Improve security of *.piwik.org services #9803

Closed
mattab opened this issue Feb 18, 2016 · 3 comments
Labels
answered For when a question was asked and we referred to forum or answered it. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. c: Website matomo.org For issues related to our matomo.org website.

Comments

@mattab
Member

mattab commented Feb 18, 2016

https://securityheaders.io/?q=https%3A%2F%2Fdemo.piwik.org%2F


  • Strict-Transport-Security HTTP Strict Transport Security is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS. Recommended value "strict-transport-security: max-age=31536000; includeSubdomains".
  • Content-Security-Policy Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.
  • Public-Key-Pins HTTP Public Key Pinning protects your site from MiTM attacks using rogue X.509 certificates. By whitelisting only the identities that the browser should trust, your users are protected in the event a certificate authority is compromised.
  • X-Frame-Options X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "x-frame-options: SAMEORIGIN".
  • X-XSS-Protection X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers. Recommended value "X-XSS-Protection: 1; mode=block".
  • X-Content-Type-Options X-Content-Type-Options stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. This helps to reduce the danger of drive-by downloads. Recommended value "X-Content-Type-Options: nosniff".
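The report above lists one recommended value per header. As an added example (not code from the issue or from Piwik), the following script audits a response header dictionary against exactly those recommendations; the sample responses and the `audit_headers` function are constructed here for illustration, and the Content-Security-Policy and Public-Key-Pins values are site-specific so only their presence is checked.

```python
"""Audit HTTP response headers against the securityheaders.io recommendations
quoted in the issue. Added example; not part of Piwik or the original report."""
import re

# Recommended values as stated in the report above.
RECOMMENDED = {
    "strict-transport-security": "max-age=31536000; includeSubdomains",
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
}
# These two carry site-specific values, so only their presence is audited.
PRESENCE_ONLY = ("content-security-policy", "public-key-pins")

MIN_HSTS_AGE = 31536000  # one year, the max-age the report recommends


def _hsts_max_age(value):
    """Extract the integer max-age directive from an HSTS header, or None."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_headers(headers):
    """Return a list of (header, finding) tuples; an empty list means no issues.

    `headers` is a plain dict of response headers; matching is case-insensitive
    because HTTP header names are.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []

    for name, recommended in RECOMMENDED.items():
        if name not in lowered:
            findings.append((name, f"missing; recommended '{recommended}'"))
    for name in PRESENCE_ONLY:
        if name not in lowered:
            findings.append((name, "missing"))

    hsts = lowered.get("strict-transport-security")
    if hsts is not None:
        age = _hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_AGE:
            findings.append(("strict-transport-security",
                             f"max-age below {MIN_HSTS_AGE}: '{hsts}'"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("strict-transport-security", "includeSubDomains not set"))

    xfo = lowered.get("x-frame-options")
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(("x-frame-options", f"unexpected value '{xfo}'"))

    xss = lowered.get("x-xss-protection")
    if xss is not None and not xss.strip().startswith("1"):
        findings.append(("x-xss-protection", f"filter disabled: '{xss}'"))

    xcto = lowered.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append(("x-content-type-options", f"unexpected value '{xcto}'"))

    return findings


# Constructed sample responses (not captured from any real server).
BARE = {"Content-Type": "text/html"}
PARTIAL = {"Strict-Transport-Security": "max-age=300",
           "X-Frame-Options": "ALLOWALL"}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "Public-Key-Pins": "pin-sha256=\"<primary-pin>\"; pin-sha256=\"<backup-pin>\"; max-age=5184000",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("bare", BARE), ("partial", PARTIAL), ("hardened", HARDENED)):
        print(f"{label}:")
        for header, finding in audit_headers(hdrs) or [("-", "no findings")]:
            print(f"  {header}: {finding}")
```

Feeding it a real response is a matter of passing `dict(resp.headers)` from whichever HTTP client is in use; the pin values in the hardened sample are placeholders, not real SPKI hashes.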
@hpvd

hpvd commented Feb 18, 2016

Regarding using "Public-Key-Pinning", one should be really careful and should at least pin more than one certificate.
If one makes any mistake in administration, one could "lose" the domain.

For details see e.g. (sorry, only German)
http://www.heise.de/forum/heise-Security/News-Kommentare/l-f-Web-Dienst-prueft-Praesenz-sicherheitsrelevanter-HTTP-Header/Certificate-Pinning/posting-24489362/show/

or https://community.letsencrypt.org/t/hpkp-best-practices-if-you-choose-to-implement/4625

@hpvd

hpvd commented Feb 18, 2016

another great test is this one:
https://www.ssllabs.com/ssltest/analyze.html?d=piwik.org

https://www.ssllabs.com/ssltest/analyze.html?d=piwik.org&s=185.31.40.177

https://www.ssllabs.com/ssltest/analyze.html?d=piwik.org&s=2a00%3ab6e0%3a1%3a200%3a177%3a0%3a0%3a1

[screenshots of the three SSL Labs reports]

  • This server does not mitigate the CRIME attack. Grade capped to C.
  • Intermediate certificate has a weak signature. Upgrade to SHA2 as soon as possible to avoid browser warnings.
  • The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
  • This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.
  • The server does not support Forward Secrecy with the reference browsers.
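Four of the five SSL Labs findings above (TLS compression for CRIME, no TLS 1.2, RC4 on older protocols, no forward secrecy) are server TLS configuration issues; the weak intermediate certificate signature is a certificate-chain issue and has to be fixed by reissuing the chain. As an added example that is not part of the issue or of Piwik, this script builds a server-side `ssl.SSLContext` with the Python standard library that avoids each configuration finding and then inspects the context offline, without any network connection. `hardened_server_context`, `legacy_server_context` and `context_findings` are names constructed for this example; the cipher string is an assumption, chosen to keep only (EC)DHE AEAD suites.

```python
"""Build and verify a TLS server context that avoids the SSL Labs findings
quoted above. Added example; not part of Piwik or the original report."""
import ssl


def hardened_server_context():
    """Server context addressing CRIME, missing TLS 1.2, RC4 and no forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # "does not support TLS 1.2": refuse anything older than TLS 1.2.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # CRIME abuses TLS-level compression; OP_NO_COMPRESSION disables it.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Forward secrecy requires (EC)DHE key exchange; RC4 is excluded outright.
    # The cipher string is an assumption for this example.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4")
    return ctx


def legacy_server_context():
    """Context that still accepts pre-1.2 protocols, mirroring the report's finding."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def context_findings(ctx):
    """Return the list of SSL Labs-style findings that still apply to `ctx`."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocols older than TLS 1.2 are accepted")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled (CRIME)")
    ciphers = ctx.get_ciphers()
    if any("RC4" in c["name"] for c in ciphers):
        findings.append("RC4 cipher offered")
    # TLS 1.3 suites are always forward secret; TLS 1.2 suites need DHE/ECDHE.
    non_pfs = [c["name"] for c in ciphers
               if c["protocol"] != "TLSv1.3" and "DHE" not in c["name"]]
    if non_pfs:
        findings.append("non forward-secret suites: " + ", ".join(non_pfs))
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_server_context()),
                       ("legacy", legacy_server_context())):
        print(f"{label}: {context_findings(ctx) or ['no findings']}")
```

The same checks can be run against a context loaded from a real deployment's settings before it is handed to the server; because `get_ciphers()` reflects the OpenSSL build actually in use, the result shows what the server would really negotiate rather than what the configuration file claims.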

@mattab mattab added c: Website matomo.org For issues related to our matomo.org website. c: Security For issues that make Matomo more secure. Please report issues through HackerOne and not in Github. labels Mar 31, 2016
@mattab mattab added this to the Mid term milestone Mar 31, 2016
@mattab
Member Author

mattab commented Feb 14, 2017

We now have high SSL rating and other items don't seem so relevant.

@mattab mattab closed this as completed Feb 14, 2017
@mattab mattab added the answered For when a question was asked and we referred to forum or answered it. label Feb 14, 2017