Security issues on the official german odroid mirror server


Unread postby ujsrwidc » Sat Nov 03, 2018 9:09 pm

This server can't create an https connection for secure downloading. This is essential in 2018:
https://de.eu.odroid.in/ubuntu_18.04lts

All other 3 mirrors listed here have the ability to create a secure connection: https://wiki.odroid.com/odroid-c1/os_images/ubuntu/v3.0

So this is for sure a security error. https seems to have been forgotten on the German mirror. Please enable https.
ujsrwidc
 
Posts: 37
Joined: Sat Nov 03, 2018 9:00 pm
languages_spoken: english

Re: Security issues on the official german odroid mirror ser

Unread postby mdrjr » Sun Nov 04, 2018 1:20 pm

Our Germany server now has SSL enabled by default.

HTTP requests will be redirected to HTTPS.
mdrjr
Site Admin
 
Posts: 11691
Joined: Fri Feb 22, 2013 11:34 pm
Location: Brazil
languages_spoken: english, portuguese
ODROIDs: -

Re: Security issues on the official german odroid mirror ser

Unread postby ujsrwidc » Sun Nov 04, 2018 8:33 pm

Great! Could you please also fix the certificate mismatch here? https://www.ssllabs.com/ssltest/analyze ... odroid.com

If I get it right in the few seconds I took to look at it, you seem to use the certificate from the dn.odroid.com subdomain for odroid.com. This of course causes a certificate mismatch when using the wrong certificate on another domain. You can either use a Let's Encrypt certificate for each domain or take a wildcard certificate for all odroid.com domains (including subdomains).

Please don't forget to enable HSTS preload: https://hstspreload.org/?domain=odroid.com
ujsrwidc
 
Posts: 37
Joined: Sat Nov 03, 2018 9:00 pm
languages_spoken: english

Re: Security issues on the official german odroid mirror ser

Unread postby neal » Mon Nov 05, 2018 2:25 pm

It is not certain that we have to get an SSL certificate.
The odroid.com domain doesn't have an SSL certificate because it is just using a meta tag to redirect to forum.odroid.com here.
I think that's why the site shows us "the certificate mismatch".
neal
 
Posts: 152
Joined: Fri Apr 14, 2017 10:02 am
languages_spoken: english

Re: Security issues on the official german odroid mirror ser

Unread postby ujsrwidc » Tue Nov 06, 2018 3:22 am

When you run odroid.com without encryption and without HSTS, then everyone in any public wifi can redirect all your customers to whatever website they like. So yes, HSTS preload and TLS have to be enabled to protect the users.
ujsrwidc
 
Posts: 37
Joined: Sat Nov 03, 2018 9:00 pm
languages_spoken: english

Re: Security issues on the official german odroid mirror ser

Unread postby neal » Tue Nov 06, 2018 11:30 am

Hi @ujsrwidc,
Thank you for your advice.
Now the certificate mismatch at odroid.com is fixed.
neal
 
Posts: 152
Joined: Fri Apr 14, 2017 10:02 am
languages_spoken: english

Re: Security issues on the official german odroid mirror ser

Unread postby ujsrwidc » Wed Nov 07, 2018 3:45 am

Great! Nice to see things changing for the better.

Could you add the HSTS preload header?
https://hstspreload.org/?domain=odroid.com

You don't have to care about old software that maybe automatically downloads the file. It won't be affected by the HSTS header because this header is simply not supported. HSTS preload is a great thing to make sure your customers' web browser uses a secure connection.

When HSTS preload is enabled, you can take a look into this:
https://observatory.mozilla.org/analyze ... odroid.com

Your web server supports the outdated TLS 1.0 and TLS 1.1. This is not needed any more these days. TLS 1.2 and TLS 1.3 are the versions to have enabled. You can see this in your web server statistics. Probably no one would have used TLS 1.0 or 1.1 for connecting to the web server, but it can be used for attacking the users with a downgrade attack. TLS 1.0 is non-compliant with PCI DSS 3.2.1. https://www.htbridge.com/ssl/?id=ArbYPJWq

Privacy of your users can be checked here: https://webbkoll.dataskydd.net/en/resul ... odroid.com

And please remove this 5-year cookie from https://www.naver.com/. This thing sounds to me just like tracking spam built into your website for a strange reason.

Your mail server, aspmx.daum.net, is on a blacklist for spam: https://mxtoolbox.com/domain/odroid.com/

Finally you can enable DNS CAA (instead of HPKP, which is not enabled now and doesn't need to be used any more thanks to DNS CAA). At the end of all that you have customers as secure as possible. Extreme nerds who care about that would love your website more, and the person managing the website would have learned a lot about website configuration for the future. So it's a win on all sides.
ujsrwidc
 
Posts: 37
Joined: Sat Nov 03, 2018 9:00 pm
languages_spoken: english
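The thread asks for three concrete server-side changes: a permanent HTTP-to-HTTPS redirect, a Strict-Transport-Security header that qualifies for the hstspreload.org list, and DNS CAA records that restrict which CAs may issue for the domain. The script below is an added example, not code from this forum or from the ODROID project; it checks each of those points offline against constructed sample data (the host `mirror.example`, the response headers and the CAA records are all made up for the example). The preload criteria it encodes (max-age of at least one year, includeSubDomains, preload, and an HTTP redirect that stays on the same host) are the published hstspreload.org requirements; the CAA rule it applies (no `issue` records means any CA may issue, otherwise only the listed ones) follows RFC 8659 for the `issue` tag only, ignoring `issuewild` for brevity.

```python
"""Offline checks for the hardening points raised in the thread.

Added example, not code from the forum or from the ODROID project.
Every response, header value and DNS record below is constructed
sample data, not a capture from a real server.
"""
import re

# hstspreload.org requires max-age of at least one year (31536000 s).
HSTS_PRELOAD_MIN_AGE = 31536000


def parse_hsts(header_value):
    """Split a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive, so they are lower-cased here;
    value-less directives (includeSubDomains, preload) map to ''.
    """
    directives = {}
    for part in (header_value or "").split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def hsts_preload_problems(header_value):
    """Return the reasons a header would be rejected by the preload list.

    An empty list means the header satisfies the preload requirements.
    """
    problems = []
    d = parse_hsts(header_value)
    if "max-age" not in d or not d["max-age"].isdigit():
        problems.append("missing or non-numeric max-age")
    elif int(d["max-age"]) < HSTS_PRELOAD_MIN_AGE:
        problems.append("max-age below one year")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


def redirect_problems(status, headers, host):
    """Check a plain-HTTP response: it must be a permanent redirect to
    https:// on the same host, otherwise the browser never receives the
    HSTS header for that host and preload submission is refused.
    `headers` is a dict with lower-cased header names.
    """
    problems = []
    if status not in (301, 308):
        problems.append("status %d is not a permanent redirect (301/308)" % status)
    location = headers.get("location", "")
    m = re.match(r"^https://([^/:?#]+)", location, re.IGNORECASE)
    if not m:
        problems.append("Location is not an https:// URL")
    elif m.group(1).lower() != host.lower():
        problems.append("redirect leaves the original host")
    return problems


def caa_allows(records, ca_domain):
    """Decide whether a CA identified by `ca_domain` may issue, given the
    domain's CAA records as (flags, tag, value) tuples.

    With no 'issue' records at all, CAA imposes no restriction.
    Otherwise the CA must appear in one of them (a value of ';' means
    no CA may issue). 'issuewild' is ignored in this simplified check.
    """
    issue_values = [v.strip() for _, tag, v in records if tag.lower() == "issue"]
    if not issue_values:
        return True
    # Parameters after ';' (e.g. account binding) are not evaluated here.
    allowed = {v.split(";")[0].strip().lower() for v in issue_values}
    allowed.discard("")
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    # Constructed sample data for a fictional mirror host.
    print(redirect_problems(302, {"location": "http://mirror.example/"}, "mirror.example"))
    print(hsts_preload_problems("max-age=300"))
    print(hsts_preload_problems("max-age=63072000; includeSubDomains; preload"))
    print(caa_allows([(0, "issue", "letsencrypt.org")], "other-ca.example"))
```

A weak header such as `max-age=300` reports three problems, while `max-age=63072000; includeSubDomains; preload` reports none; a `302` to an `http://` URL fails the redirect check on both counts. Running the same functions over real headers fetched with `curl -I` is a reasonable way to confirm a deployment before submitting a domain to the preload list.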

