Examples of "vulnerability" reports I've received:
- Dump of CVEs for "Web App X" or "Server X", even though literally zero of them apply to the version that I'm currently running.
- Dumps of port scans with warnings like "Running SSH on port 22 is not recommended" and "Server accepts HTTP. Always use HTTPS".
I assume there are tools that generate these reports because the reports use decent English but the accompanying emails are written in very broken English.
What's the justification for running a host that responds to HTTP and doesn't immediately upgrade to HTTPS?
I'm having a hard time imagining a scenario where I manage a web server that is accessible to anonymous people running pen scanners on it that has a justifiable reason for broadcasting port 80.
No, that's the point, the generation script recognizes that the server issues an HTTP-compliant response (which 301 Moved Permanently is) on port 80 and dumbly generates that false-positive, not understanding that the only responses on port 80 are to upgrade to HTTPS.
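A scanner that only checks "port 80 answered with HTTP" cannot tell the redirect-only listener described above from a server actually serving plaintext content. The following is an added example (not code from anyone in this thread) of the distinction a triage script should make: it parses a raw port-80 response and classifies it as an HTTPS upgrade on the expected host, a redirect elsewhere, or real content. The hostnames and responses are constructed samples, not captures from any real server.

```python
from urllib.parse import urlsplit

# Constructed sample responses (not captured from any real host).
REDIRECT_ONLY = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://example.test/\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)
SERVES_CONTENT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 13\r\n\r\n"
    b"<html></html>"
)
OFF_HOST_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://other.test/login\r\n\r\n"
)

def classify_port80(raw: bytes, expected_host: str) -> str:
    """Classify a raw HTTP response received on port 80.

    Returns one of:
      'upgrade-to-https'   - redirect whose Location is https:// on expected_host
      'redirect-elsewhere' - redirect to another scheme or host (worth a look)
      'serves-content'     - any non-redirect response (the real finding)
      'unparseable'        - not an HTTP/1.x status line
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or not parts[1].isdigit():
        return "unparseable"
    status = int(parts[1])
    # Header names are case-insensitive; normalise to lowercase.
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status not in (301, 302, 303, 307, 308):
        return "serves-content"
    loc = urlsplit(headers.get("location", ""))
    # urlsplit lowercases hostname, so compare against the lowercased expectation.
    if loc.scheme == "https" and loc.hostname == expected_host.lower():
        return "upgrade-to-https"
    return "redirect-elsewhere"
```

Only the 'serves-content' case is the weakness the canned "Always use HTTPS" warning is meant to describe; a Strict-Transport-Security header seen on this plaintext response should not be credited, because browsers honour HSTS only when it arrives over HTTPS.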
Could you elaborate on this? I'm curious as to how a setup like this would work in practice. Many people in my family live in rural areas so the topic of restricted bandwidth/poor connection quality is of great interest to me.
“But there I stood anyway, hoping my requests to load simple web pages would bear fruit, and I could continue teaching basic web principles to a group of vocational students. Because Wikipedia wouldn’t cache. Google wouldn’t cache. Meyerweb wouldn’t cache. Almost nothing would cache.
Why?
HTTPS.”
Thanks for the excellent link, discussed on HN a while ago [1]. For those that think an sslstripping proxy would solve it, please remember that this would degrade the security for requests that really have to be encrypted.