Website grades have changed
22 November 2020
Just like your certificates, your websites have a security score too. This has been available in ShadowTrackr for a while, but wasn’t actively used or included in reports or graphs. Since most clients had quite a lot of bad grades, I wasn’t really sure how we should handle this.
No pain, no gain though. Since the goal is to improve your security, at some point these bad grades had to make an entry. That just happened, and quite a few of you will see extra red dots appear on your graphs and under reports.
We’ll start slowly with marking every website graded ‘F’ as a problem. Anything between A and F will be a warning for now (but note that we’ll get stricter at some point in the future). The grades are based on the Mozilla Observatory scores.
So, what do you do now? Work on improving your website security of course! For some quick fixes to get you out of the red, set these HTTP headers in your webserver:
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
If you want even better scores, read up on Content-Security-Policy and Subresource-Integrity.
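To see whether a site is actually out of the red, you need to compare what the server sends with the list above. The following checker is an added example, not part of the original post or of ShadowTrackr; it parses a raw HTTP response head and reports which of the five recommended headers are missing or set weaker than the recommended value. The acceptable Referrer-Policy and X-Frame-Options values, and the one-year HSTS minimum, are assumptions chosen to match the header values given above, not a reproduction of the Mozilla Observatory scoring rules. The two sample responses are constructed.

```python
import re

# Minimum settings recommended in the post, keyed by lower-cased header name.
# (X-XSS-Protection is a legacy header; it is checked here only because the
# post lists it.)
RECOMMENDED = {
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "strict-origin",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}
HSTS_MIN_AGE = 31536000  # one year, as in the recommended HSTS header (assumption)

# Assumed set of "good enough" values: policies that never leak the full URL
# to other origins, and framing restricted to the same origin or denied.
GOOD_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}
GOOD_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}


def parse_raw_headers(raw: str) -> dict:
    """Turn a raw HTTP response head into {lower-cased name: value}.

    The status line is skipped and parsing stops at the first blank line.
    Header names are case-insensitive, hence the lower-casing.
    """
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_ok(value: str) -> bool:
    """True when max-age is present and at least one year."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= HSTS_MIN_AGE


def check_headers(headers: dict) -> dict:
    """Classify each recommended header as missing, weak or ok."""
    result = {"missing": [], "weak": [], "ok": []}
    for name, wanted in RECOMMENDED.items():
        if name not in headers:
            result["missing"].append(name)
            continue
        value = headers[name]
        if name == "strict-transport-security":
            good = hsts_ok(value)
        elif name == "x-frame-options":
            good = value.upper() in GOOD_FRAME_OPTIONS
        elif name == "referrer-policy":
            good = value.lower() in GOOD_REFERRER_POLICIES
        else:
            # Exact match, ignoring whitespace and case.
            good = value.replace(" ", "").lower() == wanted.replace(" ", "").lower()
        result["ok" if good else "weak"].append(name)
    return result


# Constructed sample: a typical "F" candidate, with two headers present but weak.
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "X-Frame-Options: ALLOWALL",
    "Strict-Transport-Security: max-age=300",
    "",
])

# Constructed sample: the same site after applying the five quick fixes.
FIXED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "X-XSS-Protection: 1; mode=block",
    "Referrer-Policy: strict-origin",
    "X-Frame-Options: SAMEORIGIN",
    "X-Content-Type-Options: nosniff",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "",
])

if __name__ == "__main__":
    for label, raw in (("before", WEAK_RESPONSE), ("after", FIXED_RESPONSE)):
        print(label, check_headers(parse_raw_headers(raw)))
```

In practice you would feed the head of a real response (for instance the output of `curl -sI https://your-site`) into `parse_raw_headers`; anything listed under `missing` or `weak` is what to fix first.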
Add your own private certificate authority
01 November 2020
Also, the GUI had a big update this week. But first the private CA thing. One client has numerous test systems facing the internet on which they use certificates issued by a private Certificate Authority. If you can add the CA manually to the browsers used for testing, that works fine of course. The thing is, since that CA is not known to monitoring services like ShadowTrackr, it will affect your grade. This client had quite the list of trust issues in their certificate report. Since this was intended behaviour, they asked for the option to ignore these.
If you have a similar issue, you can now add your own trusted certificate issuers under Settings->General. Any certificate from such an issuer will be treated and scored as if the issuer were part of the trust list, and it will be graded without looking at the trust issue. The names of the certificate issuers you manually add to your ShadowTrackr trust list will appear in green everywhere (instead of blue), so they are easy to recognise later on.
The rest of this update was all about making the user interface more consistent. The weekly pdf had some major improvements, and we made the same changes under the reports section. This makes it much easier to find the problems from your report in the online version and look up more context.
Since the problems are now appearing under reports, the problem section in the menu has become redundant and is removed. The format of all online reports has also changed and all reports now use the same layout. This makes the UI much more consistent and easier to understand.
Weekly pdf report additions
25 October 2020
Last week you saw our brand new weekly report. We got a lot of positive reactions, and a few bugs. The bugs are fixed in this week’s version, and we’ve added two new report items to both the pdf and the web interface.
The first is “Cloud providers detected”. Some of you are interested to know in which clouds your assets live. Since our scanning nodes are already tracking those, it was easy to add an overview. You’ll see a list of cloud services, each followed by the domains that are hosted there.
The second new item is “Datadump & code repository detections”. ShadowTrackr monitors a list of data dump sites (like Pastebin) and code repositories (like GitHub) for the keywords you have given us. Since this week, we also automatically check whether any of your domains are referenced in these sources. Both keyword and domain hits will be listed.
Enjoy the new version!