SSL server configuration : you call that "secure" ?

Status
Not open for further replies.

Xeevis

Max Kahuna
Max Kahuna
Forum Tech
Jul 26, 2016
105
541
93
www.emberbot.com
#2
You call that insecure? :D It's important to note this is a small game community website not government institution, banking institution or corporation with juicy secrets. Cypher is deemed insecure when there's "someone" capable of cracking it. Even DES3 however old it is, to my knowledge (correct me if I'm wrong) can't be cracked without very expensive equipment and even then it takes days. Why would anyone with such resources waste it on cracking forums such as these?

Of course that also needs client to actually use that cypher, it's there only for backwards compatibility and is only used by browsers that don't support anything better, which should be totally rare these days, but it's still better to give them somewhat secure connection than nothing at all. My point is, you have to consider not just strength but also compatibility and how valuable target you are securing.

As for the scoring, frankly I don't find any of their suggestions security important. Enhancements definitely, but far from being necessities and hardly worth pursuing for this project. If you scan around for some much more exposed targets you'll find even worse scoring.

bankofamerica.com = 0/100
xenforo.com = 0/100

Shared SSL certificate is installed on Cloudflare servers and none have access to private keys, so from security standpoint it doesn't matter how many or what hostnames share in it.
 
#3
Like Xeevis said... Why would you attack a forum for a game that doesn't exist?

And if you use things for security, that aren't even compatible anymore, it can be far more secure than the new bullshit that is compatible with everything. Try to find something that is compatible with far more ancient cyphers, you probably got to write something completely new to crack it...
 

Dremor

New Member
Jul 27, 2016
13
4
3
#4
You call that insecure? :D It's important to note this is a small game community website not government institution, banking institution or corporation with juicy secrets. Cypher is deemed insecure when there's "someone" capable of cracking it. Even DES3 however old it is, to my knowledge (correct me if I'm wrong) can't be cracked without very expensive equipment and even then it takes days.
3DES is a reuse of the very old DES, by chaining it multiple times. But the algorithm itself is vulnerable to multiple attacks vector, especially a possible "known-plaintext" attack, with is a big problem for ssl, as there is a lot of known plaintext (http verbs, html tags, etc...), thus making it rather easy to decipher. It is still a good way to cypher passwords on a database, but not for a ssl connection.

Why would anyone with such resources waste it on cracking forums such as these?
Because unfortunately, there is still a lot of people who uses the same username/password of multiple website. By attacking a less secured server, you can get access to some other account, on other services, far more interesting.
Of course that also needs client to actually use that cypher, it's there only for backwards compatibility and is only used by browsers that don't support anything better, which should be totally rare these days, but it's still better to give them somewhat secure connection than nothing at all. My point is, you have to consider not just strength but also compatibility and how valuable target you are securing.
You can use secure cypher, and support very old client. Here is an example website. Got a B, but it still can serve to someone who uses Firefox 1.0, Chrome 1.0, or IE 7.

As for the scoring, frankly I don't find any of their suggestions security important. Enhancements definitely, but far from being necessities and hardly worth pursuing for this project. If you scan around for some much more exposed targets you'll find even worse scoring.

bankofamerica.com = 0/100
xenforo.com = 0/100
Well... if you use BoA services, I have only one thing to say :



Shared SSL certificate is installed on Cloudflare servers and none have access to private keys, so from security standpoint it doesn't matter how many or what hostnames share in it.
If it is the case, then it is a bit better. Still, it's far from secure. You can easily get a real certificate, for free, with Letsencrypt, and get a far better security.
 

Xeevis

Max Kahuna
Max Kahuna
Forum Tech
Jul 26, 2016
105
541
93
www.emberbot.com
#6
I won't argue with you, this isn't shining example of internet fort knox. But it's sufficient, script-kiddies stand no chance. If you indeed are running outdated browser full of security holes and poor encryption capabilities one less DES3-capable domain won't make things any safer, these people care little for security (obviously) and if someone is sniffing their traffic, those master credentials are bound to leak in plain-text. And with such profile they are probably part of botnet already anyway :D. Nothing we can do about it.

Letsencrypt is a cool project, but those certificates are valid only for 90 days and their generation and deployment is not 1-click kind of deal. It's a maintenance hurdle and handling private keys is not something you should do on volunteer basis and everything else costs a lot of money. Current implementation costs nothing, has zero maintenance and will function and upgrade automatically and indefinitely.
 

Mahdi

Firstclaimer
Jul 26, 2016
1,079
2,330
113
44
South Carolina, US
#8
I won't argue with you, this isn't shining example of internet fort knox. But it's sufficient, script-kiddies stand no chance. If you indeed are running outdated browser full of security holes and poor encryption capabilities one less DES3-capable domain won't make things any safer, these people care little for security (obviously) and if someone is sniffing their traffic, those master credentials are bound to leak in plain-text. And with such profile they are probably part of botnet already anyway :D. Nothing we can do about it.

Letsencrypt is a cool project, but those certificates are valid only for 90 days and their generation and deployment is not 1-click kind of deal. It's a maintenance hurdle and handling private keys is not something you should do on volunteer basis and everything else costs a lot of money. Current implementation costs nothing, has zero maintenance and will function and upgrade automatically and indefinitely.

Yo Joey! Is this enough PLOSION!!!! for you? My desk shook a little reading this.
 
Status
Not open for further replies.