SSL server configuration: you call that "secure"?

Discussion in 'Flamewars, Gripes and Complaints' started by Dremor, Oct 21, 2016.

  1. Dremor

    Dremor New Member

    I scanned the forum with Mozilla's SSL Observatory... Got a F, with a 15/100 score.

    https://observatory.mozilla.org/analyze.html?host=forums.emberthegame.com

    Bad security configuration, a shared SSL certificate with some suspicious websites (*.nxttgdvgoh.ml, kinkysexyadultshopping.xyz, among others), some very outdated cyphers (DES3, WTF?).

    Who the hell configured this shit?
     
    Last edited: Oct 21, 2016
  2. Xeevis

    Xeevis Well-Known Member Max Kahuna Forum Tech

    You call that insecure? :D It's important to note this is a small game community website, not a government institution, a banking institution or a corporation with juicy secrets. A cypher is deemed insecure when there's "someone" capable of cracking it. Even DES3, however old it is, to my knowledge (correct me if I'm wrong) can't be cracked without very expensive equipment, and even then it takes days. Why would anyone with such resources waste them on cracking forums such as these?

    Of course that also needs the client to actually use that cypher; it's there only for backwards compatibility and is only used by browsers that don't support anything better, which should be totally rare these days, but it's still better to give them a somewhat secure connection than nothing at all. My point is, you have to consider not just strength but also compatibility and how valuable a target you are securing.

    As for the scoring, frankly I don't find any of their suggestions important for security. Enhancements, definitely, but far from being necessities and hardly worth pursuing for this project. If you scan around for some much more exposed targets you'll find even worse scores.

    bankofamerica.com = 0/100
    xenforo.com = 0/100

    The shared SSL certificate is installed on Cloudflare servers and none have access to the private keys, so from a security standpoint it doesn't matter how many or which hostnames share it.
     
    Fabricio21RJ, Nunaden and engjang like this.
  3. Nunaden

    Nunaden Well-Known Member

    Like Xeevis said... Why would you attack a forum for a game that doesn't exist?

    And if you use things for security that aren't even compatible anymore, it can be far more secure than the new bullshit that is compatible with everything. Try to find something that is compatible with far more ancient cyphers; you'd probably have to write something completely new to crack it...
     
    Mahdi, engjang and Fabricio21RJ like this.
  4. Dremor

    Dremor New Member

    3DES is a reuse of the very old DES, by chaining it multiple times. But the algorithm itself is vulnerable to multiple attack vectors, especially a possible "known-plaintext" attack, which is a big problem for SSL, as there is a lot of known plaintext (HTTP verbs, HTML tags, etc.), thus making it rather easy to decipher. It is still a good way to cypher passwords in a database, but not for an SSL connection.

    Because unfortunately, there are still a lot of people who use the same username/password on multiple websites. By attacking a less secure server, you can get access to some other account on other services that is far more interesting.
    You can use secure cyphers and support very old clients. Here is an example website. It got a B, but it can still serve someone who uses Firefox 1.0, Chrome 1.0, or IE 7.

    Well... if you use BoA services, I have only one thing to say:


    If that is the case, then it is a bit better. Still, it's far from secure. You can easily get a real certificate, for free, with Letsencrypt, and get far better security.
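The two points in the post above (3DES is not something to offer on a TLS endpoint, and old clients can still be served without it) can be checked mechanically against a server's cipher list. The following script is an added example written for this thread, not code from the forum or from any tool mentioned in it. It takes cipher suite names in OpenSSL notation, as `openssl ciphers -v` or a TLS scanner would list them, flags the classes a defender should remove (3DES, RC4, export/single-DES, unauthenticated or unencrypted suites), and proposes a server-preferred order that keeps a plain AES suite at the end for very old clients. The input list is constructed for illustration and is not the forum's real configuration.

```python
import re

# Constructed sample input: cipher suites in OpenSSL notation, as a scanner would
# report them for a server that still offers 3DES and RC4 "for old browsers".
# This is an illustrative list, not the real forum's configuration.
SAMPLE_SERVER_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA",
    "AES128-SHA",
    "AES256-SHA",
    "DES-CBC3-SHA",
    "ECDHE-RSA-DES-CBC3-SHA",
    "RC4-SHA",
    "EXP-DES-CBC-SHA",
]

# Each entry names one class of suite to remove and the OpenSSL name pattern that
# identifies it. 3DES's 64-bit block size is what makes long TLS sessions exposed to
# birthday-bound (Sweet32-class) attacks; RC4's keystream is biased; export-grade and
# single-DES keys are far too short; NULL/ADH/AECDH suites lack encryption or authentication.
WEAK_PATTERNS = [
    ("3DES: 64-bit block size (Sweet32-class birthday attacks)", re.compile(r"DES-CBC3|3DES")),
    ("RC4: biased keystream", re.compile(r"(^|-)RC4(-|$)")),
    ("single DES / export-grade key", re.compile(r"^EXP-|DES-CBC-SHA$")),
    ("no encryption or no authentication", re.compile(r"NULL|^ADH-|^AECDH-")),
]


def classify(cipher):
    """Describe one suite: its weaknesses (empty list if none), and whether it gives
    forward secrecy (ephemeral key exchange) and AEAD encryption."""
    return {
        "name": cipher,
        "weak": [reason for reason, pattern in WEAK_PATTERNS if pattern.search(cipher)],
        "forward_secrecy": cipher.startswith(("ECDHE-", "DHE-", "EDH-")),
        "aead": any(tag in cipher for tag in ("GCM", "CHACHA20", "CCM")),
    }


def audit(ciphers):
    """Split a server's offered suites into (weak, acceptable) lists of classify() rows."""
    rows = [classify(c) for c in ciphers]
    weak = [r for r in rows if r["weak"]]
    acceptable = [r for r in rows if not r["weak"]]
    return weak, acceptable


def recommended_order(ciphers):
    """Drop the weak suites and order the rest by preference: AEAD with forward secrecy
    first, other forward-secret suites next, and static-RSA AES (e.g. AES128-SHA) last so
    that very old clients still negotiate something acceptable. The sort is stable, so the
    server's own relative order is preserved within each tier."""
    _, acceptable = audit(ciphers)
    tier = lambda r: (not r["aead"], not r["forward_secrecy"])
    return [r["name"] for r in sorted(acceptable, key=tier)]


def report(ciphers):
    """Human-readable summary: one line per weak suite, then the suggested server order
    in OpenSSL's colon-separated cipher-string form."""
    weak, _ = audit(ciphers)
    lines = [f"REMOVE {r['name']}: {'; '.join(r['weak'])}" for r in weak]
    lines.append("Suggested cipher string: " + ":".join(recommended_order(ciphers)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SERVER_CIPHERS))
```

Run against a real server, you would feed it the output of a TLS enumeration tool instead of the constructed list. The classifier only recognises the weak families named in the post and a few obvious siblings; it is not a substitute for a full scanner's grading, but it makes the "keep compatibility, drop 3DES" argument concrete: the suggested order still ends in `AES128-SHA`, which is what a pre-GCM client would negotiate.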
     
  5. MajorChuah

    MajorChuah Member

    Ayy
     
    Dremor likes this.
  6. Xeevis

    Xeevis Well-Known Member Max Kahuna Forum Tech

    I won't argue with you, this isn't a shining example of an internet Fort Knox. But it's sufficient; script-kiddies stand no chance. If you are indeed running an outdated browser full of security holes and poor encryption capabilities, one less DES3-capable domain won't make things any safer; these people care little for security (obviously) and if someone is sniffing their traffic, those master credentials are bound to leak in plain text. And with such a profile they are probably part of a botnet already anyway :D. Nothing we can do about it.

    Letsencrypt is a cool project, but those certificates are valid only for 90 days and their generation and deployment is not a 1-click kind of deal. It's a maintenance hurdle, handling private keys is not something you should do on a volunteer basis, and everything else costs a lot of money. The current implementation costs nothing, has zero maintenance and will function and upgrade automatically and indefinitely.
     
  7. Grummz

    Grummz Administrator Ember Dev

    The only attacks we condone are navel attacks.
     
  8. Mahdi

    Mahdi Gatestrider - T.H.M.P.R.


    Yo Joey! Is this enough PLOSION!!!! for you? My desk shook a little reading this.
     
    NitroMidgets and engjang like this.
  9. Torgue_Joey

    Torgue_Joey Emberite -Death Reaper

    GET A F*CKING DOCTOR. IF YOU CAN'T HOLD IN YOUR FART.
     
    NitroMidgets and Mahdi like this.
