Recently, Mark Stanislav gave a talk on holistic authentication security for companies that have implemented two-factor authentication. He developed a scoring system, MASSACRE, which quantifies the presence of several different security features on a web site: cookie flags, response headers, etc. This inspired me to see if I could get our Jasig CAS server with Duo 2FA to the top of the charts. As you might know, CAS runs on Apache Tomcat, which leaves a system administrator little room for configuration of these features. Enter HAProxy.
Mark broke the scoring down into 4 categories: SSL Implementation, Security Page, Browser Security Features, and Two Factor. I'll start with the low-hanging fruit.
First, does your company have at least one page which explains its security posture? We have plenty of those, so add 5 more points.
Next, enable two-factor authentication. In the past I have outlined the steps I took to get CAS working with Duo, so follow those and add 15 points to your scorecard.
The next category is SSL implementation. 15 points are available for a score of B- or higher on Qualys’ SSLLabs analyzer. It is possible to configure Tomcat to get to that range, but why not just add the following line to your HTTPS-in stanza in HAProxy.
bind *:443 ssl crt /etc/haproxy/raw.pem ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:!NULL:!aNULL:!RC4:!RC2:!MEDIUM:!LOW:!EXPORT:!DES:!MD5:!PSK:!3DES no-sslv3
Assuming that you have a modern version of OpenSSL installed this should do the trick. Add 15 more points. That brings us to 35.
We can score 20 points automatically, since HttpOnly and Secure are both set by default on the session cookie for CAS. Running total: 55.
Lastly, let’s add the HTTP response headers that Mark and OWASP recommend. In the HTTPS-in section add the following lines:
rspadd Strict-Transport-Security:\ max-age=31536000
rspadd X-Frame-Options:\ DENY
rspadd X-XSS-Protection:\ 1;\ mode=block
rspadd X-Content-Type-Options:\ nosniff
This brings us to 85/100 points.
Unfortunately, I was not able to add the Content-Security-Policy header without including ‘unsafe-inline’ (which kind of defeats the purpose). The implementation of CAS I am running requires inline <script> tags in order to function. Until those are removed I am capped at 85. Still not bad.
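To verify that the cookie flags, the four rspadd headers and the CSP situation described above actually come through to the browser, here is a small checker that parses a raw HTTP response and reports each control as present or missing. It is an added example, not code from the original post or from CAS/HAProxy; the two sample responses are constructed, not captured from a real server.

```python
import re  # added example, not from the original post

HSTS_MIN_AGE = 31536000  # one year, as in the rspadd line above

# Constructed sample responses (not captured from a real CAS server).
HARDENED = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
            "X-Frame-Options: DENY\r\nX-XSS-Protection: 1; mode=block\r\n"
            "X-Content-Type-Options: nosniff\r\n"
            "Set-Cookie: SESSION=constructed; Path=/cas; Secure; HttpOnly\r\n\r\n")
WEAK = ("HTTP/1.1 200 OK\r\nSet-Cookie: SESSION=constructed; Path=/cas\r\n"
        "Content-Security-Policy: script-src 'self' 'unsafe-inline'\r\n\r\n")


def parse_headers(raw):
    """(name, value) pairs from a raw response; duplicates (Set-Cookie) kept."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def values(headers, name):
    return [v for k, v in headers if k == name]


def cookie_flags_ok(cookie):
    """A session cookie needs both HttpOnly and Secure."""
    attrs = {p.strip().lower() for p in cookie.split(";")[1:]}
    return {"httponly", "secure"} <= attrs


def check_response(raw):
    """Map each control discussed above to True (present and sane) or False."""
    h = parse_headers(raw)
    hsts = values(h, "strict-transport-security")
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    cookies, csp = values(h, "set-cookie"), values(h, "content-security-policy")
    return {
        "hsts": age is not None and int(age.group(1)) >= HSTS_MIN_AGE,
        "x-frame-options": any(v.upper() in ("DENY", "SAMEORIGIN")
                               for v in values(h, "x-frame-options")),
        "x-xss-protection": any(v.replace(" ", "").lower() == "1;mode=block"
                                for v in values(h, "x-xss-protection")),
        "x-content-type-options": any(v.lower() == "nosniff"
                                      for v in values(h, "x-content-type-options")),
        "cookie-flags": bool(cookies) and all(cookie_flags_ok(c) for c in cookies),
        # CSP only counts when it does not rely on 'unsafe-inline'
        "csp": bool(csp) and not any("unsafe-inline" in v for v in csp),
    }
```

Run `check_response` on the header block captured from your own CAS login page (for example from a curl -i dump) and the only False entry on a setup matching the post should be "csp".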