Closed TomTeeJay closed 4 years ago
@TomTeeJay I get DNS_PROBE_FINISHED_NXDOMAIN errors for https://observatory.mozilla.com/
Sorry, my fault, it's https://observatory.mozilla.org, not .com; changed the link in the issue.
There is also the issue that the following resource cannot be found on https://www.coronawarn.app/de/. I guess it's a typo ;-)
https://www.coronawarn.app/assets/img/running-app@2x_.png
<img class="image-overflow image-overflow_left" src="/assets/img/running-app@2x_.png" title="..." alt="...">
Sigh, they have well-designed 404 pages, but as usual, 405 pages are forgotten...
@TomTeeJay See corona-warn-app/cwa-server/SECURITY.md for security contacts. Perhaps this information should be included in the FAQ for everyone.
So what would you suggest to do? Reporting this to your Incident Response Team? The Security Readme you've mentioned refers to CWA Server.
As I said in my disclaimer, there is no information or procedure defined regarding issues with the website. So there are basically two options:
1) you forward this to a website dev
2) a responsible website dev joins our very comfortable coffee party here :-)
@TomTeeJay There should not be much of a problem with reporting hygiene issues here, the more so as development is still underway. But it would indeed be good to:
Well, it's perfectly fine to report it here. Thank you very much! Once we have an update, we'll let you know.
Thank you both, Sven and Sebastian. I basically agree, but I would never consider TLS 1.0 a "hygiene issue" in the context of contact tracing and health apps.
Small update:
Well SSL Labs shows this:
for all your servers in your Telekom Cloud
I've cross-checked it with nmap for 87.148.208.250 as well as for 87.140.209.25, 87.140.209.26, 87.140.209.27, getting this:
# nmap --script ssl-enum-ciphers -p 443 87.140.208.250
Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-22 15:58 CEST
Nmap scan report for 87.140.208.250
Host is up (0.0083s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
# nmap --script ssl-enum-ciphers -p 443 87.140.209.25
Starting Nmap 7.60 ( https://nmap.org ) at 2020-05-22 15:46 CEST
Nmap scan report for 87.140.209.25
Host is up (0.0090s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| compressors:
| NULL
| cipher preference: server
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
...the website is not my concern, the JSON webservices on cwa-, portal- and verification servers are
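Added example (not part of the thread or of the project's code): a small Python parser for the `ssl-enum-ciphers` output quoted above that reports which hosts still accept deprecated protocol versions and which CBC suites survive in TLS 1.2, so the same check can be re-run against all four addresses after the fix. The sample scan embedded in it is constructed from the thread's output, and RFC 8996 is the reference for the deprecation of TLS 1.0/1.1.

```python
import re

# Constructed sample in the layout printed by `nmap --script ssl-enum-ciphers`
# (abridged from the thread's scan, not a live result).
SAMPLE_SCAN = """\
Nmap scan report for 87.140.208.250
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|_  least strength: A
"""

DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # retired by RFC 8996
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PROTO_RE = re.compile(r"^\|_?\s+((?:SSL|TLS)v[\d.]+):\s*$")
CIPHER_RE = re.compile(r"^\|_?\s+(TLS_[A-Z0-9_]+)\s+\([^)]*\)\s+-\s+[A-F]\s*$")

def parse_ssl_enum(text):
    """Return {host: {protocol: [cipher suites]}} from ssl-enum-ciphers output."""
    result, host, proto = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):          # new host block resets the state
            host, proto = m.group(1), None
            result[host] = {}
        elif (m := PROTO_RE.match(line)) and host:
            proto = m.group(1)                 # e.g. "TLSv1.0"
            result[host].setdefault(proto, [])
        elif (m := CIPHER_RE.match(line)) and host and proto:
            result[host][proto].append(m.group(1))
    return result

def findings(parsed):
    """Flag deprecated protocol versions and CBC suites that survive in TLS 1.2."""
    out = []
    for host, protos in parsed.items():
        for proto in sorted(p for p in protos if p in DEPRECATED):
            out.append(f"{host}: {proto} enabled ({len(protos[proto])} suites)")
        cbc = [c for c in protos.get("TLSv1.2", []) if "_CBC_" in c]
        if cbc:
            out.append(f"{host}: TLSv1.2 still offers {len(cbc)} CBC suites")
    return out
```

Pipe the real nmap output into `parse_ssl_enum` and an empty `findings` list is the pass condition once TLS 1.0/1.1 are switched off.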
Well, you posted the issue for the website - the other services are not online yet... So let's talk about the website only for now.
Concerning the ssllabs.com results - we have different endpoints for www.coronawarn.app and coronawarn.app - that's why I didn't see the TLS 1.0 configuration as I only checked coronawarn.app... I asked the team to check and solve both. Thanks for your patience!
Of course. Looking forward, have a nice weekend!
The following resource can't be found: https://www.coronawarn.app/assets/css/ajax-loader.gif
OS: macOS 10.15.4, Browser: Chrome 83.0.4103.61
@Julian-B90 I'll create a new issue from your last comment
Sorry that it took a while, but finally all mentioned issues should be fixed. See also the results on:
Kind regards/Best regards, SW Corona Warn-App Open Source Team
(Disclaimer: I am not sure if the website issues for https://www.coronawarn.app should be posted here, so please feel free to forward this to whoever is responsible for it.)
Though the website claims to be privacy-friendly, there are still these issues:
Please use common test suites to check website for security and privacy: