ISSUE SUMMARY

Service | Issues
---|---
www.gmail.com:443 | Preference Given to RC4 Ciphers; Session Resumption NOT Supported; Support for MD5 MAC Enabled; Incorrect Cache Control Directives; HSTS Header NOT Enabled
www.yahoo.com:443 | Session Resumption NOT Supported; Support for MD5 MAC Enabled; Incorrect Cache Control Directives; Cookie - Secure Flag Not Set; Cookie - HttpOnly Flag Not Set; Low HSTS Header Timeout Value
www.lastpass.com:443 | Use of Wild Card Certificate; Vulnerable to BEAST Attack; Incorrect Cache Control Directives; Cookie - Secure Flag Not Set; Cookie - HttpOnly Flag Not Set; HSTS Header NOT Enabled

Service (host:port) | www.gmail.com:443 | Risk Level
---|---|---
Cipher Related Information | |
SSL 2.0 Ciphers Supported | None |
SSL 3.0 Ciphers Supported | AES256-SHA with a key length of 256 bits; AES128-SHA with a key length of 128 bits; DES-CBC3-SHA with a key length of 168 bits; RC4-SHA with a key length of 128 bits; RC4-MD5 with a key length of 128 bits |
TLS 1.0 Ciphers Supported | AES256-SHA with a key length of 256 bits; AES128-SHA with a key length of 128 bits; DES-CBC3-SHA with a key length of 168 bits; RC4-SHA with a key length of 128 bits; RC4-MD5 with a key length of 128 bits |
Preferred Ciphers | SSL 3.0: RC4-SHA (128 bits); TLS 1.0: RC4-SHA (128 bits) |
Certificate Details | |
Host IP Address | 173.194.41.118 |
Host Name on the Certificate | www.gmail.com |
Certificate ID | X.509 Hex: 1dd3912e6037cf32; SHA-1 fingerprint: 58bcbdfb36ead7791aebda5e457553464d75a761; Public Key Id: 395fd6e66e4bb7bcfcfa2bb88a8448e5c96198e2 |
Issued To | Country: US, State: California, Location: Mountain View, Organisation: Google Inc, Common Name: www.gmail.com |
Issued By | Country: US, Organisation: Google Inc, Common Name: Google Internet Authority G2 |
Alias Information | DNSname: www.gmail.com |
Validity Information | Not Before: Wed Apr 09 11:58:09 UTC 2014; Not After: Tue Jul 08 00:00:00 UTC 2014. Valid. Expiring in 72 days. |
Key Information | RSA with a key size of 2048 bits. |
Key Purpose | TLS WWW Server. TLS WWW Client. |
Signature Algorithm | RSA-SHA1 |
Revocation Information | CRL Distribution Points: http://pki.google.com/GIAG2.crl |
Self-signed Certificate | No |
Wild Card Certificate | No |
Trusted Certificate | Yes |
Certificate Chain | 2 certificates in the chain. Next certificate in the chain: Serial Number (hex): 023a69; Validity: Fri Apr 05 15:15:55 UTC 2013 to Sat Apr 04 15:15:55 UTC 2015; Key details: RSA - Legacy (2048 bits); Signature Algorithm: RSA-SHA1; Certificate Authority (CA): TRUE; Issuer: Country:US, Organisation:GeoTrust Inc., Common Name:GeoTrust Global CA. Next certificate in the chain: Serial Number (hex): 12bbe6; Validity: Tue May 21 04:00:00 UTC 2002 to Tue Aug 21 04:00:00 UTC 2018; Key details: RSA - Legacy (2048 bits); Signature Algorithm: RSA-SHA1; Certificate Authority (CA): TRUE; Issuer: Country:US, Organisation:Equifax, Organisation Unit:Equifax Secure Certificate Authority |
Protocols Supported | SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 |
Protocol Fallback | N/A |
Session Resumption | No |
Secure Renegotiation | Yes |
MAC Support | MD5, SHA1, SHA256 |
Vulnerable to BEAST Attack | No |
Vulnerable to CRIME Attack | No |
Certificate | -----BEGIN CERTIFICATE----- … -----END CERTIFICATE----- |
Web Server Checks | |
Banner | sffe |
Cookies with Issues | No issues identified with flags. |
Cache Settings | public, max-age=2592000. Content caching allowed. |
HSTS Header Setting | Not Enabled |
Other Security Related Headers | `X-Content-Type-Options: nosniff`; `X-XSS-Protection: 1; mode=block` |

