Group: netwin.surgemail
Subject: [SurgeMail List] securityheaders.io
Date: Thu, 13 Apr 2017 04:15:54 +0000

I just became aware of this new “security checking” site, and I see that our webmail doesn’t score so well:

https://securityheaders.io/?q=webmail.premieronline.net

Is there some low-hanging fruit that Netwin can add to improve the default webmail site’s security?

Frank


From: "Neil Herber (nospam)" <nospam@eton.ca>
Date: Thu, 13 Apr 2017 13:12:38 -0400


I am not an expert by any means, but I can see one problem: you are
serving the login page over http and not https. This potentially exposes
any of the form data to sniffing.

Compare to my site:

https://secure.eton.ca/surgeweb

I am not sure I would agree with your "security checking site" either.
Qualys gives you an "A" SSL report:

https://www.ssllabs.com/ssltest/analyze.html?d=webmail.premieronline.net

AFAIK, Qualys ONLY checks an https connection.

Your server has both http and https open. My SurgeWeb server runs behind
an Apache proxy where I have set up a redirect to force http to https.
(Try http://secure.eton.ca/surgeweb to see it switch.)

There should be SurgeMail settings that will force logins over https,
but NetWin can give you those. (My proxy setup means I don't need to use
or know them.)

Neil


On 2017-04-13 12:15 AM, Frank Bulk wrote:
>
> I just became aware of this new “security checking” site, and I see
> that our webmail doesn’t score so well:
>
> https://securityheaders.io/?q=webmail.premieronline.net
>
> Is there some low-hanging fruit that Netwin can add to improve the
> default webmail site’s security?
>
> Frank
>

-- 
Neil Herber




From: Surgemail Support (Marijn) <surgemail-support@netwinsite.com>
Date: Sat, 15 Apr 2017 01:47:19 -0500


Thanks for the report. I'm pretty sure we are currently not using any 
of those headers, we will investigate and tweak / add settings for as 
appropriate.

Marijn


On Thursday 13/04/2017 at 4:18 pm, surgemail-list@netwinsite.com 
wrote:
>
>
> I just became aware of this new “security checking” site, and I 
> see that our webmail doesn’t score so well:
> https://securityheaders.io/?q=webmail.premieronline.net
> Is there some low-hanging fruit that Netwin can add to improve the 
> default webmail site’s security?
> Frank





From: Surgemail Support (Marijn) <surgemail-support@netwinsite.com>
Date: Thu, 20 Apr 2017 05:04:55 -0500


What I believe to be the right selection of headers has been added for all of 
surgemail's web interfaces in surgemail version 7.2j-19+.
Made it as strict as I could while having existing interfaces continue 
to work.

Rating is now much better according to this site (A instead of F):
      https://securityheaders.io/?q=netwinsite.com%3A7080%2Fsurgeweb

Personally I'm not convinced how much more security it actually 
provides... Also, it is possible some emails may no longer show some 
external content they used to show. Let us know if you find this is 
the case and it causes trouble for you. Also, if you happen to be 
making use of services like Google advertising or Google Analytics in 
surgeweb etc., this may well be affected and need further tweaking of 
settings.

Let us know what platforms you need and I'll upload some builds 
tomorrow if you want to confirm this is working as expected for you.

Marijn


On Saturday 15/04/2017 at 6:47 pm, Surgemail Support (Marijn)  wrote:
>
>
> Thanks for the report. I'm pretty sure we are currently not using any 
> of those headers, we will investigate and tweak / add settings for as 
> appropriate.
>
> Marijn
>
>
> On Thursday 13/04/2017 at 4:18 pm, surgemail-list@netwinsite.com 
> wrote:
>>
>>
>> I just became aware of this new “security checking” site, and I 
>> see that our webmail doesn’t score so well:
>> https://securityheaders.io/?q=webmail.premieronline.net
>> Is there some low-hanging fruit that Netwin can add to improve the 
>> default webmail site’s security?
>> Frank
>


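The two things raised in this thread, Neil's forced http-to-https redirect and the header set Marijn added, can both be verified offline against a captured response head before re-running a scanner. The checker below is an added example, not SurgeMail code or anything posted in the thread; it assumes the six headers securityheaders.io graded on in 2017 (the thread names none of them) and uses constructed sample responses.

```python
# Headers securityheaders.io graded on in 2017 (assumption; the thread names none of them).
GRADED = ("Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
          "X-XSS-Protection", "X-Content-Type-Options", "Referrer-Policy")

# Constructed sample response heads, not captured from any host in the thread.
BEFORE = """HTTP/1.1 200 OK
Server: SurgeMail
Content-Type: text/html"""

REDIRECT = """HTTP/1.1 301 Moved Permanently
Location: https://webmail.example.invalid/surgeweb"""

AFTER = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; img-src 'self' https:
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Content-Type: text/html"""


def parse_response_head(raw):
    """Split a raw response head into its status code and a lower-cased header map."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def missing_headers(raw):
    """Graded headers absent from the response, in GRADED order (empty list = full marks)."""
    _, headers = parse_response_head(raw)
    return [h for h in GRADED if h.lower() not in headers]

def forces_https(raw) -> bool:
    """True when a plain-http response redirects to an https URL (what Neil's proxy does)."""
    status, headers = parse_response_head(raw)
    return status in (301, 302, 307, 308) and headers.get("location", "").startswith("https://")

def hsts_max_age(raw) -> int:
    """max-age from Strict-Transport-Security, or 0 when the header is missing or malformed."""
    _, headers = parse_response_head(raw)
    for directive in headers.get("strict-transport-security", "").split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age" and value.isdigit():
            return int(value)
    return 0
```

Feed it the head of a real response (for example from `curl -sI`) in place of the constructed strings; a non-empty `missing_headers` result on the https endpoint, or `forces_https` returning False on the plain-http endpoint, is the gap the scanner would flag.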