Insecurity chain - security issues - abuse - non-secure Facebook RC4 cipher!

The Interwebs can be an insecure and sometimes “scary” place.
See how this site fell victim to mass defacement: http://killmalware.com/sasmode.com/#
while Google Safe Browsing blacklisted it for phishing. Going over here: http://toolbar.netcraft.com/site_report?url=http://sasmode.com

Now see a chain of scan events develop that does not make us overly enthusiastic about the overall security situation of the Internet.
(remarks by me, polonus)

We stumble on a collection of scripts like these being loaded (Facebook):

Also consider the scan here: https://urlquery.net/report.php?id=1463518357070

Then from the certificate crypto report we have to conclude that Facebook offers RC4:
This server uses the RC4 cipher algorithm which is not secure. Disable the RC4 cipher suite and update the server software to support the Advanced Encryption Standard (AES) cipher algorithm. Contact your web server vendor for assistance.
For which we get a warning.
Not very bold security configuration:

    • Strict Transport Security (HSTS): Not Enabled
    • SSL/TLS compression: Not Enabled
    • Heartbeat (extension): Not Enabled
    • RC4: Enabled
    • OCSP stapling: Not Enabled
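As an added example (not from the post, and not the scanned site's real configuration), here is how the findings above look as an nginx server block, the weak state first and a hardened one second: RC4 removed from the offered suites, HSTS sent, OCSP stapling turned on. example.com, the certificate paths and the resolver are placeholders.

```nginx
# Added example, not from the original post. Weak state mirrors the scan
# report (RC4 enabled, HSTS and OCSP stapling not enabled); the second
# block is the corrected form. Hostnames/paths are placeholders.

# --- Weak: what the scan reported ---
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/example.com.key;   # placeholder path
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # RC4 still offered: a client can negotiate it
    ssl_ciphers 'RC4-SHA:AES128-SHA:AES256-SHA';
    ssl_stapling off;                               # OCSP stapling: Not Enabled
    # no Strict-Transport-Security header: HSTS Not Enabled
}

# --- Hardened: RC4 out, HSTS on, OCSP stapling on ---
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/example.com.key;   # placeholder path
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # AES-GCM suites only; !RC4 keeps the exclusion explicit if the list
    # is widened later
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!RC4:!aNULL:!MD5';
    # OCSP stapling: the OCSP response travels with the handshake
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example.com.chain.pem;  # placeholder path
    resolver 127.0.0.53;                            # placeholder resolver
    # HSTS: browsers refuse plain HTTP for this host for six months
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
}
```

After a reload, `openssl s_client -connect example.com:443 -cipher RC4` against your own server should no longer complete a handshake, and a rescan should report RC4: Not Enabled with HSTS and OCSP stapling Enabled.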

So good that website was blacklisted and blocked. I would also be cautious using data over -https://static.xx.fbcdn.net/;
it could be “somewhat more secure”, to word it politely.

polonus (volunteer website security analyst and website error-hunter)

P.S. So there are two forms of insecurity around:

    • insecurity because of not-knowing-how-to - incompetence or not being properly trained or
    • insecurity by clever design to be able to better perform surveillance or the one posing as the other…

D

Google is now leaving RC4 for Gmail.
Why are Twitter and Facebook still clinging to RC4?
It is all a matter of cost evaluation over security.
Run the following command from shell/terminal:
openssl speed rsa
And from the results you will see that RC4 is 3.6 times faster in operation.
And that translates into dollars, doesn't it?

polonus