3 years ago · aa5743577d
--- a/app/assets/images/liberapay.svg
+++ b/app/assets/images/liberapay.svg
--- a/app/assets/stylesheets/application.scss.erb
+++ b/app/assets/stylesheets/application.scss.erb
@@ -27,8 +27,17 @@
 	box-sizing: border-box;
 }

 $navbar-offset: $navbar-height + 10px;
 body {
 	padding-top: $navbar-height + 10px;
 	padding-top: $navbar-offset;
 }

 :target:before {
 	display: block;
 	content: " ";
 	margin-top: -$navbar-offset;
 	height: $navbar-offset;
 	visibility: hidden;
 }

 .label-error, .progress-bar-error {
@@ -40,7 +49,7 @@ body {
 }

 table.center {
 	td, th {
 	td {
 		text-align: center;

 		&.left {
--- a/app/assets/stylesheets/site.scss.erb
+++ b/app/assets/stylesheets/site.scss.erb
@@ -1,10 +1,14 @@
 #about, #help {
 	margin-bottom: 20px;
 }

 #about, #help .scoring {
 	p {
 		font-size: 1.25em;
 	}
 }


 #donorbox {
 	background: #2d81c5 url(<%= image_path 'donorbox.png' %>) no-repeat 18px center;
 	color: #fff;
--- a/app/helpers/check_helper.rb
+++ b/app/helpers/check_helper.rb
@@ -54,7 +54,7 @@ module CheckHelper
 	end

 	def rank_label(rank)
 		l = %i(V T).include? rank
 		l = %i(0 V T X).include? rank
 		label rank, rank_color(rank), !l
 	end

--- a/app/helpers/site_helper.rb
+++ b/app/helpers/site_helper.rb
@@ -1,3 +1,11 @@
 module SiteHelper
 	include CheckHelper

 	def rfc_link_to(rfc)
 		link_to "RFC #{rfc}", "https://tools.ietf.org/html/rfc#{rfc}", target: :_blank
 	end

 	def wikipedia_link_to(content, page)
 		link_to content, "https://en.wikipedia.org/wiki/#{page}", target: :_blank
 	end
 end
--- a/app/views/site/_checks.html.erb
+++ b/app/views/site/_checks.html.erb
@@ -0,0 +1,301 @@
 <h1>Checks</h1>
 <h2>Protection</h2>
 <h3>Hard protection</h3>

 <p>
 	Such protection are hard or risky to deploy but give strong protection
 	against attack.<br/>
 	Deploying such protection can just break your service for a long time if you
 	don't understand what you are doing.<br/>
 	Service using such protection really tries to protect you and really know
 	what security is.
 </p>
 <hr/>

 <h4 id="hpkp">
 	<%= rank_label :A %>
 	HTTP Public Key Pinning (HPKP)
 	<span class="small">HTTPS only, incoming feature</span>
 </h4>

 <p>
 	HPKP protection, specified in <%= rfc_link_to 7469 %>, consists of putting
 	headers on HTTP response to specify which keys or certificats are allowe
 	for the encryption.
 	If pinning mismatches, for example because of a
 	<%= wikipedia_link_to 'man-in-the-middle attack', 'Man-in-the-middle_attack' %>
 	connection is rejected and no data at all is transfered.
 </p>

 <pre>
 	<code>
 $ curl -sI https://cryptcheck.fr/ | grep public-key-pins
 public-key-pins: report-uri="https://aeris.report-uri.io/r/default/hpkp/enforce"; max-age=5184000;
 		pin-sha256="wdkD38iQQzxE7g0RpmN8VoaIqX7YmPWwoueD9Iqawfg="; pin-sha256="EswdUzfH2N8sx6Nb4Vr9gamtNF5VWQxLWUG0gDIPVLw=";
 	</code>
 </pre>

 <p>
 	HPKP is difficult to deploy because has a redemption period of some days
 	(maximum allowed: 60). During this time, in case of misconfiguration,
 	returning visitors will faced a TLS error page, even if the configuration
 	was fixed.
 </p>

 <hr/>

 <h3>Medium protection</h3>

 <p>
 	Such protection is not so easy to deploy and can have hazardous side effects,
 	but provides quiet good protection against some attacks.<br/>
 	Broken service is unexpected or could be fixed in a small time range.<br/>
 	Using such protection is a clear sign the service try to protect you.
 </p>

