DevHeads.net

Re: possible to reach hardenize's requirements?

Hello list,

I am the founder/developer of Hardenize. I was alerted to this thread by
one or two participants (thanks!) and I thought it would be a good idea to
join the list to respond. (I don't have an earlier email from the same
thread to respond to, but perhaps reusing the same subject may do the
trick.) I've read the entire thread and here are my thoughts:

- Wherever you're seeing unexpected results, the root cause is probably
some sort of server throttling of our connections. To discover all
supported TLS suites we need one connection per suite, and then we do that
for each protocol separately. If in doubt, whitelist outbound.hardenize.com and
try again.

- At present our report tries to be factual, without any recommendations
except for the obvious. As a rule of thumb, if the report card (left) shows
orange or red, that's because something is broken or clearly insecure. We
may show additional orange and red on the right, but we often do that to
call out some insecure elements. For example, TLS 1.0 as a protocol is weak
and we need to call it out as such, even if it's all right (or acceptable)
to use with SMTP.

- As a rule of thumb, I think it would be very difficult for a
commercially-viable operation to eliminate all the warnings.

- When it comes to SMTP and TLS, we think that servers should support
modern protocols (so TLS 1.2 or better) with forward secrecy. That's pretty
much it, except for some protocol elements that are so dangerous that they could
be used to compromise other servers (e.g., HTTPS). We have different
(stricter) requirements when MTA-STS is enabled.

- Re DMARC, at this point I believe we factually report on whether DMARC is
supported, without endorsing a particular configuration. When we start to
recommend it, we will add more content to describe the caveats.

If you have specific objections and recommendations, I'd appreciate it if
you could open a ticket here
https://github.com/hardenize/hardenize-public/issues and we'd be happy to
discuss and learn. Please have in mind that our report is by no means
complete today; we're on a journey and we have a pretty long to-do list
internally of things we wish to work on and improve.

Many thanks.
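The per-suite, per-protocol probing described in the post (one handshake per suite, repeated for each protocol version) and the "TLS 1.2 or better with forward secrecy" rule it states for SMTP, as an added Go example that is not part of this thread or of Hardenize's own code. It runs an in-process server with a constructed self-signed ECDSA certificate and offers every TLS 1.2 suite one at a time over net.Pipe; the STARTTLS preamble of a real SMTP scan is omitted, and the names NewTestServer, probeSuite and EnumerateTLS12 are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"strings"
	"time"
)

// NewTestServer returns a server config with a throwaway self-signed ECDSA cert (constructed for this example).
func NewTestServer() *tls.Config {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
}

// probeSuite performs one handshake that offers exactly one cipher suite at one protocol version;
// a scanner repeats this per suite and per protocol, which is why it opens so many connections.
func probeSuite(server *tls.Config, version, suite uint16) bool {
	cli, srv := net.Pipe()
	done := make(chan struct{})
	go func() { tls.Server(srv, server).Handshake(); srv.Close(); close(done) }()
	c := tls.Client(cli, &tls.Config{InsecureSkipVerify: true, MinVersion: version, MaxVersion: version, CipherSuites: []uint16{suite}})
	err := c.Handshake() // InsecureSkipVerify only because the cert is a test fixture; a real scan records the chain separately
	cli.Close()          // close the raw pipe so neither side blocks while sending close_notify
	<-done
	return err == nil
}

// EnumerateTLS12 lists the TLS 1.2 suites the server accepts when each is offered alone, and whether
// all of them use ephemeral key exchange (the post's forward-secrecy rule; Go names those TLS_ECDHE_*).
func EnumerateTLS12(server *tls.Config) (accepted []string, forwardSecret bool) {
	forwardSecret = true
	for _, cs := range tls.CipherSuites() {
		last := cs.SupportedVersions[len(cs.SupportedVersions)-1] // 1.2 suites end at 1.2; 1.3 suites are 1.3-only
		if last == tls.VersionTLS12 && probeSuite(server, tls.VersionTLS12, cs.ID) {
			accepted = append(accepted, cs.Name)
			forwardSecret = forwardSecret && strings.HasPrefix(cs.Name, "TLS_ECDHE_")
		}
	}
	return accepted, forwardSecret && len(accepted) > 0
}
```

With an ECDSA-only certificate the accepted list contains only TLS_ECDHE_ECDSA_* suites, so the forward-secrecy check passes; point the same loop at a server configured with static RSA key exchange and it fails.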