
Extract help in partials

Branch: new-scoring
Author: aeris, 1 year ago
Parent commit: 72c420effa
2 changed files with 259 additions and 251 deletions
1. app/views/site/_scoring.html.erb (+258, -0)
2. app/views/site/help.html.erb (+1, -251)

app/views/site/_scoring.html.erb (+258, -0)

@@ -0,0 +1,258 @@
1
+<h1>Scoring</h1>
2
+
3
+<p>
4
+	Currently, CryptCheck gives note from <%= rank_label :G %> for the
5
+	worst sites to <%= rank_label :'A+' %> for the best ones.
6
+</p>
7
+
8
+<p>
9
+	Scoring is based on the fact that TLS handshake is <b>not</b> authenticated,
10
+	and so an attacker can force to use whatever cipher he wants as soon as both
11
+	client and server support it, with a downgrade attack as simple as modify
12
+	TCP packets on the fly.
13
+</p>
14
+
15
+<p>
16
+	Such downgrade attack doesn't require heavy resources and can be made with
17
+	standard computer or phone.<br/>
18
+	The only difficult part is to be in position to modify the traffic between
19
+	the client and the server.
20
+	This is the case if the attacker is connected on the same network as the
21
+	client (hotspot, 3G…) with simple
22
+	<a href="https://en.wikipedia.org/wiki/ARP_spoofing">ARP spoofing</a>,
23
+	doable with tools like
24
+	<a href="https://forum.xda-developers.com/showthread.php?t=1593990">Droid Sheep</a>.<br/>
25
+</p>
26
+
27
+<p>
28
+	As client support can't be guessed, CryptCheck considers the <b>weakest</b>
29
+	suite supported server side.
30
+	This way, a connection to the scored service can't lead to a negociated
31
+	handshake with a worse score than the one given to the service, whatever
32
+	your client supports and whatever an attacker is present or not.
33
+</p>
34
+
35
+<table class="scoring table table-bordered table-condensed center table-striped">
36
+	<thead>
37
+	<tr>
38
+		<th rowspan="2">Score</th>
39
+		<td rowspan="2"></td>
40
+		<td colspan="3">Protection</td>
41
+		<td colspan="3">Weakness</td>
42
+	</tr>
43
+	<tr>
44
+		<td>Best</td>
45
+		<td>Great</td>
46
+		<td>Good</td>
47
+
48
+		<td>Future</td>
49
+		<td>Weak</td>
50
+		<td>Deprecated</td>
51
+	</tr>
52
+	</thead>
53
+	<tbody>
54
+	<tr>
55
+		<th><%= rank_label :'A+' %></th>
56
+		<td class="left">
57
+			Seriously take security into account and invest a lot on it.<br/>
58
+			Whatever the cost, encryption safety is implemented.
59
+			You can be proud!
60
+		</td>
61
+		<td><%= image_tag 'check-full.svg' %></td>
62
+		<td><%= image_tag 'check-full.svg' %></td>
63
+		<td><%= image_tag 'check-full.svg' %></td>
64
+		<td><%= image_tag 'check-empty.svg' %></td>
65
+		<td><%= image_tag 'check-empty.svg' %></td>
66
+		<td><%= image_tag 'check-empty.svg' %></td>
67
+	</tr>
68
+	<tr>
69
+		<th><%= rank_label :A %></th>
70
+		<td class="left">
71
+			Seriously take security into account and invest a lot on it.
72
+		</td>
73
+		<td><%= image_tag 'check-empty.svg' %></td>
74
+		<td><%= image_tag 'check-full.svg' %></td>
75
+		<td><%= image_tag 'check-full.svg' %></td>
76
+		<td><%= image_tag 'check-empty.svg' %></td>
77
+		<td><%= image_tag 'check-empty.svg' %></td>
78
+		<td><%= image_tag 'check-empty.svg' %></td>
79
+	</tr>
80
+	<tr>
81
+		<th><%= rank_label :'B+' %></th>
82
+		<td class="left">
83
+			Seriously take security into account and invest on it.
84
+		</td>
85
+		<td></td>
86
+		<td><%= image_tag 'check-full.svg' %></td>
87
+		<td><%= image_tag 'check-full.svg' %></td>
88
+		<td><%= image_tag 'check-empty.svg' %></td>
89
+		<td><%= image_tag 'check-empty.svg' %></td>
90
+		<td><%= image_tag 'check-empty.svg' %></td>
91
+	</tr>
92
+	<tr>
93
+		<th><%= rank_label :B %></th>
94
+		<td class="left">
95
+			Take security into account and invest on it.
96
+		</td>
97
+		<td></td>
98
+		<td><%= image_tag 'check-empty.svg' %></td>
99
+		<td><%= image_tag 'check-full.svg' %></td>
100
+		<td><%= image_tag 'check-empty.svg' %></td>
101
+		<td><%= image_tag 'check-empty.svg' %></td>
102
+		<td><%= image_tag 'check-empty.svg' %></td>
103
+	</tr>
104
+	<tr>
105
+		<th><%= rank_label :'C+' %></th>
106
+		<td class="left">
107
+			Take security into account and invest a little on it.
108
+		</td>
109
+		<td></td>
110
+		<td></td>
111
+		<td><%= image_tag 'check-full.svg' %></td>
112
+		<td><%= image_tag 'check-empty.svg' %></td>
113
+		<td><%= image_tag 'check-empty.svg' %></td>
114
+		<td><%= image_tag 'check-empty.svg' %></td>
115
+	</tr>
116
+	<tr>
117
+		<th><%= rank_label :C %></th>
118
+		<td class="left">
119
+			Take security into account but don't spend too much for it.
120
+		</td>
121
+		<td></td>
122
+		<td></td>
123
+		<td><%= image_tag 'check-empty.svg' %></td>
124
+		<td><%= image_tag 'check-empty.svg' %></td>
125
+		<td><%= image_tag 'check-empty.svg' %></td>
126
+		<td><%= image_tag 'check-empty.svg' %></td>
127
+	</tr>
128
+	<tr>
129
+		<th><%= rank_label :D %></th>
130
+		<td class="left">
131
+			Take security into account. Minimaly.<br/>
132
+			This is the worst score a decent service must have today.
133
+		</td>
134
+		<td></td>
135
+		<td></td>
136
+		<td></td>
137
+		<td><%= image_tag 'check-empty.svg' %></td>
138
+		<td><%= image_tag 'check-empty.svg' %></td>
139
+		<td><%= image_tag 'check-empty.svg' %></td>
140
+	</tr>
141
+	<tr>
142
+		<th><%= rank_label :E %></th>
143
+		<td class="left">
144
+			Take security into account. A little. Or not.
145
+		</td>
146
+		<td></td>
147
+		<td></td>
148
+		<td></td>
149
+		<td><%= image_tag 'cross-red.svg' %></td>
150
+		<td><%= image_tag 'check-empty.svg' %></td>
151
+		<td><%= image_tag 'check-empty.svg' %></td>
152
+	</tr>
153
+	<tr>
154
+		<th><%= rank_label :F %></th>
155
+		<td class="left">
156
+			Just don't take security into account.
157
+		</td>
158
+		<td></td>
159
+		<td></td>
160
+		<td></td>
161
+		<td></td>
162
+		<td><%= image_tag 'cross-red.svg' %></td>
163
+		<td><%= image_tag 'check-empty.svg' %></td>
164
+	</tr>
165
+	<tr>
166
+		<th><%= rank_label :G %></th>
167
+		<td class="left">
168
+			Just don't take security into account at all.<br/>
169
+			What the fuck you do, dude?
170
+		</td>
171
+		<td></td>
172
+		<td></td>
173
+		<td></td>
174
+		<td></td>
175
+		<td></td>
176
+		<td><%= image_tag 'cross-red.svg' %></td>
177
+	</tr>
178
+	<tr>
179
+		<th><%= rank_label :'0' %></th>
180
+		<td class="left">
181
+			No security at all. Just plain text.<br/>
182
+			Seriously, in <%= Date.today.year %>?
183
+		</td>
184
+		<td colspan="6"></td>
185
+	</tr>
186
+	<tr>
187
+		<th><%= rank_label :V %></th>
188
+		<td class="left">
189
+			Invalid certificate (wrong domain, expired…)
190
+		</td>
191
+		<td colspan="6"></td>
192
+	</tr>
193
+	<tr>
194
+		<th><%= rank_label :T %></th>
195
+		<td class="left">
196
+			Unstrusted certificate. Not issued by a trusted
197
+			<a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport">certificate authority</a>.
198
+		</td>
199
+		<td colspan="6"></td>
200
+	</tr>
201
+	<tr>
202
+		<th><%= rank_label :X %></th>
203
+		<td class="left">
204
+			Error occurs during the analysis. Try again later?
205
+		</td>
206
+		<td colspan="6"></td>
207
+	</tr>
208
+	</tbody>
209
+</table>
210
+<table class="scoring table table-bordered table-condensed">
211
+	<tr>
212
+		<td>
213
+			For protection:<br/>
214
+			<%= image_tag 'check-full.svg' %> Fully implemented
215
+			<%= image_tag 'check-empty.svg' %> Partially implemented<br/>
216
+
217
+			Good: simple to implement, small protection<br/>
218
+			Great: quiet hard to implement, middle protection<br/>
219
+			Best: hard to implement, strong protection
220
+		</td>
221
+		<td>
222
+			For weakness:<br/>
223
+			<%= image_tag 'check-empty.svg' %> Not vulnerable
224
+			<%= image_tag 'cross-red.svg' %> Vulnerable<br/>
225
+
226
+			Future: known weakness, but no practical attack known<br/>
227
+			Weak: known weakness, pratical attack exist<br/>
228
+			Deprecated: known weakness, merely equivalent or equal to plain text
229
+		</td>
230
+	</tr>
231
+</table>
232
+
233
+<p>
234
+	<i>Note</i>: Unlike HTTPS or XMPP, SMTP uses
235
+	<a href="https://en.wikipedia.org/wiki/Opportunistic_TLS">opportunistic encryption</a>.<br/>
236
+	When you send an email, the server used to forward the mail (the
237
+	<a href="https://en.wikipedia.org/wiki/Message_transfer_agent">MTA</a>) to
238
+	the recipient has no way to guess in advance if recipient MTA supports or
239
+	not encryption and which cipher suite will be available.
240
+	To avoid your email returning to you in case of failure, the standard for
241
+	email encryption (<a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a>)
242
+	requires to retry <b>in plain text</b> in case of encryption handshake
243
+	failure.<br/>
244
+	So, for SMTP, there is a compromise to make between strong configuration,
245
+	leading to plain text fallback for old or badly configured MTA, and
246
+	compatibility with such MTA to use weak encryption better than plain text
247
+	but allowing downgrade attack on stronger MTA.<br/>
248
+	Given email is a real nightmare for security, with multiple way to force a
249
+	connection to fallback to plain text
250
+	(<a href="https://www.eff.org/fr/deeplinks/2014/11/starttls-downgrade-attacks">STARTTLS stripping</a>,
251
+	<a href="https://labs.ripe.net/Members/stephane_bortzmeyer/dns-censorship-dns-lies-seen-by-atlas-probes">MX lying</a>…),
252
+	CryptCheck scores SMTP as HTTPS or XMPP and doesn't care about compatibility
253
+	trouble. This way, weak people are still weak, but strong people can (not
254
+	too much) hope strong encryption under normal condition.<br/>
255
+	Be advice than strong score here for SMTP means compatibility troubles.
256
+	Or fucked service which doesn't take care of your security.
257
+	I don't know, you turn to judge.
258
+</p>
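Review bot: this partial is not a verbatim extraction of the removed help text: the rows for `rank_label :'0'` ("No security at all. Just plain text.") and `rank_label :X` ("Error occurs during the analysis.") have no counterpart in the deleted block, and `<%= Date.today.year %>` adds a value computed at render time. For a commit titled "Extract help in partials" the text should be moved unchanged and the two new ranks added in a follow-up commit (or at least called out in the message), so the move can be reviewed as a pure move. Since this text is being touched anyway, the spelling errors copied across (`negociated`, `Minimaly`, `Unstrusted`, `quiet hard`, `pratical`, `Be advice than`) and the profanity in the `:G` row and in the SMTP note are worth cleaning up, and the Droid Sheep link points at a forum thread that may not stay live. One technical point in the moved prose: the second paragraph states that the TLS handshake is not authenticated, but the Finished messages cover the negotiated parameters, so a packet-rewriting downgrade only succeeds when the server still enables a suite weak enough to be broken during the handshake; that is exactly why scoring the weakest suite the server offers (fourth paragraph) is the right rule, and the text should say so instead of making the blanket claim. Likewise, RFC 3207 does not require a plaintext retry after a failed TLS handshake; that fallback is MTA behaviour, and the note should not attribute it to the RFC.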

app/views/site/help.html.erb (+1, -251)

@@ -1,257 +1,7 @@
1 1
 <div id="help" class="container">
2 2
 	<div class="row">
3 3
 		<div class="col-sm-12">
4
-			<h1>Scoring</h1>
5
-
6
-			<p>
7
-				Currently, CryptCheck gives note from <%= rank_label :G %> for the
8
-				worst sites to <%= rank_label :'A+' %> for the best ones.
9
-			</p>
10
-
11
-			<p>
12
-				Scoring is based on the fact that TLS handshake is <b>not</b>
13
-				authenticated, and so an attacker can force to use whatever
14
-				cipher he wants as soon as both client and server support it,
15
-				with a downgrade attack as simple as modify TCP packets on the
16
-				fly.
17
-			</p>
18
-
19
-			<p>
20
-				Such downgrade attack doesn't require heavy resources and can be
21
-				made with standard computer or phone.<br/>
22
-				The only difficult part is to be in position to modify the
23
-				traffic between the client and the server.
24
-				This is the case if the attacker is connected on the same network
25
-				as the client (hotspot, 3G…) with simple
26
-				<a href="https://en.wikipedia.org/wiki/ARP_spoofing">ARP spoofing</a>,
27
-				doable with tools like
28
-				<a href="https://forum.xda-developers.com/showthread.php?t=1593990">Droid Sheep</a>.<br/>
29
-			</p>
30
-
31
-			<p>
32
-				As client support can't be guessed, CryptCheck considers the
33
-				<b>weakest</b> suite supported server side.
34
-				This way, a connection to the scored service can't lead to a
35
-				negociated handshake with a worse score than the one given to
36
-				the service, whatever your client supports and whatever an
37
-				attacker is present or not.
38
-			</p>
39
-
40
-			<table class="scoring table table-bordered table-condensed center table-striped">
41
-				<thead>
42
-					<tr>
43
-						<th rowspan="2">Score</th>
44
-						<td rowspan="2"></td>
45
-						<td colspan="3">Protection</td>
46
-						<td colspan="3">Weakness</td>
47
-					</tr>
48
-					<tr>
49
-						<td>Best</td>
50
-						<td>Great</td>
51
-						<td>Good</td>
52
-
53
-						<td>Future</td>
54
-						<td>Weak</td>
55
-						<td>Deprecated</td>
56
-					</tr>
57
-				</thead>
58
-				<tbody>
59
-					<tr>
60
-						<th><%= rank_label :'A+' %></th>
61
-						<td class="left">
62
-							Seriously take security into account and invest a lot on it.<br/>
63
-							Whatever the cost, encryption safety is implemented.
64
-							You can be proud!
65
-						</td>
66
-						<td><%= image_tag 'check-full.svg' %></td>
67
-						<td><%= image_tag 'check-full.svg' %></td>
68
-						<td><%= image_tag 'check-full.svg' %></td>
69
-						<td><%= image_tag 'check-empty.svg' %></td>
70
-						<td><%= image_tag 'check-empty.svg' %></td>
71
-						<td><%= image_tag 'check-empty.svg' %></td>
72
-					</tr>
73
-					<tr>
74
-						<th><%= rank_label :A %></th>
75
-						<td class="left">
76
-							Seriously take security into account and invest a lot on it.
77
-						</td>
78
-						<td><%= image_tag 'check-empty.svg' %></td>
79
-						<td><%= image_tag 'check-full.svg' %></td>
80
-						<td><%= image_tag 'check-full.svg' %></td>
81
-						<td><%= image_tag 'check-empty.svg' %></td>
82
-						<td><%= image_tag 'check-empty.svg' %></td>
83
-						<td><%= image_tag 'check-empty.svg' %></td>
84
-					</tr>
85
-					<tr>
86
-						<th><%= rank_label :'B+' %></th>
87
-						<td class="left">
88
-							Seriously take security into account and invest on it.
89
-						</td>
90
-						<td></td>
91
-						<td><%= image_tag 'check-full.svg' %></td>
92
-						<td><%= image_tag 'check-full.svg' %></td>
93
-						<td><%= image_tag 'check-empty.svg' %></td>
94
-						<td><%= image_tag 'check-empty.svg' %></td>
95
-						<td><%= image_tag 'check-empty.svg' %></td>
96
-					</tr>
97
-					<tr>
98
-						<th><%= rank_label :B %></th>
99
-						<td class="left">
100
-							Take security into account and invest on it.
101
-						</td>
102
-						<td></td>
103
-						<td><%= image_tag 'check-empty.svg' %></td>
104
-						<td><%= image_tag 'check-full.svg' %></td>
105
-						<td><%= image_tag 'check-empty.svg' %></td>
106
-						<td><%= image_tag 'check-empty.svg' %></td>
107
-						<td><%= image_tag 'check-empty.svg' %></td>
108
-					</tr>
109
-					<tr>
110
-						<th><%= rank_label :'C+' %></th>
111
-						<td class="left">
112
-							Take security into account and invest a little on it.
113
-						</td>
114
-						<td></td>
115
-						<td></td>
116
-						<td><%= image_tag 'check-full.svg' %></td>
117
-						<td><%= image_tag 'check-empty.svg' %></td>
118
-						<td><%= image_tag 'check-empty.svg' %></td>
119
-						<td><%= image_tag 'check-empty.svg' %></td>
120
-					</tr>
121
-					<tr>
122
-						<th><%= rank_label :C %></th>
123
-						<td class="left">
124
-							Take security into account but don't spend too much for it.
125
-						</td>
126
-						<td></td>
127
-						<td></td>
128
-						<td><%= image_tag 'check-empty.svg' %></td>
129
-						<td><%= image_tag 'check-empty.svg' %></td>
130
-						<td><%= image_tag 'check-empty.svg' %></td>
131
-						<td><%= image_tag 'check-empty.svg' %></td>
132
-					</tr>
133
-					<tr>
134
-						<th><%= rank_label :D %></th>
135
-						<td class="left">
136
-							Take security into account. Minimaly.<br/>
137
-							This is the worst score a decent service must have today.
138
-						</td>
139
-						<td></td>
140
-						<td></td>
141
-						<td></td>
142
-						<td><%= image_tag 'check-empty.svg' %></td>
143
-						<td><%= image_tag 'check-empty.svg' %></td>
144
-						<td><%= image_tag 'check-empty.svg' %></td>
145
-					</tr>
146
-					<tr>
147
-						<th><%= rank_label :E %></th>
148
-						<td class="left">
149
-							Take security into account. A little. Or not.
150
-						</td>
151
-						<td></td>
152
-						<td></td>
153
-						<td></td>
154
-						<td><%= image_tag 'cross-red.svg' %></td>
155
-						<td><%= image_tag 'check-empty.svg' %></td>
156
-						<td><%= image_tag 'check-empty.svg' %></td>
157
-					</tr>
158
-					<tr>
159
-						<th><%= rank_label :F %></th>
160
-						<td class="left">
161
-							Just don't take security into account.
162
-						</td>
163
-						<td></td>
164
-						<td></td>
165
-						<td></td>
166
-						<td></td>
167
-						<td><%= image_tag 'cross-red.svg' %></td>
168
-						<td><%= image_tag 'check-empty.svg' %></td>
169
-					</tr>
170
-					<tr>
171
-						<th><%= rank_label :G %></th>
172
-						<td class="left">
173
-							Just don't take security into account at all.<br/>
174
-							What the fuck you do, dude?
175
-						</td>
176
-						<td></td>
177
-						<td></td>
178
-						<td></td>
179
-						<td></td>
180
-						<td></td>
181
-						<td><%= image_tag 'cross-red.svg' %></td>
182
-					</tr>
183
-					<tr>
184
-						<th><%= rank_label :V %></th>
185
-						<td class="left">
186
-							Invalid certificate (wrong domain, expired…)
187
-						</td>
188
-						<td colspan="6"></td>
189
-					</tr>
190
-					<tr>
191
-						<th><%= rank_label :T %></th>
192
-						<td class="left">
193
-							Unstrusted certificate. Not issued by a trusted
194
-							<a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport">certificate authority</a>.
195
-						</td>
196
-						<td colspan="6"></td>
197
-					</tr>
198
-				</tbody>
199
-			</table>
200
-			<table class="scoring table table-bordered table-condensed">
201
-				<tr>
202
-					<td>
203
-						For protection:<br/>
204
-						<%= image_tag 'check-full.svg' %> Fully implemented
205
-						<%= image_tag 'check-empty.svg' %> Partially implemented<br/>
206
-
207
-						Good: simple to implement, small protection<br/>
208
-						Great: quiet hard to implement, middle protection<br/>
209
-						Best: hard to implement, strong protection
210
-					</td>
211
-					<td>
212
-						For weakness:<br/>
213
-						<%= image_tag 'check-empty.svg' %> Not vulnerable
214
-						<%= image_tag 'cross-red.svg' %> Vulnerable<br/>
215
-
216
-						Future: known weakness, but no practical attack known<br/>
217
-						Weak: known weakness, pratical attack exist<br/>
218
-						Deprecated: known weakness, merely equivalent or equal to plain text
219
-					</td>
220
-				</tr>
221
-			</table>
222
-
223
-
224
-			<p>
225
-				<i>Note</i>: Unlike HTTPS or XMPP, SMTP uses
226
-				<a href="https://en.wikipedia.org/wiki/Opportunistic_TLS">opportunistic encryption</a>.<br/>
227
-				When you send an email, the server used to forward the mail
228
-				(the <a href="https://en.wikipedia.org/wiki/Message_transfer_agent">MTA</a>)
229
-				to the recipient has no way to guess in advance if recipient MTA
230
-				supports or not encryption and which cipher suite will be
231
-				available.
232
-				To avoid your email returning to you in case of failure, the
233
-				standard for email encryption
234
-				(<a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a>)
235
-				requires to retry <b>in plain text</b> in case of encryption
236
-				handshake failure.<br/>
237
-				So, for SMTP, there is a compromise to make between strong
238
-				configuration, leading to plain text fallback for old or badly
239
-				configured MTA, and compatibility with such MTA to use weak
240
-				encryption better than plain text but allowing downgrade attack
241
-				on stronger MTA.<br/>
242
-				Given email is a real nightmare for security, with multiple way
243
-				to force a connection to fallback to plain text
244
-				(<a href="https://www.eff.org/fr/deeplinks/2014/11/starttls-downgrade-attacks">STARTTLS stripping</a>,
245
-				<a href="https://labs.ripe.net/Members/stephane_bortzmeyer/dns-censorship-dns-lies-seen-by-atlas-probes">MX lying</a>…),
246
-				CryptCheck scores SMTP as HTTPS or XMPP and doesn't care about
247
-				compatibility trouble. This way, weak people are still weak, but
248
-				strong people can (not too much) hope strong encryption under
249
-				normal condition.<br/>
250
-				Be advice than strong score here for SMTP means compatibility
251
-				troubles.
252
-				Or fucked service which doesn't take care of your security.
253
-				I don't know, you turn to judge.
254
-			</p>
4
+			<%= render partial: 'scoring' %>
255 5
 		</div>
256 6
 	</div>
257 7
 </div>
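Review bot: `render partial: 'scoring'` resolves relative to the current controller, so this looks up `site/_scoring`, which matches the new file; if the partial is meant to be reused from views of other controllers (the commit message says "partials"), use the explicit path `render partial: 'site/scoring'` so the lookup does not depend on the caller. Note also that the removed block (251 lines) and the new partial (258 lines) differ in content, not only in indentation and line wrapping, so this hunk cannot be checked as a pure move against the one above.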