Service (host:port) | www.yahoo.com:443 | Risk Level
---|---|---
Certificate Details | |
Host IP Address | 46.228.47.114 |
Host Name on the Certificate | www.yahoo.com |
Certificate ID | X.509 Hex: 1dc0124a024a2cd6ce88c94c0f24f1cf; SHA-1 fingerprint: 6b52651caf7b1f306050179d27570d4d5c5bfd24; Public Key Id: b3bf9e8a6e92bc64e9e9b0f62a4f0a8f8c3e0c90 |
Issued To | Country: US, State: California, Location: Sunnyvale, Organisation: Yahoo Inc., Organisation Unit: Information Technology, Common Name: www.yahoo.com |
Issued By | Country: US, Organisation: VeriSign\, Inc., Organisation Unit: VeriSign Trust Network, Organisation Unit: Terms of use at https://www.verisign.com/rpa (c)10, Common Name: VeriSign Class 3 Secure Server CA - G3 |
Alias Information | DNSname: www.yahoo.com, yahoo.com, hsrd.yahoo.com, us.yahoo.com, fr.yahoo.com, uk.yahoo.com, za.yahoo.com, ie.yahoo.com, it.yahoo.com, es.yahoo.com, de.yahoo.com, ca.yahoo.com, qc.yahoo.com, br.yahoo.com, ro.yahoo.com, se.yahoo.com, be.yahoo.com, fr-be.yahoo.com, ar.yahoo.com, mx.yahoo.com, cl.yahoo.com, co.yahoo.com, ve.yahoo.com, espanol.yahoo.com, pe.yahoo.com, in.yahoo.com, sg.yahoo.com, id.yahoo.com, malaysia.yahoo.com, ph.yahoo.com, vn.yahoo.com, maktoob.yahoo.com, en-maktoob.yahoo.com, ca.my.yahoo.com, gr.yahoo.com, att.yahoo.com, au.yahoo.com, nz.yahoo.com, tw.yahoo.com, hk.yahoo.com, brb.yahoo.com, my.yahoo.com, add.my.yahoo.com |
Validity Information | Not Before: Wed Apr 09 00:00:00 UTC 2014; Not After: Thu Apr 09 23:59:59 UTC 2015. Valid. Expiring in 347 days. |
Key Information | RSA with a key size of 2048 bits. |
Key Purpose | TLS WWW Server. TLS WWW Client. |
Signature Algorithm | RSA-SHA1 |
Revocation Information | CRL Distribution Points: http://SVRSecure-G3-crl.verisign.com/SVRSecureG3.crl |
Self-signed Certificate | No |
Wild Card Certificate | No |
Trusted Certificate | Yes |
Certificate Chain | 2 certificates in the chain. Next certificate in the chain: Serial Number (hex): 6ecc7aa5a7032009b8cebcf4e952d491; Validity: Mon Feb 08 00:00:00 UTC 2010 to Fri Feb 07 23:59:59 UTC 2020; Key details: RSA - Legacy (2048 bits); Certificate Authority (CA): TRUE; Issuer: Country:US, Organisation:VeriSign\, Inc., Organisation Unit:VeriSign Trust Network, Organisation Unit:(c) 2006 VeriSign\, Inc. - For authorized use only, Common Name:VeriSign Class 3 Public Primary Certification Authority - G5. Next certificate in the chain: Serial Number (hex): 250ce8e030612e9f2b89f7054d7cf8fd; Validity: Wed Nov 08 00:00:00 UTC 2006 to Sun Nov 07 23:59:59 UTC 2021; Key details: RSA - Legacy (2048 bits); Certificate Authority (CA): TRUE; Issuer: Country:US, Organisation:VeriSign\, Inc., Organisation Unit:Class 3 Public Primary Certification Authority |
Protocols Supported | SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 |
Protocol Fallback | N/A |
Session Resumption | No |
Secure Renegotiation | Yes |
MAC Support | MD5, SHA1, SHA256 |
Vulnerable to BEAST Attack | |
Vulnerable to CRIME Attack | |
Certificate | -----BEGIN CERTIFICATE----- … -----END CERTIFICATE----- |
Web Server Checks | |
Banner | ATS |
Cookies with Issues | DNR: No 'Secure' flag; No 'HttpOnly' flag |
Cache Settings | private. Content caching allowed. |
HSTS Header Setting | Valid for (maximum age) 0 seconds (0 hours). Low HSTS timeout value (one hour or less). |
Other Security Related Headers | `X-Frame-Options: DENY` |

