[aklug] Re: the state of Alaskan web TLS

From: Royce Williams <royce@tycho.org>
Date: Thu Aug 20 2015 - 09:51:33 AKDT

On Mon, Aug 17, 2015 at 7:12 AM, Royce Williams <royce@tycho.org> wrote:
> It's not done, but it's Done Enough to publish a bad first draft.
>
> http://www.techsolvency.com/tls/
>
> Goal: show Alaskan geeks their HTTPS posture, and hopefully to improve
> overall Alaskan TLS health.
>
> Methodology: I'm using my Alaskan domain list and scans.io's public
> DNS dumps to track down Alaskan HTTPS hosts and use the API for the
> Qualys SSL Labs Server Test.
>
> Usability: Wide monitor recommended; I'm working on a way to customize
> which columns are shown, but it's a ways off yet. I'll move this to
> back-end searching when I can, but I didn't want to wait on getting
> the info out there. Also, the search box is waaay too slow - anyone
> want to contribute a JavaScript fix to add some delay between start of
> typing and the filter? Workaround: paste in the entire search string
> from your paste buffer instead.
>
> Access: The scan results are currently only accessible from what I
> know to be Alaskan IP space. If you can't get there, there's a custom
> 404 that will tell you how to let me know so that I can fix it.
>
> *Please* help by forwarding this to the Alaskan geeks that you know
> who need this info to secure their systems!

[sound of crickets] ... ? :)

I expected this to stir up more interest -- and even controversy,
since it includes specific SSL/TLS vulnerabilities for just about
every company of any size in the entire State of Alaska.

Among the notable bad things that I've uncovered:

- Large organizations with stuff exposed to the public Internet that
shouldn't be -- printers, DRAC/ILOs, HVAC, firewall configuration UIs

- Systems vulnerable to Logjam, FREAK, POODLE (both SSL and TLS
variants), CRIME, and CCS

- Systems with Heartbleed on them - yeah, even 16 months later

- Systems that still support extremely outdated and/or exploitable
configurations, including SSLv2, weak ciphers, insecure renegotiation,
weak DH parameters, RC4, and SHA-1 certs

- Extremely outdated and exploitable versions of Apache, IIS, and OpenSSL

- Sloppy and broken forward/reverse DNS

- Clear evidence of reliance on DNS obscurity by using hard-to-guess
hostnames (this was never very effective, but with the availability of
tools like DNS Dumpster, it's almost entirely useless)

I tried to strike a responsible-disclosure balance by limiting it to
Alaskan IP ranges. If you're in Alaska but get the 403, let me know
what space you're coming from (see the note in the 403 for what will
help me best identify your IP range).

Note that I've included all hostnames that appear in Alaskan IP space.
This includes sites that use vanity/personal domains and are hanging
off of someone's cable modem or DSL.

At a minimum, I recommend searching for domains that you either own,
manage, work for, or regularly do business with. If you're an Alaskan
outsourced IT or web-hosting provider, you should look for your client
domains as well. Since the searching is client-side with JavaScript,
I have no logs or any other way to tell what you're searching for.

The page has background info that will help you to remediate or
mitigate any issues noted with systems that you administer.

And even if you don't use my cache index, if you use HTTPS, *please*
run the Qualys SSL Labs Server Test against your HTTPS systems, fix
anything that gives you an F, and replace any SHA-1 certs.

Royce
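The slow search box mentioned in the quoted post is the usual client-side filter problem: a filter over thousands of rows re-runs on every keystroke. The following is an added example, not code from Royce's page, showing the debounce fix he asks for. The table rows, column names and the fake timer used for offline checking are all constructed for illustration; in a browser the wrapper is attached to an element with id "search" (an assumed id) and uses the real setTimeout/clearTimeout.

```javascript
// Added example (not from the original post): a debounced client-side
// filter for a large host table. Rows and the "search" element id are
// constructed/assumed for illustration.

// debounce(fn, waitMs, timers): returns a wrapper that delays fn until the
// caller has been quiet for waitMs. `timers` lets tests inject fake
// setTimeout/clearTimeout; in a browser the defaults are used.
function debounce(fn, waitMs, timers = { set: setTimeout, clear: clearTimeout }) {
  let pending = null;
  return function debounced(...args) {
    if (pending !== null) timers.clear(pending);
    pending = timers.set(() => { pending = null; fn.apply(this, args); }, waitMs);
  };
}

// Constructed sample of scan rows (hostname, IP, grade, flagged issues).
const SAMPLE_ROWS = [
  { host: 'www.example-ak.test', ip: '192.0.2.10', grade: 'A', issues: [] },
  { host: 'mail.example-ak.test', ip: '192.0.2.11', grade: 'F', issues: ['SSLv2', 'RC4'] },
  { host: 'printer.example-ak.test', ip: '192.0.2.12', grade: 'F', issues: ['Heartbleed'] },
  { host: 'vpn.example-ak.test', ip: '198.51.100.5', grade: 'B', issues: ['SHA-1 cert'] },
];

// filterRows: case-insensitive substring match over every column.
function filterRows(rows, query) {
  const q = query.trim().toLowerCase();
  if (q === '') return rows;
  return rows.filter(r =>
    [r.host, r.ip, r.grade, ...r.issues].some(v => String(v).toLowerCase().includes(q)));
}

// Fake timers so the behaviour can be checked deterministically offline.
function makeFakeTimers() {
  let now = 0, nextId = 1;
  const queue = new Map();
  return {
    set: (cb, ms) => { const id = nextId++; queue.set(id, { at: now + ms, cb }); return id; },
    clear: id => { queue.delete(id); },
    advance(ms) {
      now += ms;
      for (const [id, t] of [...queue]) if (t.at <= now) { queue.delete(id); t.cb(); }
    },
  };
}

// simulateTyping: feed keystrokes (50 ms apart) through the debounced
// filter and report how many times the filter actually ran plus the
// hosts matched once the user stops typing.
function simulateTyping(keystrokes, waitMs = 250) {
  const timers = makeFakeTimers();
  let runs = 0, result = SAMPLE_ROWS;
  const onInput = debounce(q => { runs++; result = filterRows(SAMPLE_ROWS, q); }, waitMs, timers);
  let typed = '';
  for (const ch of keystrokes) { typed += ch; onInput(typed); timers.advance(50); }
  timers.advance(waitMs); // quiet period after the last keystroke
  return { runs, matched: result.map(r => r.host) };
}

// Browser wiring, only when a DOM exists (id "search" is assumed).
if (typeof document !== 'undefined') {
  const box = document.getElementById('search');
  if (box) box.addEventListener('input', debounce(e => {
    const rows = filterRows(SAMPLE_ROWS, e.target.value);
    console.log(`${rows.length} rows match`);
  }, 250));
}
```

With a 250 ms wait and keystrokes 50 ms apart, typing a ten-character query runs the filter once instead of ten times; the paste-in workaround from the post becomes unnecessary.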
Received on Thu Aug 20 09:52:25 2015
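The methodology in the quoted post feeds hostnames to the Qualys SSL Labs Server Test API and turns the results into per-host findings of the kind listed in the message (SSLv2, Heartbleed, POODLE, Logjam, CCS, RC4, insecure renegotiation, CRIME, SHA-1 certs). The following is an added example, not Royce's code, of that triage step. The JSON is constructed; its field names follow the SSL Labs API v2 "analyze" response as the example's author understands it (grade, details.heartbleed, details.poodleTls, details.openSslCcs, details.renegSupport, details.compressionMethods, details.cert.sigAlg, and so on), which is an assumption and not something the post documents.

```javascript
// Added example (not from the original post): turning a constructed
// SSL Labs API v2 "analyze" response into findings for a posture table.
// Field names are assumed from the API as understood by this example's author.

const SAMPLE_ANALYZE = {
  host: 'mail.example-ak.test',
  status: 'READY',
  endpoints: [{
    ipAddress: '192.0.2.11',
    grade: 'F',
    details: {
      protocols: [
        { name: 'SSL', version: '2.0' },
        { name: 'SSL', version: '3.0' },
        { name: 'TLS', version: '1.0' },
      ],
      supportsRc4: true,
      heartbleed: true,
      poodle: true,          // SSLv3 POODLE
      poodleTls: 2,          // 2 = vulnerable to the TLS variant
      freak: false,
      logjam: true,
      openSslCcs: 3,         // 3 = CCS injection, exploitable
      renegSupport: 1,       // bit 0 = insecure client-initiated renegotiation
      compressionMethods: 1, // bit 0 = DEFLATE (CRIME)
      cert: { sigAlg: 'SHA1withRSA' },
    },
  }],
};

// Map one endpoint's details to readable findings, in the order the post
// lists them. Returns [] for a clean endpoint. Missing fields are tolerated
// because the API omits details for unreachable endpoints.
function findingsForEndpoint(ep) {
  const d = ep.details || {};
  const out = [];
  const protos = (d.protocols || []).map(p => `${p.name}v${p.version}`);
  if (protos.includes('SSLv2.0')) out.push('SSLv2 enabled');
  if (protos.includes('SSLv3.0')) out.push('SSLv3 enabled');
  if (d.heartbleed) out.push('Heartbleed');
  if (d.poodle) out.push('POODLE (SSLv3)');
  if (d.poodleTls === 2) out.push('POODLE (TLS)');
  if (d.freak) out.push('FREAK');
  if (d.logjam) out.push('Logjam');
  if (d.openSslCcs === 3) out.push('OpenSSL CCS injection');
  if (d.supportsRc4) out.push('RC4 supported');
  if (typeof d.renegSupport === 'number' && (d.renegSupport & 1)) out.push('insecure renegotiation');
  if (typeof d.compressionMethods === 'number' && (d.compressionMethods & 1)) out.push('TLS compression (CRIME)');
  if (d.cert && /^SHA1/i.test(d.cert.sigAlg || '')) out.push('SHA-1 certificate');
  return out;
}

// Flatten one analyze() response into one row per endpoint (IP address).
// A report that is not READY yet yields no rows; the caller should poll again.
function rowsForHost(report) {
  if (report.status !== 'READY') return [];
  return (report.endpoints || []).map(ep => ({
    host: report.host,
    ip: ep.ipAddress,
    grade: ep.grade || 'n/a',
    findings: findingsForEndpoint(ep),
  }));
}

// The post's minimum bar: anything graded F, or any SHA-1 cert, needs action.
function needsAttention(row) {
  return row.grade === 'F' || row.findings.includes('SHA-1 certificate');
}

// Example run against the constructed report.
const rows = rowsForHost(SAMPLE_ANALYZE);
for (const row of rows) {
  console.log(`${row.host} ${row.ip} grade=${row.grade}` +
    (needsAttention(row) ? ' [ACTION]' : '') + '\n  ' + row.findings.join(', '));
}
```

The same mapping works for the other hosts in a scan: collect one analyze() result per hostname (the API returns status IN_PROGRESS until the assessment finishes, so poll before calling rowsForHost) and concatenate the rows into the table the client-side filter searches.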
