
Website Tests / Server Tests

From Whonix


Introduction

Security is not a checklist. Security is not about making websites show a lot of green and no red at all. The context is important. This is a bit similar to Browser Tests. There are many false positives.

SSL certificate, HSTS, CAA Policy, Expect-CT header, DNSSEC, Content Security Policy (CSP), Feature-Policy, MTA-STS, TLS-RPT, DANE, SPF, DKIM, DMARC, Frame Options, XSS Protection and Content Type Options are all nice-sounding and nice-to-have website or server security features.

While website test websites such as hardenize.com are amazing tools that help website owners check security features, these tests say little about the security of the server. Such tests cannot check whether kernel, operating system and web app upgrades are up to date or neglected, whether SSH is configured for public key authentication only, whether the server is Kicksecure hardened, whether backups are being made, and so forth.

For example, at the time of writing the Microsoft website had no CSP, no DNSSEC and no DANE, and a C-level securityheaders.com rating. Does this mean that the Microsoft website gets hacked every year and spreads malicious software uploaded by unauthorized third parties? No. [1]

As elaborated in the most comprehensive chapter on this wiki page, CSP, the threat models are nuanced, imperfections exist, and efforts are bound by available resources and developer time and limited to reasonable efforts, not security theater. It is also important to put test results into perspective through Comparison of Test Results with Others.

See also Privacy Policy Technical Details, Privacy on the Whonix ™ Website, Trusting the Whonix ™ Website and Distrusting Infrastructure.

hardenize.com

https://www.hardenize.com/report/whonix.org/1607868311 [archive]

https://forums.whonix.org/t/no-clean-hsts-preload-dnssec/10255 [archive]

https://forums.whonix.org/t/expect-ct-security-header-for-whonix-org/10286 [archive]

See also Email DANE.

SSL Labs

https://www.ssllabs.com/ssltest/analyze.html?d=whonix.org [archive]

hstspreload.org

https://hstspreload.org/?domain=whonix.org [archive]

Email DANE

Email DANE (SMTP)

DNS-based Authentication of Named Entities (DANE) is a bridge between DNSSEC and TLS. In one possible scenario, DANE can be used for public key pinning, building on an existing publicly-trusted certificate. In another approach, it can be used to completely bypass the CA ecosystem and establish trust using DNSSEC alone.

Feature not implemented or disabled

Your server doesn't support this feature.

The whonix.org website doesn't offer free or paid e-mail accounts. The extent to which whonix.org uses e-mail:

  • Sends e-mails to wiki editors who signed up to be notified about changes.
  • Forum e-mail sign-up and notifications.
  • Mailing Lists
  • Developer accounts.

Even if e-mail security were "perfected", even if the DANE test passed on website tests, DANE should not be relied upon. Better to use end-to-end encryption such as OpenPGP, or better still, codecrypt.
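As an added illustration of the DANE description quoted above (this is not Whonix project code, and nothing here is deployed on whonix.org), the following Python script shows what an SMTP DANE TLSA record consists of and how a DANE-validating sender checks the certificate it receives during the TLS handshake against that record. The certificate bytes are constructed stand-ins rather than real DER data, and the owner name _25._tcp.mail.example.org. is a placeholder. It also shows the reason behind the "complex, maintenance demanding setup" remark under Website DANE below: rotating the server key without first publishing a matching record makes the check fail for every validating sender.

```python
"""Added example: DANE TLSA records for SMTP.

Not Whonix project code. The byte strings below are constructed stand-ins
for DER-encoded certificate data, not real certificates.
"""
import hashlib
import hmac

# TLSA field values from RFC 6698. RFC 7672 (SMTP DANE) recommends "3 1 1":
# DANE-EE usage, SubjectPublicKeyInfo selector, SHA-256 matching type.
USAGE_DANE_EE = 3
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed stand-ins (assumption, not real data). For a real certificate
# the SPKI DER bytes come from:
#   openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER
CERT_DER = b"constructed-stand-in-for-DER-certificate"
SPKI_CURRENT = b"constructed-stand-in-for-DER-SubjectPublicKeyInfo-key-1"
SPKI_ROTATED = b"constructed-stand-in-for-DER-SubjectPublicKeyInfo-key-2"


def association_data(selected: bytes, matching_type: int) -> bytes:
    """The 'certificate association data' field for the chosen matching type."""
    if matching_type == MATCH_EXACT:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def select(cert_der: bytes, spki_der: bytes, selector: int) -> bytes:
    """Pick the part of the certificate the record refers to."""
    if selector == SELECTOR_FULL_CERT:
        return cert_der
    if selector == SELECTOR_SPKI:
        return spki_der
    raise ValueError(f"unknown selector {selector}")


def build_tlsa(cert_der, spki_der, usage=USAGE_DANE_EE,
               selector=SELECTOR_SPKI, matching_type=MATCH_SHA256):
    """Return the (usage, selector, matching type, hex data) tuple to publish."""
    data = association_data(select(cert_der, spki_der, selector), matching_type)
    return (usage, selector, matching_type, data.hex())


def format_rr(owner: str, record) -> str:
    """Zone-file line; SMTP TLSA records live at _25._tcp.<MX hostname>."""
    usage, selector, matching_type, hex_data = record
    return f"{owner} IN TLSA {usage} {selector} {matching_type} {hex_data}"


def tlsa_matches(record, cert_der, spki_der) -> bool:
    """Does the certificate presented in the TLS handshake satisfy the record?

    Only DANE-EE (usage 3) is modelled: the record pins the end-entity
    certificate or key itself and no CA chain is involved. Usages 0 to 2
    additionally need PKIX or trust-anchor chain validation and are refused.
    DNSSEC validation of the record itself happens before this step.
    """
    usage, selector, matching_type, hex_data = record
    if usage != USAGE_DANE_EE:
        raise NotImplementedError("only DANE-EE (usage 3) is handled here")
    presented = association_data(select(cert_der, spki_der, selector), matching_type)
    return hmac.compare_digest(presented, bytes.fromhex(hex_data))


if __name__ == "__main__":
    record = build_tlsa(CERT_DER, SPKI_CURRENT)
    print(format_rr("_25._tcp.mail.example.org.", record))
    print("current key matches:", tlsa_matches(record, CERT_DER, SPKI_CURRENT))
    # Rotating the server key without updating DNS first makes every
    # DANE-validating sender reject the connection: the maintenance burden.
    print("rotated key matches:", tlsa_matches(record, CERT_DER, SPKI_ROTATED))
```

The comparison uses hmac.compare_digest so that checking a record does not leak timing information about the published digest; a real validator would also have to confirm that the TLSA lookup itself was DNSSEC-validated before trusting the record at all.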

Website DANE

See DANE TLSA References. Quote DANE TLSA (DNS-based Authentication of Named Entities) for whonix.org [archive]:

For now decided not to implement it due to:

  • low adoption
  • no support in major browsers
  • complex, maintenance demanding setup

Content-Security-Policy CSP

Threat Model

So what is a CSP? CSP stands for Content Security Policy. A one-line description would be "something about server security"; more detail follows below. First, a quote from OWASP [archive], which sounds accurate but is too abstract to make head or tail of:

Is a W3C specification offering the possibility to instruct the client browser from which location and/or which type of resources are allowed to be loaded. To define a loading behavior, the CSP specification uses “directive” where a directive defines a loading behavior for a target resource type. Directives can be specified using HTTP response header (a server may send more than one CSP HTTP header field with a given resource representation and a server may send different CSP header field values with different representations of the same resource or with different resources) or HTML Meta tag, the HTTP headers below are defined by the specs:

One use of a CSP is for web server software (such as nginx) to tell the visitor's browser (such as Mozilla Firefox) which resources (i.e. HTML, JavaScript, images) to load from which authorized sources. This is an interesting, nuanced threat model. How can the CSP, something running on the web server software, provide additional security for the very web server software it is running on? At first sight, this seems impossible. However, there is a point. Webapps nowadays are very complex, i.e. prone to software bugs and security vulnerabilities. It might be the case that a webapp is functioning unexpectedly due to a bug, or is even compromised because an attacker exploited a vulnerability in the webapp. However, a compromised webapp doesn't necessarily equal compromise of the web server software (such as nginx), let alone compromise of the whole server (root). The webapp might be functioning unexpectedly or be compromised, but the web server software might still be functioning according to specifications. Under such conditions, the CSP can limit what the webapp (or rather the output of the webapp, as processed by the visitor's browser) can do. For example, the CSP as enforced by the web server software can prohibit[2] the browser from loading content from third party websites. In some cases, some webapp vulnerabilities might be made less useful or even be rendered useless. A CSP aims to contain faulty or compromised webapps.

You see how nuanced the threat model is: a faulty or compromised webapp being contained. Wouldn't it be better to avoid faulty or compromised webapps to begin with? Of course.

A good use case of a CSP is webmail, i.e. reading e-mail in the browser. For better security and privacy, no content should be loaded from third party websites, i.e. from websites other than the e-mail provider. However, it is even better to avoid webmail entirely, as recommended, by using an e-mail client and disabling HTML and scripts (text-only mails). Again: either rely on the server to implement a CSP, or use a local e-mail client with plaintext only. The latter is much better.

Forum discussion: Content-Security-Policy now deployed on Whonix websites [archive]

Whonix

whonix.org has an essential CSP. It is useful for the whonix.org onion domain to avoid loading resources from the whonix.org clearnet domain, which would trigger browser mixed content warnings. It is helpful for avoiding clearnet connections for visitors who prefer using the onion version of the Whonix ™ website, because modern webapps are not designed to be used on multiple domain names with the same database backend and/or for use with onion domains generally.

whonix.org, however, doesn't yet have a CSP without 'unsafe-inline' and 'unsafe-eval' for all webapps. The resulting test warnings:

  • This policy contains 'unsafe-inline' which is dangerous in the script-src directive.
  • This policy contains 'unsafe-eval' which is dangerous in the script-src directive.
  • This policy contains 'unsafe-inline' which is dangerous in the style-src directive.

Users who have NoScript in their browser enabled are unaffected.

Users are advised to use secure browsers, compartmentalize browsing in different virtual machines (VMs), harden their operating system with Kicksecure and use NoScript, rather than relying on websites to deploy CSP. Widespread, perfect deployment of CSP will probably not happen anytime soon. Kicksecure and Whonix are real efforts for security and privacy. Resources and developer time are limited. Efforts spent on CSP are limited to reasonable efforts, not security theater.

Homepage

Quote securityheaders.com [archive] for Whonix ™ website component, homepage.

Forums

Quote securityheaders.com for Whonix ™ website component, discourse forums [archive].

CSP is implemented by the developers of the webapp, discourse. (Feature request for Discourse Forums Permissions-Policy [archive].)

(Quote securityheaders.com for upstream meta.discourse.org [archive])

Phabricator

phabricator [archive]

(Quote securityheaders.com for upstream phabricator [archive])

Wiki

Whonix ™ website component, wiki [archive] [3]

(securityheaders.com for upstream mediawiki.org [archive] / securityheaders.com for wikipedia.org [archive])

Quote Mozilla Developer Network, Multiple content security policies [archive]:

Adding additional policies can only further restrict the capabilities of the protected resource
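To make two points from this chapter concrete, the 'unsafe-inline' / 'unsafe-eval' warnings listed under Whonix and the MDN rule just quoted that additional policies can only restrict further, here is an added Python example. It is not code from the Whonix project or from any of the test websites. It parses CSP header values, reports unsafe source expressions in script-src and style-src the way a header scanner does (applying the default-src fallback), and then checks whether a resource load would be allowed when two policies, such as an essential one from nginx and a second one from the webapp, are in force at the same time. The policy strings and the use of the wiki's onion and clearnet origins are constructed assumptions, not the headers whonix.org actually sends.

```python
"""Added example: evaluate Content-Security-Policy header values offline.

Not Whonix project code. The policies below are constructed assumptions
for illustration, not the headers whonix.org actually sends.
"""
from __future__ import annotations

UNSAFE_SOURCES = ("'unsafe-inline'", "'unsafe-eval'")
CHECKED_DIRECTIVES = ("script-src", "style-src")

# Constructed sample: an "essential" policy as a web server might add, and a
# second policy as a webapp might add on top of it (assumptions, not real).
ONION_ORIGIN = "http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion"
CLEARNET_ORIGIN = "https://www.whonix.org"
ESSENTIAL_CSP = "default-src 'self'; img-src 'self' data:"
WEBAPP_CSP = ("default-src 'self' https://www.whonix.org; "
              "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
              "style-src 'self' 'unsafe-inline'")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split one header value into {directive: [source expressions]}.

    Directives are separated by ';'. If a directive name appears twice,
    the CSP spec says the first occurrence wins and later ones are ignored.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy, directive):
    """Fetch directives fall back to default-src; None means unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def find_unsafe(policy) -> list[str]:
    """Warnings in the style a header scanner prints for script-src/style-src."""
    warnings = []
    for directive in CHECKED_DIRECTIVES:
        for source in effective_sources(policy, directive) or []:
            if source in UNSAFE_SOURCES:
                warnings.append(f"This policy contains {source} which is "
                                f"dangerous in the {directive} directive.")
    return warnings


def source_allows(sources, page_origin, request_origin) -> bool:
    """Minimal host-source matching: 'none', '*', 'self', scheme:, host, *.host.

    Covers the common cases only; full CSP matching also handles ports,
    paths and scheme upgrades, which are left out here.
    """
    if sources is None:              # directive absent and no default-src
        return True
    if not sources or sources == ["'none'"]:
        return False
    request_host = request_origin.split("://", 1)[-1]
    for src in sources:
        if src == "*":
            return True
        if src == "'self'" and request_origin == page_origin:
            return True
        if src.endswith(":") and request_origin.startswith(src):   # e.g. data:
            return True
        if src.startswith("*.") and request_host.endswith(src[1:]):
            return True
        if src in (request_origin, request_host):
            return True
    return False


def allowed_by_all(policies, directive, page_origin, request_origin) -> bool:
    """With several CSP headers a load must be allowed by every one of them,
    which is why adding a policy can only restrict further."""
    return all(source_allows(effective_sources(p, directive), page_origin, request_origin)
               for p in policies)


def audit(headers, page_origin, request_origin, directive="img-src"):
    """Scanner-style warnings for each header plus the combined load decision."""
    policies = [parse_csp(h) for h in headers]
    return {"warnings": [w for p in policies for w in find_unsafe(p)],
            "allowed": allowed_by_all(policies, directive, page_origin, request_origin)}


if __name__ == "__main__":
    report = audit([ESSENTIAL_CSP, WEBAPP_CSP], ONION_ORIGIN, CLEARNET_ORIGIN)
    for warning in report["warnings"]:
        print(warning)
    print("clearnet image allowed on the onion page:", report["allowed"])
```

Run against the constructed pair, the webapp policy alone would let an image load from the clearnet origin (its default-src permits it), but the essential policy's img-src does not, so the combined decision is a refusal; the three warnings printed are exactly the ones listed under Whonix above.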

gzip

Not security relevant. Performance only.

https://onionheaders.website [archive] shows gzip as disabled, but checking with curl shows it is actually enabled, as per the curl gzip test instructions [archive]:

torsocks curl -H "Accept-Encoding: gzip" --head http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Documentation

Output includes:

Content-Encoding: gzip

Comparison with Others

Before demanding what the whonix.org website ought to implement, and might not do yet due to lack of resources, please compare it with much better funded organizations for a fair comparison.

See Also

Footnotes

  2. The CSP is actually a recommendation for the browser. However, writing the following would be confusing:

    For example the CSP as enforced by the web server software can recommend the browser to not load content from external websites and the browser would honor this advice.

  3. Under consideration: $wgCSPHeader [archive] is enabled.

    It is not compatible with $wgUseFileCache.

    Wiki users who are not logged in have 1 CSP, the essential CSP (by nginx), except for visitors of pages which are not yet cached.

    Wiki users who are logged in have 2 CSPs: the essential CSP and, on top of it, the CSP generated by the mediawiki webapp setting $wgCSPHeader.

Copyright (C) 2012 - 2021 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee [archive] of the Open Invention Network [archive]. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)