Monday, April 27, 2015

Web site infrastructure security

Google Chrome has started to show sites that still use certificates signed with the old SHA-1 algorithm as not verified.

Sites with SSL certificates that expire before January 1, 2016 won’t be affected, but sites with certificates that expire later will need to have their certificates reissued.

“Early 2015 – Chrome 41: Sites with end-entity certificates that expire between 1 January 2016 and 31 December 2016 (inclusive), and which include a SHA1-based signature as part of the certificate chain, will be treated as “secure, but with minor errors”.
Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA1-based signature as part of the certificate chain, will be treated as “affirmatively insecure”. Subresources from such domains will be treated as “active mixed content”. The current visual display for “affirmatively insecure” is a lock with a red X, and a red strike-through text treatment in the URL scheme.”
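To make the quoted policy concrete, here is an added example (not from the original post, and not Google's code) that classifies a certificate chain the way the Chrome 41 rules above do and lists the certificates that need reissuing. The chain representation (subject, issuer, signature algorithm name and expiry date per certificate) and the sample chains are constructed for the example; it also applies Chrome's rule that a trusted root's own self-signature is not counted, since clients trust a root by identity rather than by its signature.

```python
from datetime import date

# The three Chrome 41 treatments quoted above
SECURE = "secure"
MINOR_ERRORS = "secure, but with minor errors"
INSECURE = "affirmatively insecure"


def sha1_signed(chain):
    """Return the subjects of chain certificates carrying a SHA-1 based
    signature; these are the ones that must be reissued. The self-signed
    root is skipped because Chrome does not count a root's own signature."""
    return [c["subject"] for c in chain
            if c["issuer"] != c["subject"]
            and c["sig_alg"].lower().startswith("sha1")]


def chrome41_treatment(chain):
    """Classify a chain (leaf certificate first) per the Chrome 41 rules."""
    if not sha1_signed(chain):
        return SECURE
    not_after = chain[0]["not_after"]          # expiry of the end-entity cert
    if not_after < date(2016, 1, 1):
        return SECURE                          # expires before 2016: unaffected
    if not_after <= date(2016, 12, 31):
        return MINOR_ERRORS
    return INSECURE


# Constructed sample certificates (not real CAs or sites)
ROOT = {"subject": "Example Root CA", "issuer": "Example Root CA",
        "sig_alg": "sha1WithRSAEncryption", "not_after": date(2030, 1, 1)}
SHA1_ISSUER = {"subject": "Example Issuing CA", "issuer": "Example Root CA",
               "sig_alg": "sha1WithRSAEncryption", "not_after": date(2025, 1, 1)}
SHA256_ISSUER = dict(SHA1_ISSUER, sig_alg="sha256WithRSAEncryption")


def leaf(not_after, sig_alg="sha256WithRSAEncryption"):
    return {"subject": "www.example.com", "issuer": "Example Issuing CA",
            "sig_alg": sig_alg, "not_after": not_after}


CHAINS = {
    "SHA-1 leaf expiring 2015": [leaf(date(2015, 11, 30), "sha1WithRSAEncryption"), SHA256_ISSUER, ROOT],
    "SHA-1 intermediate, leaf expiring 2016": [leaf(date(2016, 6, 30)), SHA1_ISSUER, ROOT],
    "SHA-1 leaf and intermediate, expiring 2017": [leaf(date(2017, 3, 1), "sha1WithRSAEncryption"), SHA1_ISSUER, ROOT],
    "SHA-256 chain under a SHA-1 root": [leaf(date(2018, 1, 1)), SHA256_ISSUER, ROOT],
}

if __name__ == "__main__":
    for name, chain in CHAINS.items():
        print(f"{name}: {chrome41_treatment(chain)}; reissue: {sha1_signed(chain)}")
```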

Last month we had an issue with a customer site regarding this and some other, more concerning, issues. It all started when the customer got some unwanted publicity because the site was rated F by the SSL Labs validation tool. It turned out that what the infrastructure guys had missed was to turn on TLS 2.0 support and to disable the SSL V1-V3 protocols and the RC4 cipher on the web front servers and on the load balancers that terminate the SSL traffic, along with a weak SSL certificate that used SHA-1. This was bad news, but these things were also very easily fixed, and the customer is now at a considerably better A- rating.

The remedies for this are to

There are more things you can do proactively to protect your sites. Some must be dealt with by the IT organization, but others can be done on the servers themselves.

Check out these links:

PEN test your site

Other PEN testing tools

PEN test the infrastructure

Is a great resource for web security. Here you can find almost everything you'll ever need regarding web security.

Cheat sheet

And Troy Hunt has a great Pluralsight course, a top 10 ASP.NET list to check.

This is how you disable excessive response headers (the httpRuntime element in web.config suppresses the X-AspNet-Version header):

  <httpRuntime enableVersionHeader="false" />

The MVC version is also easy, although it does require us to touch code. Over in the Global.asax, we want to jump into the Application_Start event and add the following:

MvcHandler.DisableMvcResponseHeader = true;

I hope these tips can help you get a more secure site.