 <hr/>

 <h4 id="hsts">
 	<%= rank_label :A %>&nbsp;<%= rank_label :B %>
 	HTTP Strict Transport Security (HSTS)
 	<span class="small">HTTPS only</span>
 </h4>

 <p>
 	HSTS protection, specified in <%= rfc_link_to 6797 %>, consists of putting
 	headers on HTTP response to specify the service supports HTTPS.<br/>
 	After the first connection (HSTS is
 	"<%= wikipedia_link_to 'Trust On First Use', 'Trust_on_first_use' %>" (TOFU)),
 	the browser automatically rewrite <code>http://</code> address to
 	<code>https://</code>, avoiding a plain request (with potential data leak)
 	to be asked by the service to redirect to the <code>https://</code> address.
 </p>

 <pre>
 	<code>
 curl -sI https://cryptcheck.fr/ | grep strict-transport-security
 strict-transport-security: max-age=31536000; includeSubDomains; preload;
 	</code>
 </pre>

 <p>
 	To have full score on HSTS, you need to have a long <code>max-age</code>
 	period, at least 1 year (<code>31536000</code> seconds).<br/>
 	If you correctly configure your service with HSTS, you can also ask for
 	<a href="https://hstspreload.org/" target="_blank">browser preloading</a>,
 	avoiding the trouble of the first connection.
 </p>

 <hr/>

 <h3>Easy protection</h3>

 <p>
 	Such protection is easy to deploy and without .<br/>
 	Broken service is unexpected or could be fixed in a small time range.<br/>
 	Using such protection is a clear sign the service try to protect you.
 </p>

 <hr/>

 <h4 id="aead">
 	<%= rank_label :C %>
 	Authentificated Encryption with Authenticated Data (AEAD)
 </h4>

 <p>
 	Since 2014, TLS (and SSL) suffers of
 	<a href="https://www.imperialviolet.org/2014/12/08/poodleagain.html" target="_blank">PODDLE</a>
 	vulnerability on the way padding is done during TLS handshake.
 	An attacker can play with this encrypted padding to guess underlying plain
 	data.<br/>

 	Any <%= wikipedia_link_to 'cipher mode operation', 'Block_cipher_mode_of_operation' %>
 	other than <%= wikipedia_link_to 'AEAD', 'Authenticated_encryption' %> is
 	vulnerable to this attack.
 </p>

 <p>
 	In practice, POODLE is a serious flaw for SSLv2/v3, which must be avoided
 	in all cases, but also for TLSv1.0/1.1.<br/>
 	Service operators must support AEAD cipher suite as soon as possible, to
 	avoid trouble when practical attack will be found on POODLE on TLS.<br/>
 	Such cipher suite is only available on TLSv1.2, so operators must disable
 	TLSv1.0 now, and TLSv1.1 as soon as possible.
 </p>

 <hr/>

 <h4 id="scsv">
 	<%= rank_label :C %>
 	TLS Fallback Signaling Cipher Suite Value (SCSV)
 </h4>

 <p>
 	SCSV, specify in <%= rfc_link_to 7507 %> is a TLS extension to allow a
 	client to signal to the server a previous hanshake attempt with higher TLS
 	version was done, but unsuccessfully.<br/>
 	This way, the server can detect a downgrade attack on the line, because
 	supporting better than the current TLS version.<br/>
 	Without this signaling value, the server has no way to distinguish between
 	a client supporting TLSv1.2 but downgraded to TLSv1.1 and a client TLSv1.1
 	only.<br/>
 	For example, this feature allows blocking of downgrade attack from TLSv1.2
 	(AEAD & PFS) to TLSv1.0 (nor AEAD nor PFS) to exploit POODLE vulnerability
 	more easily.
 </p>

 <p>
 	To activate SCSV, you just need a decent OpenSSL version (1.0.1j+).
 	LibreSSL currently doesn't have support for this.
 </p>

 <hr/>

 <h2>Weaknesses</h2>
 <h3>Future weakness</h3>

 <p>
 	This kind of weakness is theorical vulnerability but without practical
 	attack or with too much side effects to be able to patch it.
 </p>

 <hr/>

 <h3>Current weakness</h3>

 <p>
 	Such weakness knows practical attacks to break encryption.
 	Using such features is hightly discourage, and operators must take quick
 	actions to remove them.
 </p>

 <hr/>

 <h4 id="tlsv1.0">
 	<%= rank_label :F %>
 	TLSv1.0
 </h4>

 <p>
 	TLSv1.0 is vulnerable to
 </p>

 <hr/>

 <!--
 <h4 id="pfs">
 	<%= rank_label :F %>
 	Perfect Forward Secrecy (PFS)
 </h4>

