Author Topic: Tests and other Media topics  (Read 584672 times)

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6700
  • Trust only what you test yourself!
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Tests and other Media topics
« Reply #286 on: August 05, 2015, 12:11:16 PM »
A question to the forum users,
Who uses the wonderful protection of uMatrix extension inside Google Chrome or inside Firefox?

It keeps you in full control of where your browser is allowed to connect for all domains, the present domain, and for all third party domains (some domains are blocked by default, like google.analytics etc. etc.). You can toggle blocking/unblocking per cookie, css, image, plug-in, script, XHR, frame, others. Red is blocked and green is allowed to connect. You can turn the filtering off per website. You can save all temp. changes for a website or delete such temp. settings. Renew the page from inside uMatrix. Visit the logger.
You can set spoofing for agent (on/off), referer spoofing (on/off) and strict HTTPS (on/off). You can delete all temp. changes to the default settings under + or go to the dashboard. You can change settings for visibility, use block lists, use your own permanent and temp. filters. I think it is so versatile anyone can learn to use it and even as per default it gives loads of protection.

Like to hear your reactions,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Tests and other Media topics
« Reply #287 on: August 05, 2015, 01:10:00 PM »
Quote
A question to the forum users,
Who uses the wonderful protection of uMatrix extension inside Google Chrome or inside Firefox?

I use.
The best things in life are free.

Offline polonus

Re: Tests and other Media topics
« Reply #289 on: August 08, 2015, 01:39:32 AM »
HTML5 Canvas Fingerprinting test: https://www.browserleaks.com/canvas
On the project: https://github.com/Valve/fingerprintjs
See how it is supported in the browser: http://caniuse.com/#search=canvas
Test: http://www.html5accessibility.com/tests/canvas.html
Protection: http://fingerprint.pet-portal.eu/?menu=6  and now also via Privacy Badger extension.

Quite another form of fingerprinting: https://www.grc.com/fingerprints.htm
Domain Name   Certificate Name   EV   Security Certificate's Authentic Fingerprint
forum.avast.com   *.avast.com   —   DF:57:EC:1C:3A:4D:EE:B2:55:46:5F:26:08:0B:8E:92:74:4A:D8:00

Test the uniqueness of your browser and what it reveals: https://panopticlick.eff.org/index.php?action=log&js=yes
See Content Filtering and Proxy Detection in my browser attached.

polonus
« Last Edit: August 08, 2015, 01:56:58 AM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #290 on: August 08, 2015, 01:38:04 PM »
Hi folks,
Quote taken from browserleaks
Quote
Disable WebRTC in Chrome
WebRTC in Google Chrome is supported and enabled by default since Chrome version 23 (and based on it, ex. Opera, Vivaldi).

Bad news:

You CAN'T turn off WebRTC on desktop version of Google Chrome, Disable WebRTC flag is available only on Android.

Good news:

There is a Chrome Extension: WebRTC Block.

Extension hides your public IP when you're behind VPN. It will leak only VPN's public IP, but not your real provider IP address! Extension also hides your Local/NAT IP addresses.

Unfortunately, if you're behind proxy but not VPN, WebRTC Block will not help you.

I can't do anything, and no one can. This piece of the periodic table is ****ed by design. So PLEASE stop insulting me on mail and webstore that it's "NOT WORKING !!!" :)

Just use FF. There is no drama.
This is further proof for me that the Google Chrome browser is one giant tracking machine by default -
Looking at the extension the developer of it states:
Quote
Disable WebRTC in Your Web Browser!
At the moment, there is no way to completely block WebRTC in Google Chrome.

I should say sorry, but I can't just rename the extension.


Google Chrome is putting some individuals at risk here, read: https://productforums.google.com/forum/#!topic/chrome/QN7jleWJawY

But this works, alas not on Android, go to address bar and type chrome://flags/#disable-webrtc

polonus
« Last Edit: August 08, 2015, 01:45:06 PM by polonus »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48551
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Tests and other Media topics
« Reply #291 on: August 08, 2015, 04:04:04 PM »
Quote
Hi folks,

(Snip)

polonus

More information and a discussion on this topic at:
https://code.google.com/p/chromium/issues/detail?id=333752
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

Re: Tests and other Media topics
« Reply #292 on: August 08, 2015, 04:11:34 PM »

