overleaf
Tighten SSL security on nging proxy
The current configuration of nginx is obsolete and need to be reviewed to reduce attack surface.
Steps to Reproduce
Use overleaf with nginx proxy Use https://testssl.sh for testing
Expected Behaviour
Security of the product will be greatly improved.
Observed Behaviour
Here some partial results of my security audit:
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered (deprecated) TLS 1.1 offered (deprecated) TLS 1.2 offered (OK) TLS 1.3 not offered and downgraded to a weaker protocol NPN/SPDY http/1.1 (advertised) ALPN/HTTP2 http/1.1 (offered)
Testing cipher categories
NULL ciphers (no encryption) not offered (OK) Anonymous NULL Ciphers (no authentication) not offered (OK) Export ciphers (w/o ADH+NULL) not offered (OK) LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK) Triple DES Ciphers / IDEA not offered Obsolete CBC ciphers (AES, ARIA etc.) offered Strong encryption (AEAD ciphers) offered (OK)
Testing vulnerabilities
Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension CCS (CVE-2014-0224) not vulnerable (OK) Ticketbleed (CVE-2016-9244), experiment. not vulnerable (OK) ROBOT not vulnerable (OK) Secure Renegotiation (RFC 5746) supported (OK) Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) BREACH (CVE-2013-3587) no HTTP compression (OK) - only supplied "/" tested POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK) SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services https://search.censys.io/search?resource=hosts&virtual_hosts=INCLUDE&q=AC9987FC38611AA90865FE2BEDF9F504AF51BA806976F0B59354C2C38A70C699 LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES128-SHA AES128-SHA ECDHE-RSA-AES256-SHA AES256-SHA VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated) LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK)
Running client simulations (HTTP) via sockets
Android 6.0 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) Android 7.0 (native) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 256 bit ECDH (P-256) Android 8.1 (native) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) Android 9.0 (native) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) Android 10.0 (native) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) Android 11 (native) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) Android 12 (native) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) Chrome 79 (Win 10) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) Chrome 101 (Win 10) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) Firefox 66 (Win 8.1/10) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) Firefox 100 (Win 10) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) IE 6 XP No connection IE 8 Win 7 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256) IE 8 XP No connection IE 11 Win 7 TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256) IE 11 Win 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256) IE 11 Win Phone 8.1 TLSv1.2 ECDHE-RSA-AES128-SHA256, 256 bit ECDH (P-256) IE 11 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) Edge 15 Win 10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 253 bit ECDH (X25519) Edge 101 Win 10 21H2 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) Safari 12.1 (iOS 12.2) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) Safari 13.0 (macOS 10.14.6) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) Safari 15.4 (macOS 12.3.1) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256) Java 8u161 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) Java 11.0.2 (OpenJDK) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) Java 17.0.3 (OpenJDK) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) go 1.17.8 TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) LibreSSL 2.8.3 (Apple) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) OpenSSL 1.1.1d (Debian) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) OpenSSL 3.0.3 (git) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) Apple Mail (16.0) TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) Thunderbird (91.9) TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
Analysis
The solution requires modifications in nginx.conf to remove the vulnerabilities outlined in bold/italic above
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
#ssl_ciphers ECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY>
DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
The following will not function with overleaf anymore, however I wonder if this is still in use:
IE 6 XP No connection
IE 8 Win 7 No connection
IE 8 XP No connection
IE 11 Win 7 No connection
IE 11 Win 8.1 No connection
IE 11 Win Phone 8.1 No connection
