Aftermath of Logjam

Last week the logjam attack was disclosed. An attack on TLS which is used in many protocol including including HTTPS, SSH, IPsec, SMTPS … The attack relies on the fact that it is possible to negotiate inferior keys for the Diffie-Hellman key exchange. An nice explanation has been put together by cloudflare

We are currently creating PatrolServer, a webapp that will check servers for potential outdated software and possible exploits. This TLS attack was a nice welcome for us to test our capabilities and what we can expect from such a webapp. We created a small scanner where people could provide and test their website/server.

Since it was our first time, it took quite some time before our scanner was ready. We weren’t prepared and still had to make a small infrastructure for this one-off test and add a little bit of a decent layout. Half a day after the facts we were live and we could redirect people to our tool and hope they would fix their server.

“To measure is to know”Sir William Thomson

Our first objective on getting people to test their server went smoothly. Over three days we were just short of testing 2000 unique servers. In most cases their own server, but some people also were naughty enough to test corporate servers like google, gmail, banks, yahoo, reddit … We even had somebody out of Toledo (Spain) abusing the system to generate a list of all vulnerable sites. Upon detection he was off course banned. Some ideas came to mind like always returning either vulnerable or not vulnerable or even returning random results. Though we decided to just hide the results. Maybe we can do something alike next time. We also got a request on twitter (twitter.com/patrolserver) to enable SNI hosts. Which we didn’t supported at the time. We want to thanks everybody that used the tool and the suggestions. Always appreciated.

“Those who have the privilege to know have the duty to act.” — Albert Einstein

The second objective, the paramount goal of our little startup, is to get people to fix their servers. The Open Web Application Security Project (OWASP) scored server misconfiguration and not updating servers on the fifth position in their top 10 web application security list. On our tool we saw a lot of servers were outdated. We saw that 30% of our tests returned an affected state.

A week later we reran the list to see how things have progressed and saw only one server that actually fixed the problem afterwards. That is quite low. People know their server has a problem, but they don’t act on it. We assume that is something we will also see in the full webapp. The biggest goal of PatrolServer, after reporting issues with a server, will be to engage people to fix the issues. How is a bigger question. We are still trying to figure that part out. We already have a lot of ideas, but also need to find the right balance between annoying people and being helpful about vulnerabilities. If you got a suggestion please let us know!

Closing remarks: PatrolServer is getting actively developed. The platform to detect outdated software is in place. We already have support for some software, but we still want to increase the list. The frontend has gotten some layout love, which isn’t quite finished yet. In the close future we will probably start a closed or open beta in order to get some early feedback. Anybody wanting to get notified about this milestone and/or anybody wanting to test drive the platform on their server can enter their email address here:
[smlsubform]