Website security

Just as a request and encouragement for XOJO staff: Please improve the security of the xojo.com website. Actually it fails completely in known security tests and doesn’t support SSL by default. One reason for using XOJO for Web Apps is its security. But I run short of arguments when confronted with these F-class ratings of xojo.com.

https://observatory.mozilla.org/analyze.html?host=www.xojo.com
https://www.ssllabs.com/ssltest/analyze.html?d=xojo.com

I’ve started a prize competition recently, offering everybody a free 60 min flight in an airplane over South Westphalia (my local area) if he can show me a more secure website. Get more information here (sorry, in German only, please use Google Translate): https://jakobssystems.net/sicherste-website-in-suedwestfalen/

Maybe as inspiration for others…

Well, Apple gets a D, Google a C-, Microsoft a D+, Mozilla a B+, etc.

I have to wonder how useful the rating really is …

Well Markus, these particular check suites represent an industry standard. Known techniques like HSTS and checks against POODLE, OpenSSL, broken 3DES ciphers and other cross-site vulnerabilities. Did you know that over 1000 shops in Germany have been leaked?

I do not care about other ratings and I could name you a lot of first-class secure websites like twitter.com.
It’s about liability and security, and my intention as a developer is to build the most secure and robust apps and websites.

I’m not sure how useful this is. A public informational site is not designed to be secure, nor does it need to be, but the first tool seems to assume it’s meant to be and “grades” against that assumption.

Have I missed something?

Kem, but it’s not just informational. It has a webshop, online payment and more. You’re right in saying a grade alone does not tell you anything about security. Somebody could have an A+ grade; though if the password is visible on a whiteboard behind them, he or she has failed.

These tests show that the website is not “state-of-the-art”, “industrial-strength” and that security is not “woven into the core” as Xojo is claiming here.

This claim is about Xojo Cloud, though. And the part that takes online payment, etc., was not tested, nor can I see a way to test it.

Kem, it’s not my intention to blame anybody or to get lost in details. I believe that both Xojo and we as developers and customers would benefit from a more secure website with better ratings. And I believe that this can be achieved with minimal config changes. The first step could be SSL by default, the second step securing cookies and stopping cross-site vulnerabilities.
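To make the “minimal config changes” concrete, here is an added example (not code from the thread or from Xojo) that audits a set of HTTP response headers for the same things Observatory-style scanners grade: HSTS, cookie Secure/HttpOnly/SameSite flags, and the anti-cross-site headers. The header sets are constructed for illustration, not captured from xojo.com.

```python
"""Audit HTTP response headers for HSTS, cookie flags and anti-cross-site
headers, approximating the checks an Observatory-style scanner performs."""

# Constructed sample headers (hypothetical, not captured from any real site).
WEAK_HEADERS = [
    ("Server", "nginx"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

def _get(headers, name):
    """Return every value of a header, case-insensitively, in order."""
    return [v for k, v in headers if k.lower() == name.lower()]

def _cookie_flags(set_cookie_value):
    """Turn 'name=value; Flag; Key=Val' into a lowercase set of attribute names."""
    parts = [p.strip() for p in set_cookie_value.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}

def audit(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    hsts = _get(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append("missing HSTS header")
    else:
        attrs = {p.strip().lower() for p in hsts[0].split(";")}
        max_age = next((a for a in attrs if a.startswith("max-age=")), "max-age=0")
        try:
            if int(max_age.split("=", 1)[1]) < 15552000:  # 180 days
                findings.append("HSTS max-age below 180 days")
        except ValueError:
            findings.append("HSTS max-age is not a number")
    csp = _get(headers, "Content-Security-Policy")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if [v.lower() for v in _get(headers, "X-Content-Type-Options")] != ["nosniff"]:
        findings.append("missing X-Content-Type-Options: nosniff")
    if not _get(headers, "X-Frame-Options") and not any("frame-ancestors" in c for c in csp):
        findings.append("missing clickjacking protection (X-Frame-Options or frame-ancestors)")
    for cookie in _get(headers, "Set-Cookie"):
        flags = _cookie_flags(cookie)
        name = cookie.split("=", 1)[0]
        for flag in ("secure", "httponly", "samesite"):
            if flag not in flags:
                findings.append(f"cookie {name!r} lacks {flag}")
    return findings
```

Run `audit()` over the headers of a real response (for example from `curl -sI https://example.invalid`) to see which of these findings a site would fail before touching its server config.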

Can I email a link in for https://thezaz.com/ and win? It’s A+ & A+ :smiley: (lifted from another thread, hehe)

Just noticed they need to come from a certain area, boo :wink:

@JulianS: Yes, unfortunately this domain doesn’t seem to come from South Westphalia, but Julian, if you manage to come and visit me from the UK, I’ll take you with me for a ride in an airplane. We could reenact the Dam Busters if you’re interested in history. The Möhne is close to my location :slight_smile:

Just think about it: Only 50.000 out of 3 million tested websites on Mozilla.org have an A. The overwhelming majority (2.5 Mio) is F-rated; just 1.6 percent of the websites can be declared safe. This is annoying. These numbers are real, they are not from some SEO optimizing-we-tell-you-anything-you-pay company.

I bet those who are poorly rated simply did not implement SSL …

Michel, yes, SSL would help a lot as a first step. It’s a brick in the huge wall named “Security Concept”. How many servers have implemented SSL encryption but are using old 3DES ciphers? This is why I am using SSL Labs as a second test suite to detect known exploits and check my own implementations of hosted servers.

Tomas, while I understand what you are after, I must point out that while a website for a bank must have the highest security, it is of less importance when all it displays is garments, for instance, and payments are carried out by PayPal, which has its own security.

Not all web sites have their customers log in and keep some personal information. Mine are an example. I purposely don’t log anything, so even if a hacker was to access the site, he would find no address, no name, no credit card number, no password, zilch.

I believe the prism of automatic testing ranking sites without knowing their purpose is valid only within specific parameters you, as a human, must be conscious of.

I would like to agree but I cannot. Just some thoughts about this - call me security-paranoid :wink:

  1. There are several attack vectors that could compromise even a simple informational website with cross-site scripting or - the latest scenario - autofill phishing - a hidden form grabs autofill items of your browser and leaks them to someone else.

  2. Most websites are more like business platforms. They offer account settings, contact forms, payments (even when conducted via PayPal, the information is collected on the website first before being handed over). It would be easy to compromise a contact form or mail-sender script, just as a simple example. Somebody contacted you via your website, but a cross-site script redirected this and is answering your customer by mail or via a fake redirection target: “Thank you, please transfer your money to xyz.”

  3. It’s a matter of trust. Imagine you’ve been hacked and you’ve decided to find a guy who could help you out. Would you trust somebody who offers security but fails with his own website or software in known online pen tests? This is why I love XOJO and the philosophy behind it. The IDE is based on XOJO itself. XOJO eats their own food.

Besides paranoid, you are too narrow-sighted IMHO. All cases you cite imply that the operator of the site is stupid enough to have a weak password. That is not realistic.

But as a friend of mine used to say “It is not because you are paranoid that nobody is following you on the street”.

Well, if you are set to sell security, this is exactly the crying wolf that sells. Scare people, get the dough…

Indeed, Yahoo’s leak of 1 BILLION users’ data is not realistic :wink:

Don’t mix everything. There is a huge difference between a small catalog and that behemoth. Jeez…

[quote=309356:@Michel Bujardet]Besides paranoid, you are too narrow sighted IMHO. All cases you cite imply that the operator of the site be stupid enough to have a weak password. That is not realistic.
[/quote]

You don’t believe how people are dealing with their passwords… By the way, it happened in France last year… http://www.bbc.com/news/world-europe-32248779

You said the operator of the site can’t be stupid enough…
So if a behemoth like Yahoo can fail this way, can you imagine a smaller and less checked site?

I recall that.

But if I may, when one starts digging, a lot of famous cases are less about technical weaknesses than about human stupidity. In the case of France 5 there was a big suspicion it was the result of phishing.

Social engineering like that is far more common a cause of big hacks than other causes.

For everything you can always cite one case. I do hope that most site owners are less stupid than Yahoo. Call me naive, I still have hope in humanity.