I came across Qualys SSL Labs a few minutes ago while reading through Hacker News. It immediately triggered my interest to question how secure the top websites in Indonesia are when it comes to their SSL.
Urbanesia
Since I am at Urbanesia, the first place to go is clear. I typed in Urbanesia.com and the initial audit result was "needs more work": the audit came back as a B. The server didn't mitigate the BEAST attack, and that's the main reason the grade was dropped. After a little digging, the ciphers were the culprit, and to mitigate the problem nginx needs to be configured like below. As it turns out, after putting the configuration into play, Urbanesia was still getting a B due to BEAST non-mitigation. The resources out there imply the above configuration, so I'll have to settle for a B until further digging.
Top Websites
So I was curious how other websites in Indonesia grade. I went ahead to do more testing; the reports as of 27 June 2013 03:53:00 GMT+7 follow this paragraph.
Kaskus
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=kaskus.co.id
Domain: kaskus.co.id
Grade: B
Certificate: 100
Protocol Support: 90
Key Exchange: 80
Cipher Strength: 90
BEAST: Non-mitigated
Detik
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=detik.com
Domain: detik.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support
Detik Connect
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=connect.detik.com
Domain: connect.detik.com
Grade: B
Certificate: 100
Protocol Support: 90
Key Exchange: 80
Cipher Strength: 90
BEAST: Non-mitigated
Kompas
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=kompas.com
Domain: kompas.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support
Kompas Logins
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=login.kompas.com
Domain: login.kompas.com
Grade: A
Certificate: 100
Protocol Support: 85
Key Exchange: 90
Cipher Strength: 90
BEAST: Non-mitigated
Update 28 June 2013: Kompas has since fixed this and is now getting a big A. One more thing they can do is update their OpenSSL library to support a newer TLS version. Overall, a fast response and decisive action in getting to an A.
TokoBagus
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=tokobagus.com
Domain: tokobagus.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support
Berniaga
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=berniaga.com
Domain: berniaga.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support
Tokopedia
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=tokopedia.com
Domain: tokopedia.com
Grade: A
Certificate: 100
Protocol Support: 90
Key Exchange: 80
Cipher Strength: 90
BEAST: Mitigated
Updated 27 June 2013 13:28:00: William responded on Facebook and reworked Tokopedia’s SSL implementation to upgrade their score from B to A. Swift and precise measures; the others should take Tokopedia as an example (including Urbanesia).
Bhinneka
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=bhinneka.com
Domain: bhinneka.com
Grade: F
Certificate: 100
Protocol Support: 0
Key Exchange: 90
Cipher Strength: 90
BEAST: Non-mitigated
LivingSocial
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=livingsocial.co.id
Domain: livingsocial.co.id
Grade: B
Certificate: 100
Protocol Support: 85
Key Exchange: 80
Cipher Strength: 90
BEAST: Non-mitigated
Note: Does not support TLS 1.2
Disdus
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=disdus.com
Domain: disdus.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support
Lazada
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=lazada.co.id
Domain: lazada.co.id
Grade: A
Certificate: 100
Protocol Support: 85
Key Exchange: 90
Cipher Strength: 90
BEAST: Mitigated
Note: Does not support TLS 1.2
Blibli
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=blibli.com
Domain: blibli.com
Grade: B
Certificate: 100
Protocol Support: 90
Key Exchange: 90
Cipher Strength: 90
BEAST: Non-mitigated
Tiket
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=tiket.com
Domain: tiket.com
Grade: A
Certificate: 100
Protocol Support: 90
Key Exchange: 90
Cipher Strength: 90
BEAST: Mitigated
UPDATE 28 July 2013: Tiket.com now scores an A with 100/90/90/90 across the board.
Tiket2
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=tiket2.com
Domain: tiket2.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support
Lion Air
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=secure2.lionair.co.id
Domain: secure2.lionair.co.id
Grade: C
Certificate: 100
Protocol Support: 85
Key Exchange: 40
Cipher Strength: 60
BEAST: Mitigated
Garuda Indonesia
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=booking.garuda-indonesia.com
Domain: booking.garuda-indonesia.com
Grade: F
Certificate: 100
Protocol Support: 87
Key Exchange: 0
Cipher Strength: 80
BEAST: Mitigated
Air Asia
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=airasia.com
Domain: airasia.com
Grade: C
Certificate: 100
Protocol Support: 90
Key Exchange: 40
Cipher Strength: 60
BEAST: Non-mitigated
KlikBCA
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=ibank.klikbca.com
Domain: ibank.klikbca.com
Grade: A
Certificate: 100
Protocol Support: 90
Key Exchange: 90
Cipher Strength: 90
BEAST: Mitigated
Bank Mandiri
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=ib.bankmandiri.co.id
Domain: ib.bankmandiri.co.id
Grade: A
Certificate: 100
Protocol Support: 85
Key Exchange: 90
Cipher Strength: 90
BEAST: Mitigated
Note: Does not support TLS 1.2
CIMB Clicks
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=www.cimbclicks.co.id
Domain: www.cimbclicks.co.id
Grade: A
Certificate: 100
Protocol Support: 90
Key Exchange: 90
Cipher Strength: 90
BEAST: Mitigated
Veritrans
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=payments.veritrans.co.id
Domain: payments.veritrans.co.id
Grade: B
Certificate: 100
Protocol Support: 90
Key Exchange: 90
Cipher Strength: 90
BEAST: Non-mitigated
iPaymu
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=my.ipaymu.com
Domain: my.ipaymu.com
Grade: B
Certificate: 100
Protocol Support: 85
Key Exchange: 80
Cipher Strength: 90
BEAST: Non-mitigated
Note: Checked the domain for iPaymu’s API transactions
Doku
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=doku.com
Domain: doku.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support
Finpay
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=portalfinpay.com
Domain: portalfinpay.com
Grade: SSL Certificate Mismatch
Certificate: SSL Certificate Mismatch
Protocol Support: SSL Certificate Mismatch
Key Exchange: SSL Certificate Mismatch
Cipher Strength: SSL Certificate Mismatch
BEAST: SSL Certificate Mismatch
Midazz
SSLLabs Report: https://www.ssllabs.com/ssltest/analyze.html?d=midazz.com
Domain: midazz.com
Grade: No SSL Support
Certificate: No SSL Support
Protocol Support: No SSL Support
Key Exchange: No SSL Support
Cipher Strength: No SSL Support
BEAST: No SSL Support
So as the results above say, it’s quite the risky business for e-commerce consumers in Indonesia. Bhinneka, ranked 58 according to Alexa.com, scores an F. Tiket.com is using an older set of daemon/SSL ciphers and needs to harden, while Tiket2 needs to buy an SSL certificate. Other e-commerce websites like TokoBagus, Disdus and Berniaga don’t even support SSL.
On the other hand, the websites scoring an A were mostly banks, namely KlikBCA, Bank Mandiri and CIMB. Applause for Lazada for also scoring an A.
What I found most disappointing were the payment gateways, with the exception of Veritrans. Veritrans implements a rather secure API mimicking OAuth’s flow, requiring all requests to be signed with a secret key; they also scored a B.
iPaymu was scoring a B, but after going through their API documentation, it was appalling to say the least. None of the requests to their API need a public/private token pair; in fact, just a plain token is used. They definitely need to pay more attention to their security practice.
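To make the difference between the two API styles concrete (the Veritrans-style signed request above versus iPaymu's plain token), here is an added example that is not code from the post or from either gateway. Every name, header layout and credential in it is a constructed assumption; it only illustrates why a per-request HMAC signature limits the damage of a request observed in transit, while a static token does not.

```python
import hmac
import hashlib
import time

# Constructed sample credential; a real gateway issues its own.
SHARED_SECRET = b"constructed-shared-secret-not-a-real-key"
MAX_CLOCK_SKEW = 300  # seconds a signed request remains acceptable


def canonical_string(method, path, body, timestamp):
    """Bind method, path, a hash of the body and the timestamp into one
    string, so none of them can change without invalidating the signature."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp)])


def sign_request(method, path, body, timestamp, secret=SHARED_SECRET):
    """Client side: the signature the merchant attaches to one request."""
    msg = canonical_string(method, path, body, timestamp).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(method, path, body, timestamp, signature, now=None,
                   secret=SHARED_SECRET):
    """Gateway side: reject stale timestamps (bounded replay window), then
    recompute and compare in constant time. The secret never travels."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_CLOCK_SKEW:
        return False
    expected = sign_request(method, path, body, timestamp, secret)
    return hmac.compare_digest(expected, signature)


def plain_token_check(presented, issued="constructed-static-token"):
    """The weaker scheme: the same static token is sent with every request,
    so one observed request (for example over a site without SSL) yields a
    credential that keeps working, unchanged, for any future request."""
    return hmac.compare_digest(presented, issued)


if __name__ == "__main__":
    ts = 1372280000  # constructed timestamp
    body = b'{"order_id": "INV-1", "amount": 100000}'
    sig = sign_request("POST", "/v1/charge", body, ts)
    print("genuine:", verify_request("POST", "/v1/charge", body, ts, sig, now=ts + 5))
    tampered = b'{"order_id": "INV-1", "amount": 1}'
    print("tampered body:", verify_request("POST", "/v1/charge", tampered, ts, sig, now=ts + 5))
    print("replayed an hour later:", verify_request("POST", "/v1/charge", body, ts, sig, now=ts + 3600))
```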
For Doku and Finpay, I don’t know their API endpoints, if any, but a check of their root domain names yields disappointing results as well. Doku does not support SSL, while Finpay has an SSL certificate mismatch. Not what you expect from a payment gateway. I’m out of superlatives for these two. Midazz is pretty much exactly like Doku; they don’t understand the need for SSL.
Airlines have the worst SSL audits of all the websites. Lion Air and Air Asia got a C, while Garuda Indonesia got an F! Airlines, especially Garuda Indonesia, need to find better resources for securing their customers’ transactions on their websites. Totally unacceptable! How can you pay hundreds of millions of dollars for airplanes and fail miserably at this?
So there you go: SSL awareness among the top Indonesian websites.