How secure the web is, so far.

STOP READING NOW and ignore this post if you don’t care about privacy, or think https is stupid.

The New Year is on the horizon, which makes it the perfect time to test how secure the web is so far.
And by secure I mean, how many websites are truly using an https connection to serve all their content.

Short Version:
Force your browser to use port 443 only and test it out.

Long version:

Step 1: Go to…

-Advanced settings > Security > Firewall > application rules > “your web browser” > EDIT
*your web browser rules are usually grayed out and use a predefined policy called “web browser”.

-Under Network Access Rules, select:
Use a custom policy > copy from > predefined security policies > web browser

-You will see 6 rules ordered as follows:
Allow Access to Loopback Zone
Allow Outgoing HTTP Requests
Allow Outgoing FTP Requests
Allow Outgoing FTP-PASV Requests
Allow Outgoing DNS Requests
Block and Log All Unmatching Requests

Step 2: Editing the rules:

-delete both FTP rules.
-edit “Allow Outgoing HTTP Requests” by changing only the destination port to the single port 443,
-rename the rule to “Allow Outgoing HTTPS Requests”

Step 3: Click Ok and save then restart the browser…

-final rules look like this:
Allow Access to Loopback Zone
Allow Outgoing HTTPS Requests
Allow Outgoing DNS Requests
Block and Log All Unmatching Requests

Step 4: Test and have fun…

-first: all http sites will not work, unless you use their https version.
-test the sites that advertise an https connection as default; 2 ways to know:

  • Either, site will function correctly over https.
  • Or, site will have limited function over https, and this kind of site is a bad site that uses content from both http and https.
    -you will notice a slower load time for all https sites, don’t know why!
    -Google Passed the test, including YouTube.
    *note that YouTube failed the test last year during video playback, as videos were served using http connection.

Step 5: Revert to the old state of the browser.

-advanced settings > Security > Firewall > application rules > “your web browser” > EDIT
-under Network Access Rules, select:
Use a predefined security policy > web browser
-Then restart the browser.

*** Problems?? Restart PC ***
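The “limited function over https” case from Step 4 is mixed content: an https page still pulling sub-resources from hard-coded http:// URLs, exactly what a 443-only rule set blocks. The script below is an added example, not code from the original post; it scans a page’s HTML for such references so you can see which resources would fail before touching the firewall. The page URL and HTML are constructed samples, not a real site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Which attribute on which element makes the browser fetch a sub-resource.
# (<a href> is navigation, not a sub-resource, so it is deliberately absent.)
FETCH_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",), "audio": ("src",),
    "video": ("src", "poster"), "embed": ("src",), "track": ("src",),
    "link": ("href",), "object": ("data",), "form": ("action",),
}

class SubresourceCollector(HTMLParser):
    """Collect every sub-resource URL, resolved against the page URL."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []  # (tag, attribute, absolute URL)

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag, ())
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            if name == "srcset":  # "url descriptor, url descriptor, ..."
                urls = [c.split()[0] for c in value.split(",") if c.split()]
            else:
                urls = [value.strip()]
            for url in urls:
                self.refs.append((tag, name, urljoin(self.page_url, url)))

def find_mixed_content(page_url, html):
    """Return the sub-resources an https page would still load over plain http."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    return [r for r in collector.refs if urlsplit(r[2]).scheme == "http"]

# Constructed sample page (not a real site): relative and protocol-relative
# URLs resolve to https on an https page; the hard-coded http:// ones are the problem.
PAGE_URL = "https://www.example.com/watch"
SAMPLE_HTML = """
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example.com/player.js"></script>
<img src="http://img.example.com/thumb.jpg" srcset="http://img.example.com/thumb@2x.jpg 2x">
<video src="http://media.example.com/clip.mp4" poster="/p.jpg"></video>
<form action="http://www.example.com/login"><input name="q"></form>
<a href="http://www.example.com/about">about</a>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> -> {url}")
```

Feed it the HTML of any page fetched over https and every line it prints is a resource that a port-443-only browser will never load.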

https is not stupid; it is vulnerable: HTTPS-crippling “FREAK”, POODLE: SSLv3 vulnerability, BREACH vulnerability in compressed HTTPS

Everything is vulnerable. Implementations have bugs, and get patched. Old protocols are vulnerable, and get deprecated. No current browser supports SSL 2 by default (some not at all). After POODLE, both browsers and servers began dropping support for SSL 3. No current browser supports TLS compression, and neither do most servers. Certain ciphers are vulnerable: RC4, AES-CBC. They are slowly being phased out. HTTP/2 accepts only TLS 1.2+ and ciphers that are not in the blacklist. That’s a long list. Summary: Only AEAD-based ciphers, such as AES-GCM and ChaCha20, are accepted, and ephemeral key exchange (= forward secrecy) is required. Server Name Indication is also required.

Nicely put. IT Sec is all about knowledge (of vulnerabilities and security principles such as ‘defence in-depth’ and skills to address these vulnerabilities) … with added patience and enthusiasm.