2020-03-08 website test - mailbox.org
Summary
- weak TLS settings, no TLS 1.3
- HSTS max-age of only half a year, too short for HSTS preload
- CSP with weak settings
- weak cookie settings
ssllabs.com
https://www.ssllabs.com/ssltest/analyze.html?d=mailbox.org&s=80.241.60.194&latest
- Key Exchange 90/100
- Cipher Strength 90/100
ssllabs.com - Protocols
- TLS 1.3 - no
ssllabs.com - Cipher Suites - Handshake Simulation
4x WEAK
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 4096 bits FS WEAK 256
- Safari 6 / iOS 6.0.1 RSA 4096 (SHA256) TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH 4096 FS
- Safari 7 / iOS 7.1 R RSA 4096 (SHA256) TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH 4096 FS
- Safari 7 / OS X 10.9 R RSA 4096 (SHA256) TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH 4096 FS
- Safari 8 / iOS 8.4 R RSA 4096 (SHA256) TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH 4096 FS
- Safari 8 / OS X 10.10 RSA 4096 (SHA256) TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH 4096 FS
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
- IE 11 / Win Phone 8.1 R RSA 4096 (SHA256) TLS 1.2 > http/1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 4096 bits FS WEAK 128
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
The last two do not appear in the handshake simulation.
tls.imirhil.fr
https://tls.imirhil.fr/https/mailbox.org
- Cipher 90/100
- Keys : Diffie Hellman : ECC 256 bits
TLSv1_2:
DHE-RSA-AES128-GCM-SHA256 | DH | 4096 | RSA 4096 AES 128 128 GCM SHA256 | 256 PFS |
DHE-RSA-AES128-SHA | DH | 4096 | RSA 4096 AES 128 128 CBC SHA1 | 160 PFS |
ECDHE-RSA-AES128-GCM-SHA256 | ECDH | 256 | RSA 4096 AES 128 128 GCM SHA256 | 256 PFS |
ECDHE-RSA-AES128-SHA | ECDH | 256 | RSA 4096 AES 128 128 CBC SHA1 | 160 PFS |
hstspreload.org
https://hstspreload.org/?domain=mailbox.org
Serve an HSTS header on the base domain for HTTPS requests: The max-age must be at least 31536000 seconds (1 year).
https://observatory.mozilla.org/analyze/mailbox.org#third-party:
- "The max-age must be at least 31536000 seconds (≈ 1 year), but the header currently only has max-age=15768000."
observatory.mozilla.org
https://observatory.mozilla.org/analyze/mailbox.org
- Content Security Policy (CSP) implemented with unsafe sources inside style-src.
Content Security Policy Analysis:
- Blocks inline styles by not allowing 'unsafe-inline' inside style-src - NO
- Deny by default, using default-src 'none' - NO
- Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins - NO
- Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs - NO
https://observatory.mozilla.org/analyze/mailbox.org#tls Cipher Suites : 4x no AEAD
securityheaders.com
https://securityheaders.com/?followRedirects=on&hide=on&q=mailbox.org
- Grade capped at A, please see warnings below.
- Set-Cookie csrf_https-contao_csrf_token=...; path=/; secure; httponly; samesite=lax; httpOnly; secure
- Content-Security-Policy This policy contains 'unsafe-inline' which is dangerous in the style-src directive.
- Set-Cookie There is no Cookie Prefix on this cookie.