corona-warn-app / cwa-website

Corona-Warn-App website. The CWA development ended on May 31, 2023. You can still warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0

Website lacks many Security- and Privacy Features #6

Closed TomTeeJay closed 4 years ago

TomTeeJay commented 4 years ago

Disclaimer: I am not sure if the website issues for https://www.coronawarn.app should be posted here. So please feel free to forward this to whoever is responsible for it.

Though the website claims to be privacy-friendly, there are still these issues:

Please use common test suites to check the website for security and privacy:

akuckartz commented 4 years ago

@TomTeeJay I get DNS_PROBE_FINISHED_NXDOMAIN errors for https://observatory.mozilla.com/

TomTeeJay commented 4 years ago

@TomTeeJay I get DNS_PROBE_FINISHED_NXDOMAIN errors for https://observatory.mozilla.com/

Sorry, my fault, it's https://observatory.mozilla.org, not .com. I changed the link in the issue.

matthiasnagel commented 4 years ago

There is also the issue that the following resource cannot be found on https://www.coronawarn.app/de/. I guess it's a typo ;-)

https://www.coronawarn.app/assets/img/running-app@2x_.png

<img class="image-overflow image-overflow_left" src="/assets/img/running-app@2x_.png" title="..." alt="...">

TomTeeJay commented 4 years ago

sigh they have well designed 404 pages, but as usual, 405 pages are forgotten...

sventuerpe commented 4 years ago

@TomTeeJay See corona-warn-app/cwa-server/SECURITY.md for security contacts. Perhaps this information should be included in the FAQ for everyone.

TomTeeJay commented 4 years ago

So what would you suggest to do? Reporting this to your Incident Response Team? The Security Readme you've mentioned refers to CWA Server.

As I said in my disclaimer, there is no information or procedure defined regarding issues with the website. So there are basically two options:

1) you forward this to a website dev
2) a responsible website dev joins our very comfortable coffee party here :-)

sventuerpe commented 4 years ago

@TomTeeJay There should not be much of a problem with reporting hygiene issues here, the more so as development is still underway. But it would indeed be good to:

SebastianWolf-SAP commented 4 years ago

Well, it's perfectly fine to report it here. Thank you very much! Once we have an update, we'll let you know.

TomTeeJay commented 4 years ago

Thank you both, Sven and Sebastian. I basically agree, but I would never consider TLS 1.0 a "hygiene issue" in the context of contact tracing and health apps.

SebastianWolf-SAP commented 4 years ago

Small update:

TomTeeJay commented 4 years ago

Well SSL Labs shows this:

Screenshot

for all your servers in your Telekom Cloud

Screenshot 2

I've cross-checked it with nmap for 87.148.208.250 as well as for 87.140.209.25, 87.140.209.26, 87.140.209.27, getting this:

# nmap --script ssl-enum-ciphers -p 443 87.140.208.250

Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-22 15:58 CEST
Nmap scan report for 87.140.208.250
Host is up (0.0083s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A
# nmap --script ssl-enum-ciphers -p 443 87.140.209.25

Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-22 15:46 CEST
Nmap scan report for 87.140.209.25
Host is up (0.0090s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.1: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|     compressors: 
|       NULL
|     cipher preference: server
|_  least strength: A

TomTeeJay commented 4 years ago
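A small parser for the ssl-enum-ciphers output quoted above, added here as an example (it is not part of the thread or of the CWA project). It takes an abridged copy of the quoted scan as constructed input and flags what the per-cipher "A" grades do not surface on their own: TLS 1.0 and TLS 1.1 still being offered, and the CBC-mode suites.

```python
import re

# Protocol versions that should no longer be offered on a public endpoint.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Constructed, abridged copy of the nmap ssl-enum-ciphers output from the
# thread (cipher names and grades as in the scan of 87.140.208.250).
SAMPLE_OUTPUT = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|_  least strength: A
"""

PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+) \(([^)]*)\) - ([A-F])\s*$")


def parse_enum_ciphers(text):
    """Map each protocol version to its (cipher, key exchange, grade) tuples."""
    suites, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            suites.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            suites[current].append((m.group(1), m.group(2), m.group(3)))
    return suites


def findings(suites):
    """Flag legacy protocol versions and CBC suites regardless of nmap's grade."""
    out = [f"{p} enabled with {len(suites[p])} suite(s)"
           for p in sorted(suites) if p in DEPRECATED_PROTOCOLS]
    cbc = {c for cl in suites.values() for c, _, _ in cl if "_CBC_" in c}
    if cbc:
        out.append(f"{len(cbc)} distinct CBC-mode suite(s) offered")
    return out
```

Feeding a real scan in place of the constructed sample works the same way; a clean endpoint yields an empty findings list.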

...the website is not my concern, the JSON webservices on cwa-, portal- and verification servers are

SebastianWolf-SAP commented 4 years ago

Well, you posted the issue for the website - the other services are not online yet... So let's talk about the website only for now.

Concerning the ssllabs.com results - we have different endpoints for www.coronawarn.app and coronawarn.app - that's why I didn't see the TLS 1.0 configuration as I only checked coronawarn.app... I asked the team to check and solve both. Thanks for your patience!

TomTeeJay commented 4 years ago

Of course. Looking forward to it, have a nice weekend!

Julian-B90 commented 4 years ago

The following resource can't be found: https://www.coronawarn.app/assets/css/ajax-loader.gif

OS: macOS 10.15.4, Browser: Chrome 83.0.4103.61

Screenshot 2020-06-02 at 22 07 39

tkowark commented 4 years ago

@Julian-B90 I'll create a new issue from your last comment

SebastianWolf-SAP commented 4 years ago

Sorry that it took a while, but finally all mentioned issues should be fixed. See also the results on:

Kind regards/Best regards, SW Corona Warn-App Open Source Team