 <p>
 	<%= wikipedia_link_to 'PFS', 'Forward_secrecy' %> is
 </p>

 <hr/>
 -->

 <h3>Deprecated feature</h3>

 <hr/>

 <h4 id="ssl">
 	<%= rank_label :G %>
 	SSLv2, SSLv3
 </h4>

 <p>
 	SSLv2 and SSLv3 are deprecated SSL protocol version.<br/>
 	Pratical attacks exist to decrypt SSL encrypted traffic to plain text in
 	some minutes with standard computer.
 	For SSLv3, it's
 	<a href="https://security.googleblog.com/2014/10/this-poodle-bites-exploiting-ssl-30.html" target="_blank">POODLE</a>
 	again.
 	For SSLv2, it's was supposed to never be in production because too bad and
 	broken cryptography under the hood.
 	<a href="https://drownattack.com/" target="_blank">DROWN</a> vulnerability
 	allows an attacker to decrypt encrypted traffic (even TLSv1.2!) as soon as
 	one of the servers used for the service supports SSLv2 with the same key.
 </p>

 <hr/>

 <!--
 <h4 id="rc4">
 	<%= rank_label :G %>
 	RC4
 </h4>

 <p>
 	<%= wikipedia_link_to 'RC4', 'RC4' %> is a stream cipher, recently known to
 	have
 </p>

 <hr/>
 -->

 <h4 id="sha1">
 	<%= rank_label :E %>&nbsp;<%= rank_label :G %>
 	SHA-1
 	<span class="small">incoming feature for HMAC</span>
 </h4>

 <p>
 	<%= wikipedia_link_to 'SHA-1', 'SHA-1' %> is a cryptographic hash function
 	used in TLS cipher suite.
 	<a href="https://shattered.io/" target="_blank">It was broken</a> in 2016.
 </p>

 <p>
 	SHA-1 is used in two parts of the handshake.<br/>
 	For <%= wikipedia_link_to 'HMAC', 'Hash-based_message_authentication_code' %>,
 	which protect each messages exchanged during handshake. Because lifetime of
 	such HMAC is very short (TCP/IP round trip), SHA-1 collision is not a real
 	trouble on this part.<br/>
 	For key exchange and authentication. Each certificate is signed by the issuer
 	certificate using a digest.
 	In this case, if SHA-1 digest is used and because certificate lifetime is
 	long (years to decades), collision on digest could allow an attacker to
 	forge a rogue certificate which match the real certificate digest, and so
 	to impersonate the TLS service behind.
 </p>

 <p>
 	SHA-1 signed certificates must be banned.<br/>
 	SHA-1 HMAC is currently quite safe, but operators must take action to ensure
 	SHA-2 compatibility with clients in case if SHA-1 must be revoked even for
 	HMAC.
 </p>

 <hr/>

 <h4 id="digest">
 	<%= rank_label :G %>
 	MD-5, MD-4, MD-2, MDC-2
 </h4>

 <p>
 	MD-5, MD-4, MD-2 and MDC-2 are completely broken hash function.
 	Just don't use it.
 </p>

 <h4 id="compression">
 	<%= rank_label :G %>
 	Compression
 	<span class="small">incoming feature</span>
 </h4>

 <p>
 	With TLS compression activated, some oracle attacks allow to decrypt the
 	content.
 	For example the
 	<a href="https://arstechnica.com/information-technology/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/" target="_blank">BREACH</a>
 	or
 	<a href="https://threatpost.com/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312/77006/" target="_blank">CRIME</a>
 	attacks.
 </p>

 <p>
 	TLS compression must be disabled on the service.
 </p>
--- a/app/views/site/_scoring.html.erb
+++ b/app/views/site/_scoring.html.erb
@@ -19,8 +19,8 @@
 	the client and the server.
 	This is the case if the attacker is connected on the same network as the
 	client (hotspot, 3G…) with simple
 	<a href="https://en.wikipedia.org/wiki/ARP_spoofing">ARP spoofing</a>,
 	doable with tools like
 	<%= wikipedia_link_to 'ARP spoofing', 'ARP_spoofing' %>, doable with tools
 	like
 	<a href="https://forum.xda-developers.com/showthread.php?t=1593990">Droid Sheep</a>.<br/>
 </p>

