[ADDITION] Add Arcano (https://arcano.app) #3
Heya @christianwengert - Thanks for the suggestion, it looks cool!
Also, in the interest of transparency, are you associated with this project in any way (past or present, paid or unpaid)? Although I do appreciate all the detailed info provided, it does read a bit like an advert! ;)
Dear @Lissy93, as the code as such is JS anyway, the sources can be checked by everyone; we do not have any obfuscation in place to hinder users looking at it. Releasing this in a GH repo is on our todo list, but we did not yet have the time to properly package it. Sorry for writing the description like an advert :) . Nevertheless I think Arcano would fit here quite well, because privacy is certainly the most important feature of this tool.
Hiya @christianwengert. Unlike the other file share apps on the list, the security cannot be verified, and this app cannot be self-hosted. And with it being a for-profit company, with only 3 free transfers, I'm not sure if it's a good fit for a list of free and open projects.
When trying it out, a couple of things jumped out at me. Some small areas for improvement:

- Keep your dependencies up-to-date, looks like you've got some vulnerabilities in there. Maybe Snyk-bot / Dependabot might help. https://snyk.io/test/website-scanner/?test=220411_BiDcSV_FB
- According to the cookie popup, you've got Google Analytics (which isn't really private at all). But this isn't mentioned in the privacy policy. I also noticed Plausible and GTM being loaded into certain pages. The app doesn't seem to respect DNT either.
- The "I read and accept the Terms and Privacy Policy" in the sign-up form doesn't actually link to the privacy policy, and when I found it, it didn't seem very complete. There are also things like "Then we take the liberty to inform you about new offers from us via the given e-mail address." that make it sound like they might spam you.
- With the 2FA, there's no way to refresh the token if it ever gets compromised. The token's QR code is always available for logged in users at: https://arcano.app/qrcode_2fa It would also be nice to view the plaintext token, instead of just a QR (otherwise users may turn to a free QR to text converter, and have their token compromised).
- There don't seem to be any limits to incorrect pin/ password attempts, and without any password strength indicators there could be some easy to crack passwords.
- It's also possible to hit the endpoints from outside of your domain, I can get a valid response using a web server on localhost:8008. Maybe in the production environment you should set a CSP header on the backend to only accept requests from arcano.app domains.
- There's a couple other headers you should check too. Are you loading mixed content anywhere? If not, could set the
- Cookies should have a SameSite value, preferably flagged/ set to strict.
- Maybe the robots.txt file shouldn't include everything, as you wouldn't want a user's file to be indexed by mistake.
- There doesn't seem to be a

Anyway, I used up my 3 free transfers so gave up after this, but I think if you look at the server endpoints there'll be more to find. Hope this info is somewhat helpful :)
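The backend points raised in the review above (origin allowlisting, response headers, SameSite cookies, and a cap on failed pin/password attempts), as an added example that is not Arcano's code or the list maintainer's. It uses plain Node-style functions with no framework; the allowed-origin set, the CSP directives and the lockout limits are assumed values.

```javascript
// Added example (not Arcano's code). The origin set, CSP and limits are assumptions.
const ALLOWED_ORIGINS = new Set(['https://arcano.app', 'https://www.arcano.app']);

// Exact-match check: a substring/startsWith test would accept "https://arcano.app.evil.example".
function isAllowedOrigin(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// CORS headers for an API response; an unlisted origin (e.g. localhost:8008) gets none at all.
function corsHeaders(origin) {
  if (!isAllowedOrigin(origin)) return {};
  return { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
}

// Baseline hardening headers; 'self' limits scripts and connections to the serving origin.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'",
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'no-referrer',
  };
}

// Session cookie: HttpOnly hides it from scripts, Secure keeps it off plain HTTP,
// SameSite=Strict stops it being sent on cross-site requests.
function sessionCookie(value) {
  return `session=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Per-account failed-attempt counter with a lockout window (in-memory, for illustration).
class AttemptLimiter {
  constructor(maxFailures = 5, lockoutMs = 15 * 60 * 1000) {
    this.maxFailures = maxFailures; this.lockoutMs = lockoutMs; this.state = new Map();
  }
  isLocked(account, now = Date.now()) {
    const s = this.state.get(account);
    return !!s && s.failures >= this.maxFailures && now - s.lastFailure < this.lockoutMs;
  }
  // Call after each pin/password check. Success clears the counter; an expired window restarts it.
  record(account, succeeded, now = Date.now()) {
    if (succeeded) { this.state.delete(account); return; }
    let s = this.state.get(account) || { failures: 0, lastFailure: 0 };
    if (now - s.lastFailure >= this.lockoutMs) s = { failures: 0, lastFailure: 0 };
    this.state.set(account, { failures: s.failures + 1, lastFailure: now });
  }
}
```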
Thanks for your feedback!
Thanks for trying it out! This is really helpful.
We do rely on the GitHub Dependabot for our dependencies and usually fix any issues as quickly as possible. In the report you sent me there seem to be a few false positives (we have no Angular whatsoever?!)
Plausible is fully self-hosted due to privacy reasons. Indeed the google tracking only applies to the landing page in order to measure where people are coming from. Once logged in there is no inclusion at all of google. But you are right we should add this to our policy.
This is the kind of policy you get when there are lawyers on the team :))
Good point!
On signup we do enforce some minimal password strength.
Oh this is a great find. Thanks. Clearly a misconfiguration on our side.
Ok, thanks for this input
+1
True, but I am less concerned about this because user files are only 256 bit encrypted on our side (including metadata) and we do not have the keys.
Our FAQ states how we handle vulns.
Again thanks a lot (btw: once your three transfers are through you should get an automatic offer to get another 5 for free (once)). Thanks for referencing OWASP, I had OWASP in mind when building Arcano. Also I am currently very active on different ethical hacking certifications and regularly attack Arcano myself :)
No problem, just a fresh set of eyes :) Cure53 is awesome. When you're ready, if you choose to publish the full audit, I will add Arcano to the list. It's a bit of an edge case, as although it's not really free or open source, I can see that it could be very useful in the enterprise setting. I'd not found the FAQ, some useful stuff there. Under the "Do you have a bug bounty program?" section, could I suggest here that you include a bit more info. Specifically:
Explain why it should be added
Arcano is an end-to-end encrypted file transfer service. All data is encrypted in the browser of the sender and only decrypted in the browser of the receiver. Arcano never has access to the keys of the users and can thus not access any of the files. Metadata such as filenames is also encrypted.
Furthermore, we offer a free tier, where one can register with Arcano using only an email address. No credit card or other personal data is stored.
Additional Context
Arcano should go into the "File Drop" category.
Content (optional)
Arcano has been developed for lawyers and other professional secret carriers but can be used by anybody who cares about their privacy. This is why we made it our highest priority to have as little knowledge as possible about the lawyers and their clients. Arcano can never access the files that are being transferred or the metadata about these files (e.g. filename).
The files are encrypted using 256-bit AES with GCM.
NOTES: