

Tinfoil Security




Posted by Ash, 09-27-2012, 07:27 AM
Anybody else come across this? I think it's one to keep an eye on, and potentially a big selling point for providers if the integration and reporting to individual clients etc. can be done without too much headache. https://www.tinfoilsecurity.com See 'Take a Tour'; the UI looks a little Cloudflare-like, and I'd not be surprised to see 'Cloudflare & Tinfoil' as offer headers on here eventually .. if they can nail the pricing plans, keep the overhead low etc.

Posted by eth00, 09-27-2012, 10:34 AM
Interesting product, definitely something to watch and see how it pans out.

Posted by HostMantis, 09-27-2012, 10:53 AM
That may be the most important factor. Price. For an average user, $49/mo is a little steep.

Posted by TravisT-[SSS], 09-27-2012, 10:56 AM
Agreed. Most users run around trying to start web hosting for pennies (literally), and they don't even want to invest in other services like having their servers secured, even when their billing system is hacked (no joke). But honestly, a well secured server with a mod_sec ruleset really won't need this at all, so it's more of an individual user/website service.

Posted by Ash, 09-27-2012, 11:23 AM
I don't see it so much as a security benefit for the provider. If anything I see it as a way to reduce support load. If you can implement this and it's reporting potential SQLi/XSS issues etc. directly to clients, they have the info they need to take action before needing to raise that 'help, my site was hacked' ticket. Plus you've got the value-add element. If it can report vulnerable WordPress plugins, for example, that's got to be a winner, right? As for pricing, I might be wrong, but the $59/mo plan for example appears to be for 250 individual domains .. So bring that down some more with a cost model for hosts/partners and the cost per client domain per month could be justified. *edit - ok, it's 250 domains but one user, so that's the bit that would need to change to make it viable. Last edited by Ash; 09-27-2012 at 11:29 AM.

Posted by BestServerSupport, 09-27-2012, 11:51 AM
It seems that it is more important for individual users to get alerts for website vulnerabilities. Considering the individual-user factor, the price should be a bit lower.

Posted by iwebadmin, 09-27-2012, 09:19 PM
Hah. I was worried there for a sec and cancelled the scan. Looks like Tinfoil found a type of XSS exploit on the WHMCS contact form. My email box was starting to get flooded. Good to know..

Posted by iwebadmin, 09-27-2012, 09:23 PM
Wow.. it's not stopping. Definitely don't test this on a production site.

Posted by ainsleyb, 09-28-2012, 12:51 AM
Sorry you're having this issue. We recommend (on our homepage) that every external form have a CAPTCHA on it; unfortunately, if we can spam it, anyone else can too. With that said, this is definitely an issue and we'll be looking into how to detect contact forms (and similar) in the future so as to flag it, inform our customer, and avoid spamming. As soon as a scan is cancelled via our interface, it is stopped and no more requests to your website (and thus, your forms) are sent. Unfortunately, many mail servers and providers buffer the sending of email, and so you may receive email even after the scan is cancelled. We are not sending any more requests and the email should stop as soon as your mail server's buffers empty. All of our form submissions have the word 'tinfoil' in them, so you can filter on the word 'tinfoil' without the quotes. That should make it easier to simply catch all of the automated messages and remove them in a batch. If you continue having issues, or run into any other troubles at all, please feel free to email us at support@tinfoilsecurity.com and I will personally take a look into your account and issues. Hope that helps, and would love any more feedback you might have. -- Ainsley K. Braun Co-founder & CEO Tinfoil Security, Inc.

Posted by iwebadmin, 09-28-2012, 06:54 AM
Hey, thanks for the reply. No biggie, it just caught me by surprise. Understandable too about the mail that was buffered into the queue waiting to be sent.

Posted by AcheronMedia-VK, 09-28-2012, 07:04 AM
I tried it too and DoS-ed my contact form (the mail server fail2banned my own app server, lol). Entirely my own fault, of course; I should have protected it with a CAPTCHA. But this tool actually pointed that out. Neat.
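The failure mode in the two posts above (a scanner or any other bot submits a contact form in a tight loop, the app relays every submission to the mail server, and the mail server ends up rate-limiting or banning the app host) is worth showing as code. What follows is an added example, not code from the original thread, from Tinfoil Security or from WHMCS. It drops abusive submissions at the application layer before anything is queued for mail, using two controls a practitioner would reach for alongside a CAPTCHA: a per-client sliding-window rate limit and a hidden honeypot field that humans leave blank. The class and field names, the limits, and the burst of 'tinfoil' submissions fed to it are all constructed for the example; an injected clock keeps it deterministic.

```python
from collections import Counter, defaultdict, deque
import time


class ContactFormGuard:
    """Decide whether a contact-form POST may be relayed to the mail server.

    Hypothetical helper for this example. Two checks run before mail is queued:
      1. honeypot: a hidden field real users never fill in; bots fill every field.
      2. sliding-window rate limit per client IP (max_per_window in window_seconds).
    Rejected submissions are dropped here, so a burst never reaches the MTA.
    """

    def __init__(self, max_per_window=5, window_seconds=600,
                 honeypot_field="website", clock=time.monotonic):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.honeypot_field = honeypot_field
        self.clock = clock
        self._hits = defaultdict(deque)  # client_ip -> timestamps of accepted posts

    def check(self, client_ip, form, now=None):
        """Return (accepted: bool, reason: str) for one submission dict."""
        if now is None:
            now = self.clock()

        # Honeypot: any non-empty value in the hidden field is an automated client.
        if form.get(self.honeypot_field, "").strip():
            return False, "honeypot"

        window = self._hits[client_ip]
        # Drop timestamps that have aged out of the window.
        while window and now - window[0] >= self.window_seconds:
            window.popleft()

        if len(window) >= self.max_per_window:
            return False, "rate_limited"

        window.append(now)
        return True, "accepted"


def simulate_scanner_burst(guard, client_ip, count, start=0.0, spacing=0.1):
    """Feed `count` scanner-style submissions from one IP, 100 ms apart.

    Returns a Counter of reasons, e.g. {'accepted': 5, 'rate_limited': 45}.
    The message body mimics the thread's observation that the scanner's
    submissions contain the word 'tinfoil' (constructed sample data).
    """
    outcomes = Counter()
    for i in range(count):
        form = {"name": "tinfoil", "email": "tinfoil@example.invalid",
                "message": f"tinfoil probe {i} <script>alert(1)</script>",
                "website": ""}  # a crawler that honours hidden fields leaves it blank
        accepted, reason = guard.check(client_ip, form, now=start + i * spacing)
        outcomes[reason] += 1
    return outcomes


def legit_user_after_burst(guard):
    """A different client submitting a normal message is unaffected by the burst."""
    form = {"name": "Jane", "email": "jane@example.invalid",
            "message": "Hi, I'd like a quote.", "website": ""}
    return guard.check("203.0.113.7", form, now=1000.0)


def bot_filling_honeypot(guard):
    """A bot that fills every field trips the honeypot regardless of rate."""
    form = {"name": "bot", "email": "bot@example.invalid",
            "message": "buy now", "website": "http://spam.example.invalid"}
    return guard.check("198.51.100.9", form, now=2000.0)


if __name__ == "__main__":
    g = ContactFormGuard(max_per_window=5, window_seconds=600)
    print(simulate_scanner_burst(g, "192.0.2.10", 50))
    print(legit_user_after_burst(g))
    print(bot_filling_honeypot(g))
```

With the constructed limits, only the first five scanner submissions in a ten-minute window are relayed; the other 45 are dropped before the MTA sees them, which is the difference between a handful of junk tickets and fail2ban banning the application host. The in-memory deque is per process; behind a load balancer the window state would live in a shared store, and the limit should key on the real client address rather than the proxy's.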

Posted by Ash, 09-29-2012, 03:03 AM
Welcome to WHT, Ainsley. I ran your tool against a site with around 25,000 pages, and it just completed after two days. Might be something to consider if people are setting the frequency to daily. There are particular reports that for some reason you cannot 'dismiss', for example, Private IP address disclosure. The Dismiss button just isn't there. Also, a very minor thing, but a little annoying: when logged in I can't actually view the main site, it just defaults me to /sites. I'm going to keep playing, so will probably have some more complex issues to report. Forgive me now if I break something.

Posted by ainsleyb, 09-29-2012, 03:57 AM
Thanks for the welcome! Our servers are a little overloaded right now, which is why the scans are taking a little longer to complete - we're working on fixing this - the launch press got us a little wound up. Good point on the Private IP Address not being dismissable - we don't allow you to dismiss particular issues that are high severity, for example, because they should be fixed, not dismissed. I'll make sure we fix that certain one though. While logged in we want you viewing your dashboard - would you like a way to view the external site? We can potentially work on that. Please keep playing, and keep the feedback coming. It's the only way we can make it better. -- Ainsley K. Braun Co-founder & CEO Tinfoil Security, Inc.

Posted by ainsleyb, 09-29-2012, 04:13 AM
We're working on a way to detect the contact form issue and flag it as a vulnerability without actually spamming it - not an easy problem, but definitely one we're looking forward to fixing. -- Ainsley K. Braun Co-founder & CEO Tinfoil Security, Inc.