@@ -37,22 +37,22 @@
 	<tr>
 		<th rowspan="2">Score</th>
 		<td rowspan="2"></td>
 		<td colspan="3">Protection</td>
 		<td colspan="3">Weakness</td>
 		<th colspan="3">Protection</th>
 		<th colspan="3">Weakness</th>
 	</tr>
 	<tr>
 		<td>Best</td>
 		<td>Great</td>
 		<td>Good</td>
 		<th>Hard</th>
 		<th>Medium</th>
 		<th>Easy</th>

 		<td>Future</td>
 		<td>Weak</td>
 		<td>Deprecated</td>
 		<th>Future</th>
 		<th>Weak</th>
 		<th>Deprecated</th>
 	</tr>
 	</thead>
 	<tbody>
 	<tr>
 		<th><%= rank_label :'A+' %></th>
 		<td><%= rank_label :'A+' %></td>
 		<td class="left">
 			Seriously take security into account and invest a lot on it.<br/>
 			Whatever the cost, encryption safety is implemented.
@@ -66,7 +66,7 @@
 		<td><%= image_tag 'check-empty.svg' %></td>
 	</tr>
 	<tr>
 		<th><%= rank_label :A %></th>
 		<td><%= rank_label :A %></td>
 		<td class="left">
 			Seriously take security into account and invest a lot on it.
 		</td>
@@ -78,7 +78,7 @@
 		<td><%= image_tag 'check-empty.svg' %></td>
 	</tr>
 	<tr>
 		<th><%= rank_label :'B+' %></th>
 		<td><%= rank_label :'B+' %></td>
 		<td class="left">
 			Seriously take security into account and invest on it.
 		</td>
@@ -90,7 +90,7 @@
 		<td><%= image_tag 'check-empty.svg' %></td>
 	</tr>
 	<tr>
 		<th><%= rank_label :B %></th>
 		<td><%= rank_label :B %></td>
 		<td class="left">
 			Take security into account and invest on it.
 		</td>
@@ -102,7 +102,7 @@
 		<td><%= image_tag 'check-empty.svg' %></td>
 	</tr>
 	<tr>
 		<th><%= rank_label :'C+' %></th>
 		<td><%= rank_label :'C+' %></td>
 		<td class="left">
 			Take security into account and invest a little on it.
 		</td>
@@ -114,7 +114,7 @@
 		<td><%= image_tag 'check-empty.svg' %></td>
 	</tr>
 	<tr>
 		<th><%= rank_label :C %></th>
 		<td><%= rank_label :C %></td>
 		<td class="left">
 			Take security into account but don't spend too much for it.
 		</td>
@@ -126,7 +126,7 @@
 		<td><%= image_tag 'check-empty.svg' %></td>
 	</tr>
 	<tr>
 		<th><%= rank_label :D %></th>
 		<td><%= rank_label :D %></td>
 		<td class="left">
 			Take security into account. Minimaly.<br/>
 			This is the worst score a decent service must have today.
@@ -139,7 +139,7 @@
 		<td><%= image_tag 'check-empty.svg' %></td>
 	</tr>
 	<tr>
 		<th><%= rank_label :E %></th>
 		<td><%= rank_label :E %></td>
 		<td class="left">
 			Take security into account. A little. Or not.
 		</td>
@@ -151,7 +151,7 @@
 		<td><%= image_tag 'check-empty.svg' %></td>
 	</tr>
 	<tr>
 		<th><%= rank_label :F %></th>
 		<td><%= rank_label :F %></td>
 		<td class="left">
 			Just don't take security into account.
 		</td>
@@ -163,7 +163,7 @@
 		<td><%= image_tag 'check-empty.svg' %></td>
 	</tr>
 	<tr>
 		<th><%= rank_label :G %></th>
 		<td><%= rank_label :G %></td>
 		<td class="left">
 			Just don't take security into account at all.<br/>
 			What the fuck you do, dude?
@@ -176,7 +176,7 @@
 		<td><%= image_tag 'cross-red.svg' %></td>
 	</tr>
 	<tr>
 		<th><%= rank_label :'0' %></th>
 		<td><%= rank_label :'0' %></td>
 		<td class="left">
 			No security at all. Just plain text.<br/>
 			Seriously, in <%= Date.today.year %>?
@@ -184,14 +184,14 @@
 		<td colspan="6"></td>
 	</tr>
 	<tr>
 		<th><%= rank_label :V %></th>
 		<td><%= rank_label :V %></td>
 		<td class="left">
 			Invalid certificate (wrong domain, expired…)
 		</td>
 		<td colspan="6"></td>
 	</tr>
 	<tr>
 		<th><%= rank_label :T %></th>
 		<td><%= rank_label :T %></td>
 		<td class="left">
 			Unstrusted certificate. Not issued by a trusted
 			<a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport">certificate authority</a>.
@@ -199,7 +199,7 @@
 		<td colspan="6"></td>
 	</tr>
 	<tr>
 		<th><%= rank_label :X %></th>
 		<td><%= rank_label :X %></td>
 		<td class="left">
 			Error occurs during the analysis. Try again later?
 		</td>
@@ -214,9 +214,9 @@
 			<%= image_tag 'check-full.svg' %> Fully implemented
 			<%= image_tag 'check-empty.svg' %> Partially implemented<br/>