Service (host:port) | www.lastpass.com:443 | Risk Level
---|---|---
Cipher Related Information | |
SSL 2.0 Ciphers Supported | None |
SSL 3.0 Ciphers Supported | DHE-RSA-AES256-SHA with a key length of 256 bits; DHE-RSA-AES128-SHA with a key length of 128 bits; RC4-SHA with a key length of 128 bits |
TLS 1.0 Ciphers Supported | DHE-RSA-AES256-SHA with a key length of 256 bits; DHE-RSA-AES128-SHA with a key length of 128 bits; RC4-SHA with a key length of 128 bits |
Preferred Ciphers | SSL 3.0: DHE-RSA-AES256-SHA (256 bits); TLS 1.0: DHE-RSA-AES256-SHA (256 bits) |
Certificate Details | |
Host IP Address | 128.121.22.187 |
Host Name on the Certificate | *.lastpass.com |
Certificate ID | X.509 Hex: 11210a690fb5d6187a5e5883833cdb1ccbb6; SHA-1 fingerprint: f9f2019beb5fd638b3f241adaf4b6b4c213c8885; Public Key Id: 59ca93645df4732965787ee333a8ec45ba73a45f |
Issued To | Country: US, Organisation Unit: Domain Control Validated, Common Name: *.lastpass.com |
Issued By | Organisation: AlphaSSL, Common Name: AlphaSSL CA - G2 |
Alias Information | DNSname: *.lastpass.com, lastpass.com |
Validity Information | Not Before: Tue Apr 08 18:22:02 UTC 2014; Not After: Sun Sep 18 18:12:44 UTC 2016. Valid. |
Key Information | RSA with a key size of 2048 bits. |
Key Purpose | TLS WWW Server. TLS WWW Client. |
Signature Algorithm | RSA-SHA1 |
Revocation Information | CRL Distribution Points: http://crl2.alphassl.com/gs/gsalphag2.crl |
Self-signed Certificate | No |
Wild Card Certificate | Yes |
Trusted Certificate | Yes |
Certificate Chain | 1 certificate in the chain. Next certificate in the chain: Serial Number (hex): 0400000000012f4ee13702; Validity: Wed Apr 13 10:00:00 UTC 2011 to Wed Apr 13 10:00:00 UTC 2022; Key details: RSA - Legacy (2048 bits); Signature Algorithm: RSA-SHA1; Certificate Authority (CA): TRUE; Issuer: Country:BE, Organisation:GlobalSign nv-sa, Organisation Unit:Root CA, Common Name:GlobalSign Root CA |
Protocols Supported | SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 |
Protocol Fallback | N/A |
Session Resumption | Yes |
Secure Renegotiation | Yes |
MAC Support | SHA1, SHA256 |
Vulnerable to BEAST Attack | Yes |
Vulnerable to CRIME Attack | No |
Certificate | -----BEGIN CERTIFICATE----- … -----END CERTIFICATE----- |
Web Server Checks | |
Banner | LastPass |
Cookies with Issues | lang: No 'Secure' flag; No 'HttpOnly' flag |
Cache Settings | Caching directives not present. Content caching allowed. |
HSTS Header Setting | Not Enabled |
Other Security Related Headers | `X-Frame-Options: SAMEORIGIN`; `X-XSS-Protection: 1; mode=block`; `X-Content-Type-Options: nosniff`; `Content-Security-Policy: default-src 'self' ; img-src 'self' https://lastpass.com data: http://www.google-analytics.com https://ssl.google-analytics.com https://www.google-analytics.com https://img.youtube.com; object-src 'self' http://*.googlevideo.com http://*.youtube.com https://*.youtube.com http://*.ytimg.com https://*.ytimg.com http://www.google.com http://youtube.googleapis.com; connect-src 'self' https://*.lastpass.com wss://*.lastpass.com ; style-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.stripe.com https://*.lastpass.com ; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.lastpass.com https://www.youtube.com https://*.ytimg.com https://*.stripe.com ; font-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.stripe.com https://*.lastpass.com ; frame-src 'self' https://www.youtube.com https://*.ytimg.com https://ssl.gstatic.com https://www.google.com https://www.youtube.com`; `X-Content-Security-Policy: allow 'self' https://*.stripe.com 'self' https://*.lastpass.com wss://*.lastpass.com ; img-src 'self' https://lastpass.com data: http://www.google-analytics.com https://ssl.google-analytics.com https://www.google-analytics.com https://img.youtube.com; object-src 'self' http://*.googlevideo.com http://*.youtube.com https://*.youtube.com http://*.ytimg.com https://*.ytimg.com http://www.google.com http://youtube.googleapis.com; frame-src 'self' https://www.youtube.com https://*.ytimg.com https://ssl.gstatic.com https://www.google.com https://www.youtube.com ; options inline-script eval-script` |

