[ZendTo] XSS

Der PCFreak mailinglists at pcfreak.de
Thu Mar 3 07:07:43 GMT 2016


Hi,

just for information, I got an A+ for my ZendTo installation at 
https://www.ssllabs.com/ssltest/index.html with these settings in my ssl.conf

   #/etc/httpd/conf.d/ssl.conf
   SSLProtocol all -SSLv2 -SSLv3
   SSLHonorCipherOrder on
   SSLCipherSuite ALL:!RC4:!MD5:!ADH:!EXP:!SSLv2:!LOW:!IDEA:RSA:+HIGH:+MEDIUM

This will disable nearly all weak cipher suites, only the ones needed 
for older Internet Explorers (IE8 on XP) will be in.
Maybe change this next year? To verify your “SSLCipherSuite” string you 
can use the following command:

   #> openssl ciphers -v 'ALL:!RC4:!MD5:!ADH:!EXP:!SSLv2:!LOW:!IDEA:RSA:+HIGH:+MEDIUM'

It will print out a list of all ciphers that the above line allows in 
the order specified!


I also enabled HSTS with this setting in ssl.conf (29376000 = 350 days)

   #/etc/httpd/conf.d/ssl.conf
   # enable HSTS (client will automatically choose https in the future if once connected via https)
   <IfModule headers_module>
           Header always set Strict-Transport-Security "max-age=29376000"
   </IfModule>

Kind regards and @Jules thanks again for the good work and all other 
contributors.

PCFreak



On 03.03.2016 00:37, Kevin Miller wrote:
>> P.S. Sorry I haven't done an update in *ages*. 2 questions:
>> (1) What other outstanding bugs/patches are there?, and
>> (2) Is it worth me re-writing the areyouahuman CAPTCHA
>> code for their new one, or is everyone happy with the Google
>> one (reCAPTCHA) that is there already?
> Not sure about bug patches in zendto, but of late there are some significant issues regarding web server security, if you'll indulge a bit of slightly off-topic traffic.
>
> A new attack makes all servers running SSLv2 vulnerable.
> Info on the latest attack can be had here:
>    https://drownattack.com/
>    http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html
> Note that the attack works even if SSLv2 is "soft disabled" by disabling all SSLv2 ciphers.
>
> To check for other vulnerabilities, run the tests at :
>    https://www.ssllabs.com/ssltest/index.html
>
> For fixes, see:
>    http://blog.rlove.org/2013/12/strong-ssl-crypto.html
>
> Regarding AreYouAHuman, I just rolled back to reCaptcha.  Options are nice, but the reCaptcha isn't nearly as odious as it was in the past.
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>
>
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto
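An added check, not part of this thread or of ZendTo, for the SSLCipherSuite string PCFreak posted: a Python script that parses lines in the format `openssl ciphers -v` prints and reports which of the string's exclusions (RC4, MD5, ADH, EXP, SSLv2, LOW, IDEA) each cipher would violate. The sample lines are constructed to look like openssl output, not captured from a real host.

```python
"""Audit `openssl ciphers -v` style output against the exclusions in the
SSLCipherSuite string from the mail (RC4, MD5, ADH, EXP, SSLv2, LOW, IDEA)."""
import re

# Constructed sample in the format of `openssl ciphers -v` output (not real capture).
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
"""

# One `openssl ciphers -v` line: name, protocol, Kx=, Au=, Enc=, Mac=, optional flags.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<flags>.*)$")

def parse_cipher_line(line):
    """Split one output line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def policy_violations(cipher):
    """Return the exclusions of the mail's SSLCipherSuite that this cipher hits."""
    enc, bits = re.match(r"([A-Za-z0-9]+)\(?(\d*)", cipher["enc"]).groups()
    bits = int(bits) if bits else 0
    export = "export" in cipher["flags"]
    hits = []
    if cipher["proto"] == "SSLv2": hits.append("SSLv2")
    if enc == "RC4": hits.append("RC4")
    if cipher["mac"] == "MD5": hits.append("MD5")
    if cipher["au"] == "None": hits.append("ADH")      # anonymous DH, no server auth
    if export: hits.append("EXP")                      # 40/56-bit export grade
    if enc == "IDEA": hits.append("IDEA")
    if 0 < bits < 128 and not export: hits.append("LOW")  # e.g. single DES(56)
    return hits

def audit(output):
    """Map each cipher name to its violations; an empty list means it is allowed."""
    report = {}
    for line in output.splitlines():
        c = parse_cipher_line(line)
        if c:
            report[c["name"]] = policy_violations(c)
    return report

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_OUTPUT).items():
        print(f"{name:28} {'OK' if not hits else 'REJECT: ' + ','.join(hits)}")
```

Pipe the real output of the `openssl ciphers -v` command above into `audit()` to confirm that every cipher the string admits comes back with an empty list; DES-CBC3-SHA (3DES) passes here because the string keeps MEDIUM for the old clients the mail mentions.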


