Improve BleachBit.org Security


Hi,

Please upgrade the security a bit more.

Should use Upgrade Insecure Requests @ https://www.w3.org/TR/upgrade-insecure-requests/

Should enable HPKP (HTTP Public Key Pinning) @ https://report-uri.io/home/pkp_hash

Should use CSP (Content Security Policy) @ https://report-uri.io/home/generate

And other security headers @ https://bitcoinsecurityproject.org/WebApplicationSecurityPractices/Secur...

Thanks,

Will

ROCKNROLLKID

+1. Though, I thought Andrew did update the Content Security Policy when he switched to HTTPS, but perhaps I am mistaken. Anyway, it wouldn't hurt to add these as an extra layer for the BleachBit website.

____________________
Also known as Alex.

Moderator for BleachBit and a maintainer for Winapp2.

Check out my open-source group on Steam: http://steamcommunity.com/groups/opencommunity

Windows 10 x64 (switching to ReactOS in the future).

Hi!
BleachBit for Windows
Checked for viruses in VirusTotal (https://www.virustotal.com/): crammed with trojans!
Eliminate.
The only alternative is CCleaner.
I hope to fix it.

Carl: please see the recent discussion about trojans and the false positives

Andrew

---
Andrew, lead developer

Checked (VirusTotal) Ad-Aware - 1 Trojan
Checked Ad-Aware - 0 Trojan
Is BleachBit really safe?
How do you fix a reputation?
Andrew, you do not know Russian? (Russian language)

ROCKNROLLKID

Carl. Anti-virus/anti-malware programs have false positives all the time. BleachBit is a popular tool that has been around for years. There has never been any malware in BleachBit before and there never will be. Also, BleachBit is open source, so you can always check the source code for malicious code if you don't feel safe.


Fear of infection is so great! I still do not trust it.
Make it so that there are no false positives.
Good luck

Still some layers that can be added, in the order of importance:

  • Content Security Policy (CSP) header not implemented
  • X-XSS-Protection header not implemented
  • HTTP Strict Transport Security (HSTS) header set to less than six months (15768000)
  • Subresource Integrity (SRI) not implemented

Full report and further details on implementation:
https://observatory.mozilla.org/analyze.html?host=www.bleachbit.org

Hi Forday,

Yes, it would be good to add more web site security.

I am doing it in steps, while still managing the application and other work. A few days ago I added HTTPS to the last subdomain that did not support it, and now *.bleachbit.org forwards to HTTPS. Also, this week I enabled HSTS with a short max-age to check whether anything breaks. If this goes well, I will increase the max-age. I also looked into CSP, but the configuration for maximum security looks non-trivial.

---
Andrew, lead developer
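As an added example, not code from this thread or from the BleachBit project: a small Python checker for the header items in Forday's list (CSP, X-XSS-Protection, HSTS max-age of at least six months) plus the Upgrade Insecure Requests directive from the opening post, run over two constructed header sets, one resembling Andrew's short-max-age testing stage and one with the layers added. All header values are assumptions; SRI is an `integrity=` attribute in the HTML rather than a header, so it is outside this check.

```python
# Threshold from the Observatory finding quoted in the thread: six months in seconds.
HSTS_MIN_MAX_AGE = 15768000

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit_headers(headers):
    """Return {check: (ok, detail)} for the header items raised in this thread."""
    h = {k.lower(): v for k, v in headers.items()}
    result = {}
    csp = h.get("content-security-policy", "")
    uir = "upgrade-insecure-requests" in csp.lower()
    result["csp"] = (bool(csp), "present" if csp else "not implemented")
    result["upgrade-insecure-requests"] = (uir, "set via CSP" if uir else "not set")
    hsts = h.get("strict-transport-security")
    max_age, include_sub = parse_hsts(hsts) if hsts is not None else (None, False)
    if hsts is None:
        result["hsts"] = (False, "not implemented")
    elif max_age is None:
        result["hsts"] = (False, "max-age missing or invalid")
    elif max_age < HSTS_MIN_MAX_AGE:
        result["hsts"] = (False, f"max-age {max_age} is below six months")
    else:
        result["hsts"] = (True, f"max-age {max_age}, includeSubDomains={include_sub}")
    # Listed by the report; current browsers ignore this header, so it is a low-value layer.
    xss = "x-xss-protection" in h
    result["x-xss-protection"] = (xss, "present" if xss else "not implemented")
    return result

def failing_checks(headers):
    """Names of the checks that fail, sorted."""
    return sorted(name for name, (ok, _) in audit_headers(headers).items() if not ok)

# Constructed samples: the thread's state (short HSTS max-age while testing, no CSP,
# no X-XSS-Protection) beside a header set with the layers from the thread added.
TESTING_HEADERS = {"Strict-Transport-Security": "max-age=300", "Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests",
    "X-XSS-Protection": "1; mode=block",
}
```

Feed it the headers captured from a real response (for example from a `curl -I` run) to reproduce the Observatory findings without re-scanning.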