A Paul.Reviews Project

FAQs

General

What is Qualys?

Website - SSL/TLS (In Transit Encryption)

Qualys SSL Labs is a free online service that performs a deep analysis of the TLS configuration of any web server on the public Internet (certificate chain, supported protocol versions and cipher suites, known weaknesses) and summarises the result as a letter grade. More information can be found on the SSL Labs website.

Email Security

What is StartTLS?

StartTLS is an extension to plaintext application protocols (SMTP, IMAP, POP3) which offers a way to upgrade an existing plaintext connection to an encrypted TLS connection, rather than using a separate port for encrypted traffic. Because the upgrade is negotiated in the clear, an attacker on the path can strip the STARTTLS capability from the server's reply, and a client that does not insist on TLS will simply carry on in plaintext.
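The SMTP side of that upgrade, as an added example (not code from the original page): the client reads the server's EHLO reply, sends STARTTLS only if it is advertised, and refuses to continue in plaintext when it is not. The sample replies are constructed, not captured from a real server, and the "stripped" reply shows what an on-path attacker's edit looks like; `send_with_mandatory_tls` is the same logic using the standard library's `smtplib`, for real connections.

```python
import re
import ssl
import smtplib

# Added example: STARTTLS negotiation on the client side, failing closed.


class DowngradeError(Exception):
    """Raised when the peer does not offer STARTTLS and we refuse plaintext."""


def parse_ehlo(response: str) -> set:
    """Return the SMTP extensions advertised in a multi-line 250 reply.

    A reply looks like:
        250-mail.example.test Hello client
        250-SIZE 52428800
        250-STARTTLS
        250 HELP
    The first line is the greeting; every later line names one extension.
    """
    extensions = set()
    for line in response.strip().splitlines()[1:]:
        m = re.match(r"250[ -](\S+)", line)
        if m:
            extensions.add(m.group(1).upper())
    return extensions


def plan_upgrade(ehlo_response: str, require_tls: bool = True) -> str:
    """Return the next command the client sends: STARTTLS if offered, else
    MAIL FROM only when plaintext is explicitly allowed."""
    if "STARTTLS" in parse_ehlo(ehlo_response):
        return "STARTTLS"
    if require_tls:
        raise DowngradeError("server did not advertise STARTTLS; refusing to send in plaintext")
    return "MAIL FROM"


# Constructed sample replies (not from a real server).
HONEST_EHLO = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
# The same reply after an on-path attacker deletes the STARTTLS line.
STRIPPED_EHLO = (
    "250-mail.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250 HELP\r\n"
)


def send_with_mandatory_tls(host: str, port: int = 587) -> None:
    """Real-connection version: the same fail-closed rule with smtplib."""
    ctx = ssl.create_default_context()      # verifies the server certificate and hostname
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise DowngradeError("no STARTTLS offered by %s" % host)
        smtp.starttls(context=ctx)
        smtp.ehlo()                         # capabilities must be re-read after the upgrade
        # authenticate and send mail here


if __name__ == "__main__":
    print(plan_upgrade(HONEST_EHLO))        # STARTTLS
    try:
        plan_upgrade(STRIPPED_EHLO)
    except DowngradeError as e:
        print("refused:", e)
```

The important design choice is `require_tls=True` by default: opportunistic STARTTLS protects only against a passive eavesdropper, so a client (or mail relay) that cares about confidentiality must treat a missing STARTTLS as an error, not as a reason to fall back.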

Password Entry & Storage

Why are minimum & maximum lengths important?

A strong, secure password depends on several factors: complexity, length and uniqueness. A password should consist of a minimum of 12 characters (subject to change) to ensure it's sufficiently hard to break. Assuming it's unique and chosen at random, the greater the length, the stronger the password. An upper limit is reasonable, since it bounds the cost of hashing whatever an attacker chooses to submit, but a low one (16 or 20 characters, say) needlessly caps strength and often hints that the password is being truncated or stored in a fixed-width field rather than hashed.

Why do some sites restrict supported characters?

If a password is stored in a safe & secure manner, such that it's only ever known to you, there are no technical constraints regarding which characters can be used: a hashed password never reaches a query or a command as text. That said, a restriction doesn't necessarily mean passwords are stored insecurely either. Sites that restrict which characters can be used often do so in a misguided attempt to mitigate risks to their own systems (injection attacks, for example) that should be addressed by parameterised queries and proper hashing, not by rejecting quotes or symbols. Although not definitive, such a restriction is often a good indicator that the method of storage is not particularly safe.

Why is password storage important?

A password is, by definition, a shared secret. There are several methods of storage, each with its own benefits & drawbacks.

Plain Text:

Storing passwords in plain text should be avoided at all costs: anyone who can read the database (the operator, a rogue employee, or an attacker after a breach) can read every password directly. If you must use a service which adopts this method, ensure your password is absolutely unique and bears no resemblance to any password you've chosen before.

Encrypted:

Under very limited circumstances, some sites may require knowledge of your chosen password (unified email inboxes, dial-up authentication, APIs etc). When combined with solid key management, encryption allows your credentials to be protected whilst "at rest", but still allows the service to function as expected. The terms "encrypted" & "hashed" are often used interchangeably, but they are fundamentally different: encryption is reversible by anyone holding the key, hashing is not. As a service provider, there's only a need to encrypt a password if there's a need to decrypt it later.

Hashed:

In the vast majority of cases, passwords should be hashed using an appropriate algorithm. As opposed to "encryption", hashing literally digests your password, such that it's almost impossible to obtain the original secret. "Appropriate" means a salted, deliberately slow algorithm designed for passwords (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count) rather than a fast general-purpose hash such as MD5, SHA-1 or unsalted SHA-256: the real threat is an attacker with a copy of the database guessing billions of candidates offline, and a slow hash is what makes each guess expensive.

Use a password manager.

Authentication & Session Management

Why is logging in over HTTPS important?

HTTP offers absolutely no guarantee of privacy, integrity, authenticity or security, meaning data can be easily intercepted, read and altered by an attacker on the path. HTTPS (HTTP over SSL/TLS) offers greater protection by ensuring the login page you receive really came from the site and has not been tampered with, and that any data sent is encrypted such that only authorised parties can read the contents.

I use a site which loads over HTTP but sends data via HTTPS. Am I safe?

No. The security & integrity of each page depends entirely on that of the page which delivered it. If the initial login page is served over HTTP, an attacker who can modify it in transit can change where the form submits to, or inject script that captures what you type before it is ever sent over HTTPS, so your credentials can be compromised regardless of where the form posts.

What is mixed-mode?

A site operating in "mixed mode" is willing to share your cookie/session information over an insecure protocol (HTTP), typically because the session cookie is not marked Secure and some of the site is still reachable over HTTP. If an attacker is able to obtain your session information, they may not require your username/password in order to access your account.

Cookies

What is Session HTTP?

If a cookie is marked "HttpOnly", it is unavailable to & protected from scripts (malicious or otherwise) running on the page and is used purely by your browser during each request. This limits the damage of a cross-site scripting flaw: injected script cannot read the session cookie and send it elsewhere. If a script contained within the site genuinely requires access to some cookie, the right approach is a separate, non-HttpOnly cookie for that purpose, rather than exposing the session cookie as well.

What is Session Secure?

If a cookie is marked "Secure", the browser will only send it over an encrypted connection (HTTPS). Without it, an attacker who can trick your browser into making a plain HTTP request to the site (a link in an email, an injected image, a captive portal) receives the cookie in the clear.

Response Headers

What is X-Frame-Options?

The X-Frame-Options header tells the browser whether the document may be rendered inside a frame: DENY forbids it everywhere, SAMEORIGIN allows it only from pages on the same origin. It is usually implemented to mitigate "clickjacking", where an attacker overlays an invisible frame of the real site on a page they control so that your clicks land on the real site's buttons. The Content Security Policy frame-ancestors directive does the same job with finer control and is the modern replacement.

What is HSTS?

HSTS or HTTP Strict Transport Security is a web security policy mechanism which helps to protect HTTPS websites against downgrade attacks and cookie hijacking. Once the browser has seen the Strict-Transport-Security header from a site, it rewrites any plain http:// request for that site to https:// and refuses to proceed past certificate errors, until the max-age value (a time to live, in seconds) expires. This value is set by the site. Because the policy is only learnt on a successful HTTPS visit, the very first connection is unprotected unless the site is on the browsers' built-in preload list, which requires a max-age of at least one year; sites usually start with a short max-age and raise it once they are confident nothing still depends on HTTP.

What is HPKP?

HPKP or HTTP Public Key Pinning is a security feature that tells a web client to associate a specific cryptographic public key with a certain web server, to prevent MITM attacks with forged certificates. It has since been deprecated and removed from mainstream browsers: a mistaken or lost pin locks every visitor out of the site for the pin's lifetime, and Certificate Transparency has taken over the job of catching mis-issued certificates.

What is CSP?

CSP or Content Security Policy is a security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks. Through the Content-Security-Policy header, the site tells the browser which sources it may load scripts, styles, images and frames from (and whether inline script is allowed at all); anything outside the policy is blocked even if an attacker manages to inject it into the page.

What is XSS?

XSS or Cross-Site Scripting is an attack in which an attacker's script runs in the context of a site you are logged in to. The header referred to here is X-XSS-Protection, served by a site to enable a browser's built-in reflected-XSS filter, which may have been disabled by the user or system administrator. That filter has since been removed from the major browsers and the header is now considered obsolete; a Content Security Policy is the effective control.

What is Content Type Options?

X-Content-Type-Options: nosniff prevents supported browsers from guessing ("sniffing") the type of the data they're about to receive, forcing it to be interpreted as the Content-Type specified by the site. Without it, a browser may decide that a user-uploaded file or an API response is really HTML or JavaScript and execute it.
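A quick audit of the cookie flags (HttpOnly, Secure) and the response headers discussed in the two sections above, as an added example that is not part of the original page. It runs over constructed HTTP responses rather than a live site; the one-year HSTS floor and the wording of the findings are this example's own choices. The weak response shows the typical defaults, the hardened one what a site that follows this FAQ would send.

```python
import re

# Added example: audit Set-Cookie flags and security headers in a raw HTTP response.

MIN_HSTS_MAX_AGE = 31536000   # one year, the floor required by the HSTS preload lists


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_line, headers). headers maps
    lower-cased names to a list of values, since Set-Cookie may repeat."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def audit_cookies(headers):
    """Flag cookies that scripts can read or that travel over plain HTTP."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("cookie %s lacks Secure: it will be sent over plain HTTP" % name)
        if "httponly" not in attrs:
            findings.append("cookie %s lacks HttpOnly: readable by page scripts" % name)
    return findings


def audit_headers(headers):
    """Check HSTS, framing control, CSP and content-type sniffing protection."""
    findings = []

    def first(name):
        return headers.get(name, [""])[0]

    hsts = first("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m:
        findings.append("no HSTS header: downgrade to HTTP is possible")
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age %s is below one year" % m.group(1))

    csp = first("content-security-policy")
    xfo = first("x-frame-options").upper()
    if "frame-ancestors" not in csp.lower() and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing control (X-Frame-Options or CSP frame-ancestors): clickjacking possible")
    if not csp:
        findings.append("no Content-Security-Policy header")
    if first("x-content-type-options").lower() != "nosniff":
        findings.append("no X-Content-Type-Options: nosniff; browser may sniff content types")
    return findings


def audit(raw: str):
    _, headers = parse_response(raw)
    return audit_cookies(headers) + audit_headers(headers)


# Constructed responses, not captured from any real site.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for f in audit(WEAK_RESPONSE):
        print("weak:", f)
    print("hardened:", audit(HARDENED_RESPONSE) or "no findings")
```

To run it against a real site, feed `audit` the raw response text from `curl -si https://example.test/login` (the `-i` keeps the headers); the checks are deliberately simple string tests so the output maps one-to-one onto the questions above.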

Critical Issues

Which issues are classed as "critical"?

Any vulnerability which potentially provides instant or near-instant access to critical system/user information with little or no real effort. Typical examples are SQL injection, arbitrary code execution, leaked database or server credentials, open and unauthenticated services, etc.

Serious Issues

Which issues are classed as "serious"?

Any vulnerability which potentially provides access to system/user information with minimal effort required on the part of the attacker. Typical examples are stored or reflected XSS, CSRF, broken authentication or session management, etc.