Preference Given to RC4 Ciphers |
---|---
Description: | The SSL server gives preference to RC4-based ciphers, which are weak.
Recommendation: | It is recommended to enable support for the TLS 1.1 and TLS 1.2 protocols and to give preference to stronger ciphers based on AES.
References: | N/A

Session Resumption NOT Supported |
---|---
Description: | The SSL service was found not to support SSL/TLS session resumption.
Recommendation: | It is recommended to enable support for session resumption to improve the performance of the SSL service.
References: | http://www.linuxjournal.com/article/5487

Support for MD5 MAC Enabled |
---|---
Description: | The SSL service supports the MD5 MAC, which is weak.
Recommendation: | It is recommended to disable support for the MD5 MAC and only support MACs based on SHA.
References: | N/A

Incorrect Cache Control Directives |
---|---
Description: | Cache control directives were not set properly.
Recommendation: | Set cache directives to "no store, no cache" to prevent all browsers from caching the information in the page.
References: | N/A

HSTS Header NOT Enabled |
---|---
Description: | The HSTS (HTTP Strict Transport Security) header was not enabled. This header forces the client browser to use only HTTPS and thus improves the overall security of the application. It helps mitigate SSL-stripping types of attack.
Recommendation: | It is recommended to set the HSTS header with an appropriate timeout value based on the sensitivity of the information.
References: | N/A

Cookie - Secure Flag Not Set |
---|---
Description: | The cookies set by the web server were missing the 'Secure' flag. If the Secure flag is not set, the cookie will be transmitted in clear text when the user visits any HTTP URL within the cookie's scope, and can be trivially intercepted.
Recommendation: | It is recommended to set the 'Secure' flag if the cookie contains any sensitive information.
References: | https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29

Cookie - HttpOnly Flag Not Set |
---|---
Description: | The cookies set by the web server were missing the 'HttpOnly' flag. Setting this flag prevents JavaScript from accessing the cookie's content, which mitigates cross-site scripting attacks to a certain extent.
Recommendation: | It is recommended to set the 'HttpOnly' flag if the cookie contains any sensitive information.
References: | https://www.owasp.org/index.php/Testing_for_cookies_attributes_%28OWASP-SM-002%29; http://www.owasp.org/index.php/HttpOnly

Low HSTS Header Timeout Value |
---|---
Description: | The timeout value set on the HSTS header was found to be small.
Recommendation: | It is recommended to increase the timeout value to a reasonable level.
References: | N/A

Use of Wild Card Certificate |
---|---
Description: | During the test, a wildcard certificate was found to be in use on the server. Wildcard certificates should be avoided due to the risks involved in using them. Some of the disadvantages / risks of using wildcard certificates are: Security: if one server or sub-domain is compromised, all sub-domains may be compromised; Management: if the wildcard certificate needs to be revoked, all sub-domains will need a new certificate; Compatibility: wildcard certificates may not work seamlessly with older server-client configurations; Key Management: the private key has to be copied to all servers, and any insecure practice can lead to a compromise of all the servers using the certificate.
Recommendation: | It is recommended to use individual certificates for each subdomain to limit the extent of a compromise and improve the overall security of the infrastructure.
References: | N/A

Vulnerable to BEAST Attack |
---|---
Description: | The SSL service on the web server might be vulnerable to the BEAST attack. The SSL service has no support for the TLS 1.1 or TLS 1.2 protocols and gives higher priority (preferred ciphers) to block ciphers. The BEAST attack exploits a vulnerability in the way block ciphers are used in the SSL 3.0 and TLS 1.0 protocols. As a result, a man-in-the-middle attack is possible that can be used to obtain plaintext HTTP headers from the encrypted tunnel. Stream ciphers are not vulnerable to this attack as they work in a completely different way.
Recommendation: | To mitigate this risk, enable support only for the TLS 1.1 and TLS 1.2 protocols, as these are not vulnerable to this attack. The compatibility of the server and the clients should be checked before enabling support for these protocols, as many clients do not support them. If the clients are not compatible, a workaround is available: give lower priority to all the block ciphers and higher priority to stream ciphers (RC4), though these are not cryptographically as strong as block ciphers.
References: | http://www.phonefactor.com/resources/CipherSuiteMitigationForBeast.pdf; http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389; http://www.kb.cert.org/vuls/id/864643