Security related issues with the website tengine.taobao.org

t8e9dugd  posted 4 months ago in  Other
  1. Your website doesn't redirect to HTTPS (it really should). This means if a user enters http://tengine.taobao.org, and then heads to the download page, they're downloading the tarballs through a plain-text connection that could be modified. Preferably it should only support TLS 1.2 and 1.3+, as TLS 1.1 and earlier are deprecated.
  2. You've only got MD5 sums on the download page. Really you should only be using SHA256, SHA512, or SHA3.
  3. You should also be signing these with PGP and releasing detached signatures with each release.
  4. MD5 should not be used to guarantee any kind of authenticity.

These things could lead to a supply chain attack on your customers (i.e. they download a modified tarball that has a backdoor).

  1. https://www.ssllabs.com/ssltest/analyze.html?d=tengine.taobao.org&s=203.119.245.121 this one is more for your parent company, but they really should use more certs, and not have so many alternative names under the same certificate, especially from completely unrelated domains and business ventures. See for example:
openssl s_client -connect apple.com:443 -servername apple.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:
openssl s_client -connect microsoft.com:443 -servername microsoft.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:
openssl s_client -connect google.com:443 -servername google.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:
openssl s_client -connect mozilla.com:443 -servername mozilla.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:
openssl s_client -connect amazon.com:443 -servername amazon.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:

7bsow1i6 1#

https://www.hardenize.com/report/tengine.taobao.org/1597299887#www_hsts

  1. Also consider fixing these issues:
  • No HSTS on apex hostname
    Even though the main host uses HSTS, the protection is not as good as it could be because the apex hostname doesn't have HSTS deployed. Without robust HSTS, attackers can sometimes abuse cookies and make up plaintext subdomains to use for phishing.
    Location: https://taobao.org
  • Policy is disabled
    This site is aware of HSTS but uses a policy that has been disabled by setting the duration to zero.
  • No parent protection
    This host could benefit from further protection if the apex hostname were configured with an HSTS policy that uses 'includeSubDomains'. Enabling HSTS on an entire domain name is the only approach that provides robust security.
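The three HSTS findings above (apex without a policy, max-age set to zero, apex without includeSubDomains) can be reproduced offline from the Strict-Transport-Security header values of the main host and its apex. The checker below is an added example, not code from the original thread or from Hardenize; the header values it runs on are constructed to mirror the report, not observed responses from tengine.taobao.org, and it assumes a simple two-label apex rather than a public-suffix lookup.

```python
def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives.
    Returns None when the header is absent or lacks a numeric max-age,
    since browsers ignore such a header (RFC 6797 requires max-age)."""
    if header is None:
        return None
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}


def apex_of(host):
    """Assumption: the apex is the last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def hsts_findings(host, headers_by_host):
    """Return the list of findings for host, given {hostname: STS value or None}."""
    findings = []
    main = parse_hsts(headers_by_host.get(host))
    if main is None:
        findings.append("No HSTS on main host")
    elif main["max_age"] == 0:
        findings.append("Policy is disabled")  # max-age=0 tells browsers to drop the policy
    apex = apex_of(host)
    if apex != host:
        apex_policy = parse_hsts(headers_by_host.get(apex))
        if apex_policy is None:
            findings.append("No HSTS on apex hostname")
        elif apex_policy["max_age"] == 0:
            findings.append("Apex policy is disabled")
        elif not apex_policy["include_subdomains"]:
            findings.append("No parent protection")  # subdomains stay unprotected
    return findings


# Constructed sample headers mirroring the report, not real responses.
REPORTED_HEADERS = {"tengine.taobao.org": "max-age=0", "taobao.org": None}
FIXED_HEADERS = {"tengine.taobao.org": "max-age=31536000; includeSubDomains",
                 "taobao.org": "max-age=31536000; includeSubDomains; preload"}

if __name__ == "__main__":
    print(hsts_findings("tengine.taobao.org", REPORTED_HEADERS))
    print(hsts_findings("tengine.taobao.org", FIXED_HEADERS))
```

A one-year max-age with includeSubDomains on the apex clears all three findings; a policy on the apex without includeSubDomains still leaves "No parent protection".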
