2020-03-08 website test - mailbox.org: Difference between revisions
Latest revision as of 2020-04-07T16:56:49
==Summary==
* weak TLS settings, no TLS 1.3
* only half year for HSTS preload
* CSP with weak settings
* weak cookie setting
==TLS==
===ssllabs.com===
https://www.ssllabs.com/ssltest/analyze.html?d=mailbox.org&s=80.241.60.194&latest
* Key Exchange 90/100
* Cipher Strength 90/100
====ssllabs.com - Protocols====
* TLS 1.3 - no
====ssllabs.com - Cipher Suites - Handshake Simulation====
4x WEAK
# TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 4096 bits FS WEAK 256
#* Safari 6 / iOS 6.0.1 RSA 4096 (SHA256) TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH 4096 FS
#* Safari 7 / iOS 7.1 R RSA 4096 (SHA256) TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH 4096 FS
#* Safari 7 / OS X 10.9 R RSA 4096 (SHA256) TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH 4096 FS
#* Safari 8 / iOS 8.4 R RSA 4096 (SHA256) TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH 4096 FS
#* Safari 8 / OS X 10.10 RSA 4096 (SHA256) TLS 1.2 TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH 4096 FS
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
#* IE 11 / Win Phone 8.1 R RSA 4096 (SHA256) TLS 1.2 > http/1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH secp256r1
# TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 4096 bits FS WEAK 128
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
The last two do not appear in the handshake simulation.
===tls.imirhil.fr===
https://tls.imirhil.fr/https/mailbox.org
* Cipher 90/100
* Keys : Diffie Hellman : ECC 256 bits
TLSv1_2:
{| class="wikitable"
! Cipher suite !! Key exchange !! Key exchange size (bits) !! Authentication / cipher / mode / hash !! Hash bits / PFS
|-
|DHE-RSA-AES128-GCM-SHA256||DH||4096||RSA 4096 AES 128 128 GCM SHA256||256 PFS
|-
|DHE-RSA-AES128-SHA||DH||4096||RSA 4096 AES 128 128 CBC SHA1||160 PFS
|-
|ECDHE-RSA-AES128-GCM-SHA256||ECDH||256||RSA 4096 AES 128 128 GCM SHA256||256 PFS
|-
|ECDHE-RSA-AES128-SHA||ECDH||256||RSA 4096 AES 128 128 CBC SHA1||160 PFS
|}
===hstspreload.org===
https://hstspreload.org/?domain=mailbox.org
Serve an HSTS header on the base domain for HTTPS requests: The max-age must be at least 31536000 seconds (1 year).
https://observatory.mozilla.org/analyze/mailbox.org#third-party:
* "The max-age must be at least 31536000 seconds (≈ 1 year), but the header currently only has max-age=15768000."
==observatory.mozilla.org==
https://observatory.mozilla.org/analyze/mailbox.org
* Content Security Policy (CSP) implemented with unsafe sources inside style-src.
Content Security Policy Analysis:
* Blocks inline styles by not allowing 'unsafe-inline' inside style-src - NO
* Deny by default, using default-src 'none' - NO
* Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins - NO
* Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs - NO
https://observatory.mozilla.org/analyze/mailbox.org#tls Cipher Suites : 4x no AEAD
==securityheaders.com==
https://securityheaders.com/?followRedirects=on&hide=on&q=mailbox.org
* Grade capped at A, please see warnings below.
* Set-Cookie csrf_https-contao_csrf_token=...; path=/; secure; httponly; samesite=lax; httpOnly; secure
* Content-Security-Policy This policy contains 'unsafe-inline' which is dangerous in the style-src directive.
* Set-Cookie There is no Cookie Prefix on this cookie.
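As an added illustration, not part of the original test notes: a small Python audit that applies the HSTS preload, CSP and cookie checks listed above to constructed sample headers. The header values (including the cookie name) are stand-ins modelled on the findings, not the responses observed from mailbox.org.

```python
import re
# Constructed sample headers modelled on the findings above; the real mailbox.org
# responses are not on this page, so these are stand-ins, not captured values.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=15768000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; style-src 'self' 'unsafe-inline'",
    "Set-Cookie": "csrf_token=PLACEHOLDER; path=/; secure; httponly; samesite=lax",
}
HSTS_PRELOAD_MIN_AGE = 31536000  # one year, the hstspreload.org minimum

def hsts_findings(value):
    """Issues that keep an HSTS header off the preload list."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    if m is None:
        return ["missing max-age"]
    issues = []
    if int(m.group(1)) < HSTS_PRELOAD_MIN_AGE:
        issues.append(f"max-age {m.group(1)} is below {HSTS_PRELOAD_MIN_AGE}")
    for token in ("includeSubDomains", "preload"):
        if token.lower() not in value.lower():
            issues.append(f"missing {token}")
    return issues

def csp_findings(value):
    """Simplified versions of the four Observatory CSP checks listed above."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    issues = []
    if "'unsafe-inline'" in directives.get("style-src", []):
        issues.append("style-src allows 'unsafe-inline'")
    if directives.get("default-src") != ["'none'"]:
        issues.append("default-src is not 'none'")
    for directive in ("base-uri", "form-action"):
        if directive not in directives:
            issues.append(f"{directive} is not restricted")
    return issues

def cookie_findings(value):
    """Attribute and prefix checks of the kind securityheaders.com reports."""
    name_value, *attr_parts = value.split(";")
    name = name_value.split("=", 1)[0].strip()
    attrs = {a.strip().lower() for a in attr_parts}
    issues = [f"missing {flag}" for flag in ("secure", "httponly") if flag not in attrs]
    if not name.startswith(("__Host-", "__Secure-")):
        issues.append("no cookie prefix")
    return issues
```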