Author Topic: SSL verification issue and CMS insecurity on security website?  (Read 1512 times)

0 Members and 1 Guest are viewing this topic.

Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32951
  • malware fighter
Where I stumbled upon the website initially? Here, see: //www.eff.org/https-everywhere/atlas/domains/m-privacy.de.html
Domain Name: -m-privacy.de
URL Tested: -https://m-privacy.de
Number of items downloaded on page: 231
And what we have found there in realms of insecurity;

   SSL verification issue (Possibly mis-matched URL or bad intermediate cert.). Details:
ERROR: cannot verify m-privacy.de's certificate, issued by '/C=PL/O=Unizeto Technologies S.A./OU=SpaceSSL Certification Authority/CN=SpaceSSL CA': Unable to locally verify the issuer's authority.

Secure calls made to other websites:
-www.m-privacy.de SSL verification issue (Possibly mis-matched URL or bad intermediate cert.). Details:
ERROR: cannot verify -www.m-privacy.de's certificate, issued by '/C=PL/O=Unizeto Technologies S.A./OU=SpaceSSL Certification Authority/CN=SpaceSSL CA':

-piwik.m-privacy.de SSL verification issue (Possibly mis-matched URL or bad intermediate cert.). Details:
ERROR: cannot verify -piwik.m-privacy.de's certificate, issued by '/C=PL/O=Unizeto Technologies S.A./OU=SpaceSSL Certification Authority/CN=SpaceSSL CA':


Certificate is installed correctly
m-privacy.de
This is not a Symantec certificate.
Please contact the Certificate Authority for further verification.
Info
BEAST
The BEAST attack is not mitigated on this server.
Certificate information
Common name:
 *.m-privacy.de
SAN:
 m-privacy.de, *.m-privacy.de
Valid from:
 2015-Apr-30 11:12:27 GMT
Valid to:
 2017-Apr-29 11:12:27 GMT
Certificate status:
 Valid
Revocation check method:
 CRL
Organization:
 
Organizational unit:
 
City/locality:
 
State/province:
 
Country:
 DE
Certificate Transparency:
 Not embedded in certificate
Serial number:
 1bf084cbd82cd685d3786422eef589a6
Algorithm type:
 SHA256withRSA
Key size:
 4096
Certificate chainShow details
Certum Global Services CA SHA2Intermediate certificate
SpaceSSL CAIntermediate certificate
*.m-privacy.deTested certificate
Server configuration
Host name:
 www1.m-privacy.de
Server type:
 Apache
IP address:
 85.214.254.135
Port number:
 443
Protocols enabled:
TLS1.2
TLS1.1
TLS1.0
Protocols not enabled:
SSLv3
SSLv2
Secure Renegotiation:
 Enabled
Downgrade attack prevention:
 Enabled
Next Protocol Negotiation:
 Not Enabled
Session resumption (caching):
 Enabled
Session resumption (tickets):
 Enabled
Strict Transport Security (HSTS):
 Enabled (max-age=15552000)
SSL/TLS compression:
 Not Enabled
Heartbeat (extension):
 Enabled
RC4:
 Not Enabled
OCSP stapling:
 Not Enabled

Vulnerabilities checked:
Heartbleed
Poodle (TLS)
Poodle (SSLv3)
FREAK
BEAST
CRIME

Re: http://toolbar.netcraft.com/site_report?url=https://www.m-privacy.de

WordPress plug-in outdated: WordPress Plugins
The following plugins were detected by reading the HTML source of the WordPress sites front page.

wp-retina-2x 4.5.0   latest release (4.5.5) Update required
http://apps.meow.fr

Warning User Enumeration is possible
The first two user ID's were tested to determine if user enumeration is possible.

ID   User   Login
1   None   verwalter
2      None
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Would not expect such CMS configuration incompetence here  :o

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32951
  • malware fighter
Re: SSL verification issue and CMS insecurity on security website?
« Reply #1 on: July 08, 2016, 07:31:39 PM »
For references visit this site courtesy of Hanno Böck
-> https://fancyssl.hboeck.de/
Right configuration comes together with the right security headers enabled.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!