A new update just went live. Most if not all issues raised in the review campaign until now should be fixed.
Changelog
04.04.2023 06:00:00 AM UTC
-Fees were reduced from 0.00015BTC/address to 0.0001BTC/address
-Website is now fully responsive
-All "unclickable" buttons fixed
-Note can now be downloaded in the same way as the Letter of Guarantee
-Tor header added
-HTTP Strict-Transport-Security added
-Captcha can be refreshed
-Clearnet link added to footer
-Added warning on the Withdraw Note/Combine Note pages (Your note will only work after the deposit is fully confirmed.)
-If user doesn't have JS enabled an error will be displayed
-Sliders fixed
-Network fees now adjust automatically based on market conditions so transactions shouldn't get stuck anymore
I saw a review campaign and was ready to participate, but I see the same thing will be repeated over and over. Even if I could add an address analysis from a tool used by CEXs to make it a bit different and a website security check.
However, I have a question
The website is missing the HTTP <Strict-Transport-Security> security header
You know what I mean? The point saying to browsers that Whirlwind should only be accessed with HTTPS, and any connection using HTTP should automatically be converted to HTTPS
However, I believe you configured a 301 redirect on your server (HTTP to HTTPS), it does almost the same thing but the HTTP connection is still vulnerable to a man-in-the-middle attack
Just for my information, TYVM
By the way: Pretty smart to use Njalla

If you have the time I'd appreciate your review
HSTS was fixed too. Even though I believe the other implementation was good enough (a user would have to take extra steps in order to use HTTP so it couldn't happen by accident), I agree your suggestion is the right way to do it.
They are just one of many providers that we use, but for Clearnet at least it does the trick
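
The difference discussed in the posts above between a 301 redirect alone and a Strict-Transport-Security header can be checked from response headers. The following is an added example, not part of the original posts and not the site's own code; the finding names, the MIN_MAX_AGE threshold and the example.test host are assumptions made for illustration.

```python
import re

MIN_MAX_AGE = 15552000  # assumed audit threshold (180 days), not a value from the thread

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if unusable."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            # max-age is required, must be digits only and may appear once
            if policy["max_age"] is not None or not re.fullmatch(r"[0-9]+", arg):
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def audit(scheme, status, headers):
    """Return finding codes for one response (headers: dict of name -> value)."""
    h = {k.lower(): v for k, v in headers.items()}
    sts = h.get("strict-transport-security")
    if scheme == "http":
        to_https = h.get("location", "").lower().startswith("https://")
        redirected = 300 <= status < 400 and to_https
        # A redirect upgrades the connection only after one cleartext request.
        findings = ["redirect-only" if redirected else "no-https-redirect"]
        if sts:
            findings.append("hsts-over-http-ignored")  # browsers discard it here
        return findings
    policy = parse_hsts(sts) if sts else None
    if policy is None:
        return ["hsts-missing-or-invalid"]
    if policy["max_age"] == 0:
        return ["hsts-disabled"]  # max-age=0 tells the browser to forget the policy
    return ["hsts-ok" if policy["max_age"] >= MIN_MAX_AGE else "hsts-short-max-age"]

# Constructed sample responses for a hypothetical host, not captured traffic.
SAMPLES = [
    ("http", 301, {"Location": "https://example.test/"}),
    ("https", 200, {"Content-Type": "text/html"}),
    ("https", 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]

if __name__ == "__main__":
    for scheme, status, headers in SAMPLES:
        print(scheme, status, audit(scheme, status, headers))
```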