Author Topic: You would not expect this for a browser makers' site  (Read 2365 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
You would not expect this for a browser makers' site
« on: May 22, 2019, 09:53:54 PM »
:o Outdated WordPress version: WordPress Version
4.9.6 does not appear to be the latest - update now.

Security Checks for https://ghostbrowser.com
(4) Domain at risk of being hijacked
(5) Susceptible to man-in-the-middle attacks
Vulnerable to cross-site attacks
(2) Emails can be fraudulently sent
(2) Unnecessary open ports
DNS is susceptible to man-in-the-middle attacks

They may be tracking-blocking experts, but not builders of secure websites, see:
https://webhint.io/scanner/f59e16f7-0dd2-4ec4-8dcb-b1cc6ef59b2c  548 recommendations towards improvement,
also security-related hints.... what does that mean for their browser's best policies? ::)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
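The "Emails can be fraudulently sent" item in a scan report of this kind normally comes down to the domain's SPF and DMARC records: without an SPF record that fails unlisted senders and a DMARC policy of quarantine or reject, a receiving mail server has no instruction to discard mail that forges the domain. The script below is an added example, not part of the original post and not UpGuard's checker; it evaluates constructed SPF/DMARC TXT records (the domains `weak.example` and `strong.example` and their records are made up for the example, so nothing here is ghostbrowser.com's real DNS data) so that it runs offline. Swap `lookup_txt` for a real resolver to use it on a live domain.

```python
"""Evaluate whether a domain's SPF and DMARC records stop simple sender spoofing.

Added example: constructed TXT records stand in for DNS lookups so the code runs
offline. The records below are illustrative and not any real domain's data.
"""
import re

# Constructed sample TXT records, keyed by the DNS name that would be queried.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.example.net ?all"],          # neutral 'all'
    "_dmarc.weak.example": [],                                          # no DMARC at all
    "strong.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100"],
}


def lookup_txt(name, resolver=SAMPLE_TXT):
    """Return the TXT strings for a name; replace with a real DNS query in practice."""
    return resolver.get(name, [])


def parse_spf(records):
    """Find the single SPF record and the qualifier on its 'all' mechanism."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        # RFC 7208: more than one SPF record is a permerror, so SPF is ignored.
        return {"present": bool(spf), "multiple": len(spf) > 1, "all": None, "terms": []}
    terms = spf[0].split()[1:]
    all_qualifier = None
    for term in terms:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.I)
        if match:
            all_qualifier = match.group(1) or "+"   # bare 'all' means '+all'
            break                                   # mechanisms after 'all' never run
    return {"present": True, "multiple": False, "all": all_qualifier, "terms": terms}


def parse_dmarc(records):
    """Extract the policy (p) and percentage (pct) tags from a DMARC record."""
    rec = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not rec:
        return {"present": False, "p": None, "pct": None}
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return {"present": True,
            "p": tags.get("p", "").lower() or None,
            "pct": int(tags.get("pct", "100"))}


def spoofing_findings(domain, resolver=SAMPLE_TXT):
    """List the reasons a forged 'From: user@domain' would not be rejected."""
    findings = []
    spf = parse_spf(lookup_txt(domain, resolver))
    if not spf["present"]:
        findings.append("no SPF record")
    elif spf["multiple"]:
        findings.append("multiple SPF records (permerror, SPF ignored)")
    elif spf["all"] in (None, "+", "?"):
        # '+all' and '?all' authorize everyone; a missing 'all' defaults to neutral.
        findings.append(f"SPF does not fail unauthorized senders (all={spf['all']!r})")

    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, resolver))
    if not dmarc["present"]:
        findings.append("no DMARC record")
    elif dmarc["p"] not in ("quarantine", "reject"):
        findings.append(f"DMARC policy p={dmarc['p']} does not enforce")
    elif dmarc["pct"] < 100:
        findings.append(f"DMARC enforces only pct={dmarc['pct']}")
    return findings


if __name__ == "__main__":
    for name in ("weak.example", "strong.example"):
        print(name, "->", spoofing_findings(name) or ["no spoofing findings"])
```

Softfail (`~all`) is accepted here because DMARC treats it as a failed SPF check; the real gap is a neutral or pass-all qualifier, or no DMARC policy telling receivers what to do with the failure.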

Offline DevSecOps

  • Newbie
  • *
  • Posts: 2
Re: You would not expect this for a browser makers' site
« Reply #1 on: June 05, 2019, 03:17:10 PM »
I cannot believe that my favourite Mozilla browser is garbage. See https://webhint.io/scanner/71910961-e6ca-48c2-8517-5d6e7dce3210 , there are 145 hints and 3/10 security tests passed.

Another test is for AU WordPress, https://webhint.io/scanner/55821b9d-8c4f-4969-8f3c-10c5dd101f59 , 129 hints and just 4 security tests passed out of 10. How come? webhint is just a useless tool.

If you want to check security, hire a certified pentester or use Sucuri SiteCheck.
Another good tool is the Trustwave scanner.
Performance metrics are better obtained from the Google PageSpeed test.


Offline JRW

  • Newbie
  • *
  • Posts: 1
Re: You would not expect this for a browser makers' site
« Reply #2 on: June 05, 2019, 03:19:16 PM »
According to webhint there are no vulnerabilities on the ghostbrowser site. There are just hints, and most of them are related to Google Analytics and similar well-known tools and not to the site. And the hints mentioned on the webhint site appear on each and every site you scan with it.
As we can see, webhint.io produces TONS of false positives, so it can't be trusted as a proper tool. It shows 217 "hints" for youtube.com https://webhint.io/scanner/87bd37f6-f848-416d-b49c-0f83874940d1. So, the 548 "hints" it shows for ghostbrowser.com make us proud, really.
Please provide a proof of concept for the MITM attack vulnerabilities caused by our website that you mentioned in your comment.  :o

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: You would not expect this for a browser makers' site
« Reply #3 on: June 05, 2019, 03:28:37 PM »
Have you reported the possible false positive to Avast?

Report a URL
https://www.avast.com/report-a-url.php
(polonus is an Avast user, not an Avast rep. or employee.)
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: You would not expect this for a browser makers' site
« Reply #4 on: June 05, 2019, 07:13:47 PM »
Hi JRW & bob3160,

Don't shoot the messenger.    :)

This is not my opinion, nor am I saying avast is flagging it; I am just passing on the scan results of this linting tool.
I never said the site is malicious or suspicious, just that it is open to improvement  ;)

Let's do some other scans just to see how this sticks or not.
The next scanner is reliable: https://app.upguard.com/#/https://ghostbrowser.com/

Here also site does not reach beyond F-grade results: https://observatory.mozilla.org/analyze/ghostbrowser.com
I grade here: https://observatory.mozilla.org/analyze/ghostbrowser.com#tls
F-grade results here: https://securityheaders.com/?followRedirects=on&hide=on&q=ghostbrowser.com
Site doesn't issue an HSTS header.

Moreover, I have seen tons of websites after doing this for over fourteen years now,
and I am not especially impressed by WordPress CMS security
where plug-ins and configuration settings are involved, not to mention this site in particular; settings are OK.

The CMS is PHP based, and we all know what kettle of worms PHP coding could be for the PHP-HTML-coder
wrought without dependency injection.

Moreover, 2 vulnerable, retirable jQuery libraries were detected here:
https://retire.insecurity.today/#!/scan/4fe75f7d18a53fbf154854c40c86bd08fa17b3ec23b522a45f79f5b502e48fdd

Some will thank me for exploring the weaknesses in their site's code, some go into denial mode and won't accept advice,
others use it to their advantage; what you will do, that's up to you.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
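What the F-grade on securityheaders.com and the missing HSTS header in the post above amount to can be seen by grading a response yourself. The script below is an added example, not part of the original post and not the securityheaders.com or Observatory scoring code; it checks a set of HTTP response headers for the protections those scanners look at (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy) and for version-leaking headers. The `BEFORE` and `AFTER` header sets are constructed for the example and are not ghostbrowser.com's real responses, and the letter grade is a simplified scheme (one letter per failing header) rather than either scanner's own algorithm.

```python
"""Grade HTTP response headers the way securityheaders.com-style scanners do.

Added example. BEFORE/AFTER are constructed header sets, not real responses from
any site; the grading scheme is a deliberately simple stand-in for the real one.
"""

# Constructed: a bare PHP/Apache response with no security headers at all.
BEFORE = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.19",
    "Content-Type": "text/html; charset=UTF-8",
}

# Constructed: the same response after adding the headers the scanners expect.
AFTER = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; "
                               "frame-ancestors 'none'; base-uri 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

LEAKY = ("Server", "X-Powered-By", "X-AspNet-Version")   # advertise software versions


def _get(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_hsts(value):
    """HSTS is only useful with a long max-age; 180 days is the common minimum."""
    if value is None:
        return "missing"
    directives = {}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        directives[key.lower()] = val
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        return "invalid max-age"
    if max_age < 15552000:
        return f"max-age {max_age} below 180 days"
    return "ok"


def check_csp(value):
    """A CSP needs a default-src fallback and must not whitelist inline script."""
    if value is None:
        return "missing"
    directives = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    if "default-src" not in directives:
        return "no default-src fallback"
    for name in ("default-src", "script-src"):
        weak = [s for s in directives.get(name, []) if s in ("'unsafe-inline'", "*", "data:")]
        if weak:
            return f"{name} allows {' '.join(weak)}"
    return "ok"


def assess(headers):
    """Return a simplified grade, per-header status, and version-leaking headers."""
    results = {
        "Strict-Transport-Security": check_hsts(_get(headers, "Strict-Transport-Security")),
        "Content-Security-Policy": check_csp(_get(headers, "Content-Security-Policy")),
    }
    xcto = _get(headers, "X-Content-Type-Options")
    results["X-Content-Type-Options"] = (
        "missing" if xcto is None else "ok" if xcto.lower() == "nosniff" else "wrong value")
    xfo = _get(headers, "X-Frame-Options")
    results["X-Frame-Options"] = (
        "missing" if xfo is None else "ok" if xfo.upper() in ("DENY", "SAMEORIGIN") else "wrong value")
    for name in ("Referrer-Policy", "Permissions-Policy"):
        results[name] = "ok" if _get(headers, name) else "missing"

    leaks = [name for name in LEAKY if _get(headers, name)]
    failing = sum(1 for status in results.values() if status != "ok")
    grade = "ABCDEF"[min(failing, 5)]        # simplified: one letter per failing header
    return {"grade": grade, "results": results, "leaks": leaks}


if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        report = assess(hdrs)
        print(label, report["grade"], report["results"], "leaks:", report["leaks"])
```

To run it against a live site, fetch the headers with `curl -sI -L https://example.org` (or `requests.head(..., allow_redirects=True).headers`) and pass the resulting mapping to `assess`; the redirect-following matters, because HSTS is only honoured when it is sent on the HTTPS response, not on the HTTP redirect.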

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: You would not expect this for a browser makers' site
« Reply #5 on: June 05, 2019, 08:29:44 PM »
Ultimately, Avast makes the final decision once they analyse the site that's been reported to them.




Offline DevSecOps

  • Newbie
  • *
  • Posts: 2
Re: You would not expect this for a browser makers' site
« Reply #6 on: June 05, 2019, 10:33:49 PM »

Thanks for the link to upguard. I did not use this tool before. Provided info there may be useful at some point.

As for WordPress and PHP, I totally agree. It is full of bad code and there are a lot of vulnerable plugins even in the official store. But on the other hand, it is sometimes better to stay on an old non-vulnerable version of something rather than upgrade to the latest and then find that your site is hacked  :-\

Also I want to add that a lot of companies like Sony, Comcast and AT&T have WordPress portals for different products and they do not maintain them. They use third-party companies for such small projects.

And a final thing! When you think you have discovered some bad stuff somewhere on a site and you are a good person, it is always better to first write about it to the admin@, postmaster@ and webmaster@ emails at that domain rather than shout everywhere about what you've found  ;)

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: You would not expect this for a browser makers' site
« Reply #7 on: June 05, 2019, 11:20:44 PM »
Giving another user advice isn't going to solve your problem, only reporting the problem to Avast will accomplish that.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: You would not expect this for a browser makers' site
« Reply #8 on: June 06, 2019, 04:14:06 PM »
Hi bob3160,

What do you need a support forum for if you cannot discuss insecurity on websites?
Because those involved are not satisfied with anything under A quality, and everything on your site is hunky-dory.

Just report and you're done, huh?
Why have qualified malcode removers here? According to bob3160, do we really need them?

Now do we all favor "security through obscurity" and not go for responsible disclosure from public scan results to educate,
in order to make websites in a more decent, more professional and more secure way?

How could other web developers learn to do a better job - coding securely - when they aren't told what's wrong?

Or do we live in a world where all insecurity in the infrastructure is kept silent about?
The end-user does not have a need-to-know basis for what he/she/it is being set out against.
Do we want to live on a completely holed Interwebz forever?

Those with relevant knowledge do not count,
and those that take decisions do not possess sufficient relevant knowledge about website security.
Their only interest is profit optimization at the lowest cost possible.

Security as a last-resort issue and not educating web developers
and website admins to do a more solid and more secure job is not the world I live in.

What you also misunderstood before you came swanning in on this thread
is that there is as yet nothing to report about that site to avast's team members.

I just passed on open public scan results gained from public cold reconnaissance scans to come to a more secure site.

How would avast whitelist that site any further, as it is already whitelisted, but could be built with best policies?

polonus

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48523
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: You would not expect this for a browser makers' site
« Reply #9 on: June 06, 2019, 05:33:42 PM »
@polonus,
My comment wasn't directed at you. 😊

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: You would not expect this for a browser makers' site
« Reply #10 on: June 06, 2019, 05:56:04 PM »
OK, bob3160,

Just trying to raise a bit of awareness. We both do our part in the way best suited to each of us.
Always ready to share best policies, best protocols, best Internet and security practices.
You do your part and I do mine, as best we can.

Appreciate that.

The two of us seek constantly to further the avast mission, and for me that's a pleasure. ;)
Thanks to avast we have a platform to do that, and they provide great inspiration.
All I learned in that respect was by taking that first step and joining the avast forum ranks.

Damian