Bing dot com - You would not believe this until you see the scan results!

Seems that many a server is still vulnerable to the so-called DROWn attack and this one also has insecure security header configuration!
Checked this and it fits the Hall of Shame: https://securityheaders.io/?q=https%3A%2F%2Fbing.com
Results for bing.com
Sites that use the certificates below are vulnerable to eavesdropping. Attackers may be able to decrypt recorded traffic and steal data.
Update server software at all IP addresses shown, and ensure SSLv2 is disabled.
Would you believe these results?
https://test.drownattack.com/?site=bing.com :o supports SSLv2 export ciphers

polonus

Take a look ast this:

https://securityheaders.io/?q=https%3A%2F%2Fjobboerse.arbeitsagentur.de%2F

Our countries employment Exchange…

Take a look at your PMs please, even worse.

Only caching headers are securely implemented.
This seems reasonable: http://toolbar.netcraft.com/site_report?url=https://jobboerse.arbeitsagentur.de (on a bad zone)
PFS not implemented and SSL3 not supported.
DNS seems OK: http://www.dnsinspect.com/arbeitsagentur.de/1459176122
The use of Dojo on the website certainly expands the attack surface considerably:
Dojo exploits https://www.exploit-db.com/exploits/33764/ & https://www.cvedetails.com/vulnerability-list/vendor_id-7641/product_id-12940/Dojotoolkit-Dojo.html

pol

Update Another big alt-news site, of which you would not believe the potential CMS insecurity!

What site, well see here: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=ip73.ip-149-56-231.net&ref_sel=GSP2&ua_sel=ff&fs=1 redirects to →
-http://adserver.adtechus.com/adserv/3.0/5235/2562505/0/170/ADTECH;cookie=info;loc=300;key=key1http://aka-cdn-ns.adtechus.com/images/AT170_300x250_4.gif for -https://www.prisonplanet.com/ (uBlock Origin will block adserver dot adtechus dot com).

CMS Outdated WordPress Version
4.7
Version does not appear to be latest 4.8.3 - update now.

These settings are wrong, admin Tim: Warning User Enumeration is possible
The first two user ID’s were tested to determine if user enumeration is possible.

ID User Login
1 admin admin
2 Tim tim
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

One plug-in outdated: wp-super-cache 1.4.9 latest release (1.5.8) Update required
https://wordpress.org/plugins/wp-super-cache/

See privacy score, security headers not set, attack vulnerability: https://privacyscore.org/site/34971/
1 hidden Flash cookie tracking.

Oh and a retirable vuln. jQuery library detected: http://retire.insecurity.today/#!/scan/50d7a1d0cb3d0054eddc556cb4ed3938f3fef02dae0691ea7cc0d4c008ad8b65

Tracking can it be avoided, I think it has almost become impossible, but security could be better upheld!

polonus (volunteer website security analyst and website error-hunter)