 			Good: simple to implement, small protection<br/>
 			Great: quiet hard to implement, middle protection<br/>
 			Best: hard to implement, strong protection
 			Easy: simple to implement, small protection<br/>
 			Medium: quiet hard to implement, middle protection<br/>
 			Hard: hard to implement, strong protection
 		</td>
 		<td>
 			For weakness:<br/>
@@ -232,15 +232,14 @@

 <p>
 	<i>Note</i>: Unlike HTTPS or XMPP, SMTP uses
 	<a href="https://en.wikipedia.org/wiki/Opportunistic_TLS">opportunistic encryption</a>.<br/>
 	<%= wikipedia_link_to 'opportunistic encryption', 'Opportunistic_TLS' %>.<br/>
 	When you send an email, the server used to forward the mail (the
 	<a href="https://en.wikipedia.org/wiki/Message_transfer_agent">MTA</a>) to
 	the recipient has no way to guess in advance if recipient MTA supports or
 	not encryption and which cipher suite will be available.
 	<%= wikipedia_link_to 'MTA', 'Message_transfer_agent' %> to the recipient
 	has no way to guess in advance if recipient MTA supports or not encryption
 	and which cipher suite will be available.
 	To avoid your email returning to you in case of failure, the standard for
 	email encryption (<a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a>)
 	requires to retry <b>in plain text</b> in case of encryption handshake
 	failure.<br/>
 	email encryption (<%= rfc_link_to 3207 %>) requires to retry
 	<b>in plain text</b> in case of encryption handshake failure.<br/>
 	So, for SMTP, there is a compromise to make between strong configuration,
 	leading to plain text fallback for old or badly configured MTA, and
 	compatibility with such MTA to use weak encryption better than plain text
--- a/app/views/site/about.html.erb
+++ b/app/views/site/about.html.erb
@@ -69,13 +69,11 @@

 			<p id="contribute">
 				Bitcoin <a href="bitcoin:1aerisnnLWPchhDSXpxWGYWwLiSFUVFnd?label=cryptcheck">1aerisnnLWPchhDSXpxWGYWwLiSFUVFnd</a><br/>
 				<a id="bitcoin" href="bitcoin:1aerisnnLWPchhDSXpxWGYWwLiSFUVFnd?label=cryptcheck">
 					<%= image_tag 'bitcoin.png', alt: 'Donate using Bitcoin' %>
 				</a>
 				<a id="bitcoin" href="bitcoin:1aerisnnLWPchhDSXpxWGYWwLiSFUVFnd?label=cryptcheck"><%= image_tag 'bitcoin.png', alt: 'Donate using Bitcoin' %></a>
 				<br/>

 				Liberapay, for recurring donation, require a account (but respect your privacy)<br/>
 				<a id="liberapay" href="https://liberapay.com/aeris/donate" target="_blank"><%= image_tag 'donate.svg', alt: 'Donate using Liberapay' %></a>
 				<a id="liberapay" href="https://liberapay.com/aeris/donate" target="_blank"><%= image_tag 'liberapay.svg', alt: 'Donate using Liberapay' %></a>
 				<br/>

 				Donorbox, for recurring and one-shot donation, doesn't require an account<br/>
--- a/app/views/site/help.html.erb
+++ b/app/views/site/help.html.erb
@@ -1,7 +1,12 @@
 <div id="help" class="container">
 	<div class="row">
 	<div class="scoring row">
 		<div class="col-sm-12">
 			<%= render partial: 'scoring' %>
 		</div>
 	</div>
 	<div class="checks row">
 		<div class="col-sm-12">
 			<%= render partial: 'checks' %>
 		</div>
 	</div>
 </div>