The Interwebs can be an insecure and sometimes “scary” place.
See how this site fell victim to mass defacement: http://killmalware.com/sasmode.com/#
while Google Safe Browsing blacklisted it for phishing. Go over here: http://toolbar.netcraft.com/site_report?url=http://sasmode.com
Now see a chain of scan events develop that does not make us overly enthusiastic about the overall security situation of the Internet.
(remarks by me, polonus)
We stumble upon a collection of scripts like these being loaded (Facebook):
Script loaded: -https://static.xx.fbcdn.net/rsrc.php/v2/yP/r/D7aV-zChJ6K.js
Script loaded: -https://static.xx.fbcdn.net/rsrc.php/v2/y5/r/8WZ9hgfBhS7.js
Script loaded: -https://static.xx.fbcdn.net/rsrc.php/v2ilGs4/yi/l/en_US/4qrD3y3yvmJ.js
Script loaded: -https://static.xx.fbcdn.net/rsrc.php/v2i1EQ4/y1/l/en_US/MVPtmVbCShi.js
Script loaded: -https://static.xx.fbcdn.net/rsrc.php/v2/ye/r/7PKktC35Nw6.js
Script loaded: -https://static.xx.fbcdn.net/rsrc.php/v2iHoX4/yv/l/en_US/k3PsNK4Ozcc.js
Script loaded: -https://static.xx.fbcdn.net/rsrc.php/v2/yI/r/7ni7Jt-VdpR.js
Script loaded: -https://static.xx.fbcdn.net/rsrc.php/v2/yJ/r/-MUfRKA9o0a.js
Script loaded: -https://static.xx.fbcdn.net/rsrc.php/v2iLkL4/yD/l/en_US/wKnsjrOHxP4.js
Script loaded: -https://static.xx.fbcdn.net/rsrc.php/v2/yZ/r/5HrtazP4FzJ.js
Also consider the scan here: https://urlquery.net/report.php?id=1463518357070
Then from the certificate crypto report we have to conclude that Facebook offers RC4:
This server uses the RC4 cipher algorithm which is not secure. Disable the RC4 cipher suite and update the server software to support the Advanced Encryption Standard (AES) cipher algorithm. Contact your web server vendor for assistance.
For which we get a warning.
Not a very bold security configuration:
- Strict Transport Security (HSTS): Not Enabled
- SSL/TLS compression: Not Enabled
- Heartbeat (extension): Not Enabled
- RC4: Enabled
- OCSP stapling: Not Enabled
So it is good that the website was blacklisted and blocked. I would also be cautious using data over -https://static.xx.fbcdn.net/
It could be "somewhat more secure", to word it politely.
polonus (volunteer website security analyst and website error-hunter)
P.S. So there are two forms of insecurity around:
- insecurity because of not-knowing-how-to: incompetence or not being properly trained, or
- insecurity by clever design, to be able to better perform surveillance, or the one posing as the other...
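As an added example (my own illustration, not code from polonus' post or from any of the scanners he links), here is how one can turn a posture report in exactly the "Key:" / "Enabled|Not Enabled" shape quoted above into findings, and how to evaluate a Strict-Transport-Security header properly rather than just noting whether one is present. The report text below is constructed from the values in the post; the severity policy and the one-year max-age threshold are my assumptions (hstspreload.org requires at least one year for preloading).

```python
"""Assess a TLS posture report and an HSTS header (added example, not the post's own code)."""
import re

# Constructed input: the same five items and values quoted in the post above.
SAMPLE_REPORT = """\
Strict Transport Security (HSTS):
Not Enabled
SSL/TLS compression:
Not Enabled
Heartbeat (extension):
Not Enabled
RC4:
Enabled
OCSP stapling:
Not Enabled
"""

def parse_report(text):
    """Parse alternating 'Key:' / 'Value' lines into {key: True if Enabled else False}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("report must consist of key/value line pairs")
    out = {}
    for key, val in zip(lines[0::2], lines[1::2]):
        key = key.rstrip(":")
        if val not in ("Enabled", "Not Enabled"):
            raise ValueError(f"unexpected value {val!r} for {key}")
        out[key] = (val == "Enabled")
    return out

# Assumed policy: desired state per item and why it matters.
POLICY = {
    "RC4": (False, "RC4 keystream biases allow plaintext recovery; RFC 7465 prohibits it"),
    "SSL/TLS compression": (False, "TLS compression enables CRIME-style plaintext recovery"),
    "Heartbeat (extension)": (False, "not needed over TCP; exposure surface for Heartbleed-class bugs"),
    "Strict Transport Security (HSTS)": (True, "without HSTS a first request can be downgraded to plain HTTP"),
    "OCSP stapling": (True, "without stapling, revocation checks soft-fail or leak browsing to the CA"),
}

def assess(report):
    """Return (item, severity, reason) for each setting deviating from POLICY.
    A dangerous feature that is enabled is FAIL; a missing hardening is WARN."""
    findings = []
    for item, (want_enabled, reason) in POLICY.items():
        if item not in report:
            findings.append((item, "INFO", "not covered by report"))
        elif report[item] != want_enabled:
            findings.append((item, "FAIL" if not want_enabled else "WARN", reason))
    return findings

def parse_hsts(header):
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1.
    Returns None when the header is invalid (no numeric max-age, or a directive
    repeated, which RFC 6797 says makes the whole header ineligible)."""
    seen = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')   # directive values may be quoted-strings
        if name in seen:
            return None                   # directives MUST NOT appear more than once
        seen[name] = value
    if not re.fullmatch(r"\d+", seen.get("max-age", "")):
        return None
    return {
        "max_age": int(seen["max-age"]),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }

ONE_YEAR = 31536000   # assumed minimum; hstspreload.org requires at least this

def hsts_finding(header):
    """Classify an HSTS header: absent -> WARN, malformed -> FAIL, weak -> WARN, else OK."""
    if header is None:
        return ("WARN", "no HSTS header")
    parsed = parse_hsts(header)
    if parsed is None:
        return ("FAIL", "malformed HSTS header; browsers ignore it")
    if parsed["max_age"] == 0:
        return ("WARN", "max-age=0 clears the policy")
    if parsed["max_age"] < ONE_YEAR:
        return ("WARN", f"max-age {parsed['max_age']} is shorter than one year")
    return ("OK", "HSTS policy set")

if __name__ == "__main__":
    for item, sev, reason in assess(parse_report(SAMPLE_REPORT)):
        print(f"{sev:4} {item}: {reason}")
    print(hsts_finding("max-age=31536000; includeSubDomains; preload"))
```

Run against the quoted report this produces one FAIL (RC4 enabled) and two WARNs (HSTS and OCSP stapling not enabled); the compression and Heartbeat lines produce nothing because they are already in the desired state. The HSTS parser rejects a repeated directive rather than taking the first or last value, because that is what a conforming browser does, so a header that "looks present" in a scanner can still give no protection.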