement:

Keep your dependencies up-to-date, looks like you've got some vulnerabilities in there. Maybe Snyk-bot / Dependabot might help. https://snyk.io/test/website-scanner/?test=220411_BiDcSV_FB

According to the cookie popup, you've got Google Analytics (which isn't really private at all). But this isn't mentioned in the privacy policy. I also noticed Plausible and GTM being loaded into certain pages. The app doesn't seem to respect DNT either.

The "I read and accept the Terms and Privacy Policy" in the sign up form doesn't actually link to the privacy policy, and when I found it, it didn't seem very complete. There are also things like "Then we take the liberty to inform you about new offers from us via the given e-mail address." that make it sound like they might spam you.

With the 2FA, there's no way to refresh the token if it ever gets compromised. The token's QR code is always available for logged in users at: https://arcano.app/qrcode_2fa. It would also be nice to view the plaintext token, instead of just a QR (otherwise users may turn to a free QR to text converter, and have their token compromised).

There don't seem to be any limits to incorrect pin/ password attempts, and without any password strength indicators there could be some easy to crack passwords.

It's also possible to hit the endpoints from outside of your domain, I can get a valid response using a web server on localhost:8008. Maybe in the production environment you should set a CSP header on the backend to only accept requests from arcano.app domains.

There's a couple other headers you should check too. Are you loading mixed content anywhere? If not, you could set the Strict-Transport-Security header to force HTTPS. And since the app allows users to upload + share PDFs, maybe you should also add the X-Permitted-Cross-Domain-Policies header, set to none, to prevent abuse.

Cookies should have a SameSite value, preferably flagged/ set to strict.

Maybe the robots.txt file shouldn't include everything, as you wouldn't want a user's file to be indexed by mistake.

There doesn't seem to be a security.txt file, so it's not clear how one would report a security vulnerability securely.

Anyway, I used up my 3 free transfers so gave up after this, but I think if you look at the server endpoints there'll be more to find. Hope this info is somewhat helpful :)
There's also some really useful guides on owasp.org which you might find useful :)
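The header and cookie hardening from the comment above, as an added example that is not Arcano's code or anything from the project. It assumes the API lives under /api/, that https://arcano.app and its subdomains are the only legitimate browser callers, and that the session cookie is named "session"; the "only accept requests from arcano.app domains" point is implemented as an Origin allow-list with CORS response headers, which is the mechanism browsers actually enforce for cross-site callers.

```javascript
// Added example (not Arcano's code). Dependency-free helpers that build the
// hardened responses discussed in the thread; wire them into your server's
// writeHead() (Express, Fastify or plain http all take a header object).

// True only for https origins on arcano.app or one of its subdomains.
// Browsers decide "may this site call the API" from the Origin request
// header and the CORS response, so the allow-list is applied here.
function isAllowedOrigin(origin) {
  if (typeof origin !== "string") return false;
  try {
    const u = new URL(origin);
    return u.protocol === "https:" &&
      (u.hostname === "arcano.app" || u.hostname.endsWith(".arcano.app"));
  } catch {
    return false; // not a parseable origin at all
  }
}

// Headers every response should carry: HSTS pins HTTPS for a year (only
// safe once no mixed content is loaded), and a "none" cross-domain policy
// stops an uploaded crossdomain.xml from granting Flash/PDF readers access.
function securityHeaders() {
  return {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Permitted-Cross-Domain-Policies": "none",
  };
}

// Session cookie with SameSite=Strict, plus Secure and HttpOnly.
function sessionCookie(value) {
  return `session=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Decide a response for a minimal request ({ url, headers }). A foreign
// Origin on an API call is refused. A missing Origin (same-origin GET or a
// non-browser client) is let through: this check only stops cross-site
// browser callers and is no substitute for checking the session itself.
function handle(req) {
  const headers = securityHeaders();
  if (req.url.startsWith("/api/")) {
    const origin = req.headers.origin;
    if (origin !== undefined && !isAllowedOrigin(origin)) {
      return { status: 403, headers, body: "forbidden origin" };
    }
    if (origin !== undefined) {
      headers["Access-Control-Allow-Origin"] = origin; // echo the vetted origin
      headers["Vary"] = "Origin";                      // keep caches per-origin
    }
  }
  return { status: 200, headers, body: "ok" };
}
```

The localhost:8008 case from the comment is exactly what the Origin check refuses; a curl call without an Origin header still goes through, which is why the session cookie and server-side authorization remain the real gate.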

@christianwengert
Author

I guess if you've got a published security audit, then an exception to the open source thing can be made.

Thanks for your feedback!
We did perform an audit with cure53 (also audited protonmail and telegram) which is available on request. But I think we could also publish it if required.

@christianwengert
Author

Thanks for trying out! This is really helpful

Keep your dependencies up-to-date, looks like you've got some vulnerabilities in there. Maybe Snyk-bot / Dependabot might help. https://snyk.io/test/website-scanner/?test=220411_BiDcSV_FB

We do rely on the GitHub dependabot for our dependencies and usually fix any issues as quickly as possible. In the report you sent me there seem to be a few false positives (we have no angular whatsoever?!)

According to the cookie popup, you've got Google Analytics (which isn't really private at all). But this isn't mentioned in the privacy policy. I also noticed Plausible and GTM being loaded into certain pages. The app doesn't seem to respect DNT either.

Plausible is fully self-hosted due to privacy reasons. Indeed the google tracking only applies to the landing page in order to measure where people are coming from. Once logged in there is no inclusion at all of google. But you are right we should add this to our policy.

The "I read and accept the Terms and Privacy Policy" in the sign up form doesn't actually link to the privacy policy, and when I found it, it didn't seem very complete. There are also things like "Then we take the liberty to inform you about new offers from us via the given e-mail address." that make it sound like they might spam you.

This is the kind of policies you get when there are lawyers on the team :))
So far we have never ever sent any emails (not even a newsletter) to our customers. I will check this with my partners.

With the 2FA, there's no way to refresh the token if it ever gets compromised. The token's QR code is always available for logged in users at: https://arcano.app/qrcode_2fa. It would also be nice to view the plaintext token, instead of just a QR (otherwise users may turn to a free QR to text converter, and have their token compromised).

Good point!

There don't seem to be any limits to incorrect pin/ password attempts, and without any password strength indicators there could be some easy to crack passwords.

On signup we do enforce some minimal password strength.
Concerning the brute force attack:

  • A rate limiter is on our todo list already

It's also possible to hit the endpoints from outside of your domain, I can get a valid response using a web server on localhost:8008. Maybe in the production environment you should set a CSP header on the backend to only accept requests from arcano.app domains.

Oh this is a great find. Thanks. Clearly a misconfiguration on our side.

There's a couple other headers you should check too. Are you loading mixed content anywhere? If not, you could set the Strict-Transport-Security header to force HTTPS. And since the app allows users to upload + share PDFs, maybe you should also add the X-Permitted-Cross-Domain-Policies header, set to none, to prevent abuse.

Ok, thanks for this input.

Cookies should have a SameSite value, preferably flagged/ set to strict.

+1

Maybe the robots.txt file shouldn't include everything, as you wouldn't want a user's file to be indexed by mistake.

True, but I am less concerned about this because user files are only 256 bit encrypted on our side (including metadata) and we do not have the keys.

There doesn't seem to be a security.txt file, so it's not clear how one would report a security vulnerability securely.

Our FAQ states how we handle vulns.

Anyway, I used up my 3 free transfers so gave up after this, but I think if you look at the server endpoints there'll be more to find. Hope this info is somewhat helpful :) There's also some really useful guides on owasp.org which you might find useful :)

Again thanks a lot (btw: once your three transfers are through you should get an automatic offer to get another 5 for free (once)).

Thanks for referencing OWASP, I had OWASP in mind when building Arcano. Also I am currently very active on different ethical hacking certifications and regularly attack Arcano myself :)
Several bugs have been found and removed during this process.
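The "limits to incorrect pin/password attempts" finding and the rate limiter christianwengert says is on the todo list, as an added example that is not Arcano's code: a per-key failed-login limiter with a failure window and a lockout that doubles on each consecutive lockout. It assumes the login handler calls checkAttempt() before verifying the credential and recordResult() after, keyed by account id (and, separately, by client IP); the in-memory Map stands in for whatever shared store a multi-instance deployment would use.

```javascript
// Added example (not Arcano's code): failed-login limiter with lockout.
// Assumed policy: at most MAX_FAILURES failures per WINDOW_MS, then a
// lockout of BASE_LOCK_MS that doubles with every consecutive lockout.
const WINDOW_MS = 15 * 60 * 1000; // failures are counted over 15 minutes
const MAX_FAILURES = 5;           // failures tolerated inside one window
const BASE_LOCK_MS = 60 * 1000;   // first lockout lasts one minute

// key -> { failures, windowStart, lockedUntil, locks }; in-memory stand-in
// for a shared store (all timestamps are epoch milliseconds).
const attempts = new Map();

function state(key) {
  if (!attempts.has(key)) {
    attempts.set(key, { failures: 0, windowStart: 0, lockedUntil: 0, locks: 0 });
  }
  return attempts.get(key);
}

// Call before checking the credential. Returns { allowed, retryAfterMs };
// retryAfterMs feeds a Retry-After header when the attempt is refused.
function checkAttempt(key, now = Date.now()) {
  const s = attempts.get(key);
  if (s && now < s.lockedUntil) {
    return { allowed: false, retryAfterMs: s.lockedUntil - now };
  }
  return { allowed: true, retryAfterMs: 0 };
}

// Call after checking the credential. A success wipes the record; a failure
// is counted in the current window and, once the window's budget is spent,
// starts a lockout of BASE_LOCK_MS * 2^(consecutive lockouts - 1).
function recordResult(key, success, now = Date.now()) {
  if (success) { attempts.delete(key); return; }
  const s = state(key);
  if (now - s.windowStart > WINDOW_MS) { s.failures = 0; s.windowStart = now; }
  s.failures += 1;
  if (s.failures >= MAX_FAILURES) {
    s.locks += 1;
    s.lockedUntil = now + BASE_LOCK_MS * 2 ** (s.locks - 1);
    s.failures = 0;      // a fresh budget once the lockout ends
    s.windowStart = now;
  }
}
```

Keying by account protects one user from a targeted guess, keying by IP slows a spray across many accounts; running both checks per request covers each case, and the doubling lockout keeps a persistent attacker's rate falling without permanently locking the legitimate owner out.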

@Lissy93
Owner

Lissy93 commented Apr 12, 2022

No problem, just a fresh set of eyes :)

Cure53 is awesome. When you're ready, if you choose to publish the full audit, I will add Arcano to the list. It's a bit of an edge case, as although it's not really free or open source, I can see that it could be very useful in the enterprise setting.

I'd not found the FAQ, some useful stuff there. Under the "Do you have a bug bounty program?" section, could I suggest here that you include a bit more info. Specifically:
1- A method of contacting you. Preferably to a dedicated inbox (maybe like security@arcano.app)
2- A PGP key for encrypting messages (so if something critical is found, the message can't be intercepted)
It's worth making the disclosure process as easy and appealing as possible, to (hopefully) reduce temptation for a hacker to sell a vulnerability.

@Lissy93 Lissy93 transferred this issue from Lissy93/personal-security-checklist Jul 10, 2022
@Lissy93 Lissy93 changed the title [CONTENT-CHANGE] Add Arcano (https://arcano.app) [ADDITION] Add Arcano (https://arcano.app) Jul 13, 2022
BrunoBernardino added a commit to BrunoBernardino/awesome-privacy-1 that referenced this issue Jul 17, 2023