Batista R. Harahap

SSL Audit - Top Indonesian Websites

I came across Qualys SSL Labs a few minutes ago while reading through Hacker News. It immediately triggered my interest in questioning how secure the top websites in Indonesia are when it comes to their SSL.

Urbanesia

Since I am at Urbanesia, the first place to go is clear. I typed in Urbanesia.com and the initial audit result was "needs more work".

So the audit results came back as a B. The server didn't mitigate the BEAST attack, and that's the main reason the grade was dropped. After a little digging, the ciphers were the culprit, and to mitigate the problem nginx needs to be configured as below.

As it turns out, after putting the configuration into play, Urbanesia was still getting a B due to BEAST non-mitigation. The resources out there imply the above configuration, so I'll have to settle for a B until further digging.
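The nginx lines the post refers to are not reproduced on the page, so what follows is an added example and not the author's configuration. What SSL Labs' BEAST check looked for in 2013 was server-side cipher ordering that steers SSL 3.0 and TLS 1.0 clients onto a non-CBC suite, which in practice meant RC4 first. In nginx that needs both a stream cipher at the head of `ssl_ciphers` and `ssl_prefer_server_ciphers on;`, because that directive defaults to off and is the piece most often missing when a "fixed" server still reports Non-mitigated. The script below embeds three constructed stanzas (hypothetical server names, paths and cipher lists) and runs a small static check over each; the nginx defaults it assumes for absent directives are those of the period and are marked as assumptions in the code.

```python
import re

# Three constructed nginx stanzas (hypothetical names and paths). The weak one
# shows a common 2013 pitfall: RC4 heads the cipher list, but nginx's
# ssl_prefer_server_ciphers defaults to off, so the client's ordering wins and
# a TLS 1.0 browser still negotiates an AES-CBC suite.
WEAK_STANZA = """
server {
    listen 443 ssl;
    server_name www.example.test;
    ssl_certificate     /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
}
"""

# What the SSL Labs check of the time accepted: server ordering enforced and a
# stream cipher first, so SSL 3.0 / TLS 1.0 clients are steered off CBC.
MITIGATED_STANZA = """
server {
    listen 443 ssl;
    server_name www.example.test;
    ssl_certificate     /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
"""

# The durable fix: drop the protocol versions that use the chained-IV CBC
# construction at all and prefer AEAD suites, so no RC4 is needed.
NO_CBC_STANZA = """
server {
    listen 443 ssl;
    server_name www.example.test;
    ssl_certificate     /etc/nginx/ssl/example.crt;
    ssl_certificate_key /etc/nginx/ssl/example.key;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
"""

# Assumed nginx defaults of the period, used only when a directive is absent.
DEFAULT_PROTOCOLS = "SSLv3 TLSv1 TLSv1.1 TLSv1.2"
DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"
# Versions with the chained-IV CBC construction BEAST exploits; TLS 1.1+ use explicit IVs.
BEAST_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}


def directive(stanza, name):
    """Value of the first `name value;` directive in the stanza, or None."""
    pattern = r"^\s*" + re.escape(name) + r'\s+"?([^;"]+?)"?\s*;'
    match = re.search(pattern, stanza, re.M)
    return match.group(1).strip() if match else None


def assess_beast(stanza):
    """Decide whether the stanza steers SSL 3.0 / TLS 1.0 clients off CBC.

    Returns {"beast_mitigated": bool, "findings": [str, ...]}.
    """
    protocols = set((directive(stanza, "ssl_protocols") or DEFAULT_PROTOCOLS).split())
    ciphers = directive(stanza, "ssl_ciphers") or DEFAULT_CIPHERS
    prefer = (directive(stanza, "ssl_prefer_server_ciphers") or "off").lower() == "on"
    findings = []

    exposed = sorted(protocols & BEAST_PROTOCOLS)
    if not exposed:
        findings.append("no SSL 3.0 / TLS 1.0 enabled: the BEAST CBC construction is unreachable")
        return {"beast_mitigated": True, "findings": findings}

    # The head of the list is what a server-ordering server picks first;
    # skip OpenSSL exclusion/modifier tokens such as !aNULL.
    head = next((t for t in ciphers.split(":") if not t.startswith(("!", "-", "+"))), "")
    stream_first = "RC4" in head

    if not prefer:
        findings.append("ssl_prefer_server_ciphers is off (nginx default): the client's ordering "
                        "decides, so %s clients typically land on AES-CBC" % ", ".join(exposed))
    if not stream_first:
        findings.append("first cipher spec is %r, not a stream cipher: even with server "
                        "ordering, %s clients get CBC" % (head, ", ".join(exposed)))
    if "RC4" in ciphers:
        findings.append("RC4 is offered: it sidesteps BEAST but has keystream biases of its "
                        "own; disabling SSLv3/TLSv1 is the durable fix")
    return {"beast_mitigated": prefer and stream_first, "findings": findings}


if __name__ == "__main__":
    for label, stanza in (("weak", WEAK_STANZA), ("mitigated", MITIGATED_STANZA), ("no-cbc", NO_CBC_STANZA)):
        result = assess_beast(stanza)
        print(label, "mitigated" if result["beast_mitigated"] else "NOT mitigated")
        for finding in result["findings"]:
            print("  -", finding)
```

The check is deliberately static: it reads the config rather than probing the port, so it can be run against a stanza before it is deployed. The RC4 finding is the caveat that matters today: prioritising RC4 satisfied the BEAST test of the time, but RC4 has keystream biases of its own, and turning off SSL 3.0 and TLS 1.0 removes the vulnerable CBC construction without leaning on a weak stream cipher.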

Top Websites

So I was curious how other websites in Indonesia grade. I went ahead and did more testing; the report as of 27 June 2013 03:53:00 GMT+7 follows this paragraph.

Kaskus

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=kaskus.co.id
Domain: kaskus.co.id
Grade: B
Certificate: 100
Protocol Support: 90
Key Exchange: 80
Cipher Strength: 90
BEAST: Non-mitigated

Detik

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=detik.com
Domain: detik.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support

Detik Connect

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=connect.detik.com
Domain: connect.detik.com
Grade: B
Certificate: 100
Protocol Support: 90
Key Exchange: 80
Cipher Strength: 90
BEAST: Non-mitigated

Kompas

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=kompas.com
Domain: kompas.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support

Kompas Logins

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=login.kompas.com
Domain: login.kompas.com
Grade: A
Certificate: 100
Protocol Support: 85
Key Exchange: 90
Cipher Strength: 90
BEAST: Non-mitigated

Update 28 June 2013: Kompas has since fixed this and is now getting a big A. But there is one more thing they can do: update their OpenSSL library to support a newer TLS version. Overall, a fast response and decisive, A-earning action.

TokoBagus

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=tokobagus.com
Domain: tokobagus.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support

Berniaga

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=berniaga.com
Domain: berniaga.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support

Tokopedia

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=tokopedia.com
Domain: tokopedia.com
Grade: A
Certificate: 100
Protocol Support: 90
Key Exchange: 80
Cipher Strength: 90
BEAST: Mitigated

Update 27 June 2013 13:28:00: William responded on Facebook and reworked Tokopedia's SSL implementation to upgrade their score from B to A. Swift and precise measures; the others (including Urbanesia) should take Tokopedia as an example.

Bhinneka

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=bhinneka.com
Domain: bhinneka.com
Grade: F
Certificate: 100
Protocol Support: 0
Key Exchange: 90
Cipher Strength: 90
BEAST: Non-mitigated

LivingSocial

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=livingsocial.co.id
Domain: livingsocial.co.id
Grade: B
Certificate: 100
Protocol Support: 85
Key Exchange: 80
Cipher Strength: 90
BEAST: Non-mitigated
Note: Does not support TLS 1.2

Disdus

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=disdus.com
Domain: disdus.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support

Lazada

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=lazada.co.id
Domain: lazada.co.id
Grade: A
Certificate: 100
Protocol Support: 85
Key Exchange: 90
Cipher Strength: 90
BEAST: Mitigated
Note: Does not support TLS 1.2

Blibli

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=blibli.com
Domain: blibli.com
Grade: B
Certificate: 100
Protocol Support: 90
Key Exchange: 90
Cipher Strength: 90
BEAST: Non-mitigated

Tiket

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=tiket.com
Domain: tiket.com
Grade: A
Certificate: 100
Protocol Support: 90
Key Exchange: 90
Cipher Strength: 90
BEAST: Mitigated

Update 28 July 2013: Tiket.com now scores an A with 100/90/90/90 across the board.

Tiket2

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=tiket2.com
Domain: tiket2.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support

Lion Air

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=secure2.lionair.co.id
Domain: secure2.lionair.co.id
Grade: C
Certificate: 100
Protocol Support: 85
Key Exchange: 40
Cipher Strength: 60
BEAST: Mitigated

Garuda Indonesia

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=booking.garuda-indonesia.com
Domain: booking.garuda-indonesia.com
Grade: F
Certificate: 100
Protocol Support: 87
Key Exchange: 0
Cipher Strength: 80
BEAST: Mitigated

Air Asia

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=airasia.com
Domain: airasia.com
Grade: C
Certificate: 100
Protocol Support: 90
Key Exchange: 40
Cipher Strength: 60
BEAST: Non-mitigated

KlikBCA

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=ibank.klikbca.com
Domain: ibank.klikbca.com
Grade: A
Certificate: 100
Protocol Support: 90
Key Exchange: 90
Cipher Strength: 90
BEAST: Mitigated

Bank Mandiri

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=ib.bankmandiri.co.id
Domain: ib.bankmandiri.co.id
Grade: A
Certificate: 100
Protocol Support: 85
Key Exchange: 90
Cipher Strength: 90
BEAST: Mitigated
Note: Does not support TLS 1.2

CIMB Clicks

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=www.cimbclicks.co.id
Domain: www.cimbclicks.co.id
Grade: A
Certificate: 100
Protocol Support: 90
Key Exchange: 90
Cipher Strength: 90
BEAST: Mitigated

Veritrans

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=payments.veritrans.co.id
Domain: payments.veritrans.co.id
Grade: B
Certificate: 100
Protocol Support: 90
Key Exchange: 90
Cipher Strength: 90
BEAST: Non-mitigated

iPaymu

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=my.ipaymu.com
Domain: my.ipaymu.com
Grade: B
Certificate: 100
Protocol Support: 85
Key Exchange: 80
Cipher Strength: 90
BEAST: Non-mitigated
Note: Checked the domain used for iPaymu's API transactions

Doku

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=doku.com
Domain: doku.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support

Finpay

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=portalfinpay.com
Domain: portalfinpay.com
Grade: SSL Certificate Mismatch
Certificate: SSL Certificate Mismatch
Protocol Support: SSL Certificate Mismatch
Key Exchange: SSL Certificate Mismatch
Cipher Strength: SSL Certificate Mismatch
BEAST: SSL Certificate Mismatch

Midazz

SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=midazz.com
Domain: midazz.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support
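To make the four sub-scores on each record less opaque, here is an added example (mine, not part of the original post) that recomputes the letter grade from them. The weights and thresholds are those of Qualys' SSL Server Rating Guide (2009 edition, the one in force in mid-2013): protocol support 30%, key exchange 30%, cipher strength 40%; A at 80 or above, B at 65, C at 50, D at 35, E at 20, otherwise F; a zero in any weighted category is an automatic F, and the certificate is a gate rather than a weight. The cap at B for servers reported as "BEAST: Non-mitigated" is not in that guide; it is inferred from the page's own results (blibli.com and payments.veritrans.co.id at 100/90/90/90 still get a B) and is marked as an assumption in the code. The sample records are copied from the report above; login.kompas.com (listed as A while Non-mitigated) does not fit the cap and is left out.

```python
# (domain, reported grade, certificate, protocol support, key exchange,
#  cipher strength, BEAST) as copied from the report above.
REPORT = [
    ("kaskus.co.id",                 "B", 100, 90, 80, 90, "Non-mitigated"),
    ("tokopedia.com",                "A", 100, 90, 80, 90, "Mitigated"),
    ("bhinneka.com",                 "F", 100,  0, 90, 90, "Non-mitigated"),
    ("livingsocial.co.id",           "B", 100, 85, 80, 90, "Non-mitigated"),
    ("lazada.co.id",                 "A", 100, 85, 90, 90, "Mitigated"),
    ("blibli.com",                   "B", 100, 90, 90, 90, "Non-mitigated"),
    ("secure2.lionair.co.id",        "C", 100, 85, 40, 60, "Mitigated"),
    ("booking.garuda-indonesia.com", "F", 100, 87,  0, 80, "Mitigated"),
    ("airasia.com",                  "C", 100, 90, 40, 60, "Non-mitigated"),
    ("ibank.klikbca.com",            "A", 100, 90, 90, 90, "Mitigated"),
    ("payments.veritrans.co.id",     "B", 100, 90, 90, 90, "Non-mitigated"),
    ("my.ipaymu.com",                "B", 100, 85, 80, 90, "Non-mitigated"),
]

# SSL Server Rating Guide (2009) weights and letter floors.
WEIGHTS = {"Protocol Support": 0.30, "Key Exchange": 0.30, "Cipher Strength": 0.40}
LETTER_FLOORS = (("A", 80), ("B", 65), ("C", 50), ("D", 35), ("E", 20))


def letter_grade(protocol, key_exchange, cipher, beast_mitigated, certificate=100):
    """Map the SSL Labs sub-scores to a letter grade.

    A certificate score of 0 (untrusted/invalid) voids the grade, and a zero in
    any weighted category is an automatic F, both per the rating guide. The
    cap at B for BEAST-unmitigated servers is an ASSUMPTION taken from the
    page's own results, not from the guide.
    """
    if certificate == 0:
        return "F"
    scores = {"Protocol Support": protocol, "Key Exchange": key_exchange, "Cipher Strength": cipher}
    if min(scores.values()) == 0:
        return "F"
    total = sum(WEIGHTS[name] * value for name, value in scores.items())
    letter = next((l for l, floor in LETTER_FLOORS if total >= floor), "F")
    if letter == "A" and not beast_mitigated:
        letter = "B"
    return letter


def weakest_category(protocol, key_exchange, cipher):
    """The sub-score that most limits the grade (lowest raw score, first on ties)."""
    scores = {"Protocol Support": protocol, "Key Exchange": key_exchange, "Cipher Strength": cipher}
    return min(scores, key=scores.get)


def audit(report):
    """Recompute each record's grade and flag the ones held at B only by BEAST."""
    rows = []
    for domain, reported, cert, proto, kx, cipher, beast in report:
        mitigated = beast == "Mitigated"
        computed = letter_grade(proto, kx, cipher, mitigated, cert)
        # Would the server be an A if the only change were mitigating BEAST?
        beast_capped = (computed == "B" and not mitigated
                        and letter_grade(proto, kx, cipher, True, cert) == "A")
        rows.append({
            "domain": domain,
            "reported": reported,
            "computed": computed,
            "matches": reported == computed,
            "weakest": weakest_category(proto, kx, cipher),
            "beast_capped": beast_capped,
        })
    return rows


if __name__ == "__main__":
    for row in audit(REPORT):
        note = " (A if BEAST were mitigated)" if row["beast_capped"] else ""
        print("%-30s reported %s computed %s weakest: %s%s" % (
            row["domain"], row["reported"], row["computed"], row["weakest"], note))
```

Run as-is, the model reproduces every reported grade in the sample, and the `beast_capped` flag separates the two kinds of B on the page: servers like kaskus.co.id and payments.veritrans.co.id whose numbers already earn an A and are held back only by BEAST, versus servers like airasia.com whose key-exchange score of 40 puts them at C regardless of BEAST.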

So as the results above say, it's quite the risky business for e-commerce consumers in Indonesia. Bhinneka, ranked 58 according to Alexa.com, scores an F. Tiket.com is using an older set of daemons/SSL ciphers and needs to harden, while Tiket2 needs to buy an SSL certificate. Other e-commerce websites like TokoBagus, Disdus and Berniaga don't even support SSL.

On the other hand, the websites scoring an A were mostly banks: KlikBCA, Bank Mandiri and CIMB. Applause to Lazada for also scoring an A.

What I found most disappointing were the payment gateways, except for Veritrans. Veritrans implements a rather secure API mimicking OAuth's flow, requiring all requests to be signed with a secret key; they also scored a B.

iPaymu was scoring a B, but after going through their API documentation, it was appalling to say the least. Requests to their API don't need any public/private token pair, just a plain token. They definitely need to pay more attention to their security practice.

For Doku and Finpay, I don't know their API endpoints, if any, but a check of their root domain names yields disappointing results as well. Doku does not support SSL, while Finpay has an SSL certificate mismatch. Not what you'd expect from a payment gateway. I'm out of negative superlatives for these two. Midazz is pretty much exactly like Doku; they don't understand the need for SSL.

Airlines have the worst SSL audit results of all the websites. Lion Air and Air Asia got a C, while Garuda Indonesia got an F! Airlines, especially Garuda Indonesia, need to find better resources for securing their customers' transactions on their websites. Totally unacceptable! How can you pay hundreds of millions of dollars for airplanes and fail miserably at this?

So there you go: top Indonesian websites' awareness of SSL.

27 June 2013 by Batista Harahap on audit | indonesia | ssl | websites