Offline polonus

Re: Tests and other Media topics
« Reply #293 on: August 09, 2015, 11:42:58 PM »
When you detect website malware every day all of the day, like I do, I'd also like to test a domain for SSL Protocol Support.
We can test here: https://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm?test_domain=m-pathy.com
Nice candidates for weaknesses are to be found here: https://www.eff.org/https-everywhere/atlas/domains/m-pathy.com.html
That is why I haven't set https as per default.
Browser JSGuard is an extension that will alert you when your log-in data go in plain text over the wire.
For instance what is wrong here: https://www.m-pathy.com/
Well let us start here and that is not encouraging:
HTTP Server: Apache HTTP Server 2.4.10
PHP Version: 5.3.26 (Outdated)

The protocol settings:
Protocol   Status   Recommendation
SSLv2   SSLv2 is Disabled   SSLv2 is weak and should be disabled. More information.
SSLv3   SSLv3 is Disabled   Consider disabling SSLv3 to mitigate the POODLE attack. Should be disabled for PCI DSS 3.1 Compliance
TLSv1   TLSv1 is Enabled   TLSv1 may be enabled for existing implementations, however PCI DSS 3.1 § 2.2.3 states that: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS
TLSv1.1   TLSv1.1 is Enabled   TLSv1.1 may be enabled for existing implementations, however PCI DSS 3.1 § 2.2.3 states that: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place. Effective immediately, new implementations must not use SSL or early TLS. Some assert that the term early TLS includes both TLS 1.0 and 1.1, check with your PCI QSA.
TLSv1.2   TLSv1.2 is Enabled   TLS 1
Certificate problem for one IP: https://www.ssllabs.com/ssltest/analyze.html?d=m-pathy.com
E-commerce Safety Information
Transaction Protection
Certified SSL is used to encrypt transactions
SSL Issuer: AlphaSSL CA - SHA256 - G2
SSL Expires: 2018-02-19 01:26:54 UTC
See also: http://toolbar.netcraft.com/site_report?url=https://www.m-pathy.com

polonus

Offline bob3160

Re: Tests and other Media topics
« Reply #294 on: August 09, 2015, 11:46:53 PM »
Most people, unless like you they are looking for malware, hardly ever "run into it" provided they are reasonably protected.
I haven't received a warning about running into a malicious website or an infection in a very, very long time. :)

Offline polonus

Re: Tests and other Media topics
« Reply #295 on: August 10, 2015, 12:17:26 AM »
Hi bob3160,

When you are surfing with Google Chrome you often run into SSL sites that do not have the full green padlock.
You'd never click the yellow triangle showing there is also insecure content on a site that does not go via ssl.  :o
I often still see a lot of sites like this, for instance: IEEE Xplore Abstract - Browser JS Guard: Detect...
ieeexplore.ieee.org
Alerts (1)
Insecure login (1)
Password will be transmited in clear to http://ieeexplore.ieee.org/servlet/LoginModalController

When the green padlock is missing and I see such red alerts, I investigate, and other users should also hesitate and check what they are going to do there and whether their info is safe going to that site or log-in.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline bob3160

Re: Tests and other Media topics
« Reply #296 on: August 10, 2015, 12:21:23 AM »

It isn't green but I still visit the site. As you know, I don't put my system through all the hoops you do.


Offline polonus

Re: Tests and other Media topics
« Reply #297 on: August 10, 2015, 12:49:48 AM »
Hi bob3160,

It is not about going through hoops, I do all this as a volunteer forum member to detect insecurities and report them to Avast so the Avast team may protect all of their users better and I found quite something up over the last few years.

I am far from expecting the average user to do similar things. This thread is meant for people that are in website scanning, website owners, security analysts, hosters, and a couple of other enthusiasts here on the forums.

I do not say you have to go to sites like I do and with the suspicion and the experience I have stashed at the back of your mind, no-way, that is just for website analysts and other forum users here that like the subject.

But I should like it a lot for the average user to become just a little tad more aware and concerned. Do not just trust all you were being told, because all you are being told is not always the truth where website security is concerned. Our forum member, Para-Noid, would say: `It is secure only what you have tested to be secure!´.

Damian

Offline polonus

Re: Tests and other Media topics
« Reply #298 on: August 10, 2015, 11:02:25 PM »
"There is another obscure way of tracking users without using cookies or even Javascript."
Read about this and test here:
"http://lucb1e.com/rp/cookielesscookies/"
This is stopping "this 'phorming": https://www.dephormation.org.uk/index.php?page=81

polonus

P.S. The main reason for this test was to promote self-destructing cookies like with Crunch etc.

D
« Last Edit: August 10, 2015, 11:05:10 PM by polonus »
