SERP Hacker support forum - serposcope

Support forum for open-source softwares built by serphacker.com : serposcope the rank checker.


#1 2016-02-13 10:17:18

Retep
Member
Registered: 2015-06-21
Posts: 6

How safe is it to connect Serposcope permanently to the internet

I'm using Serposcope behind a router and therefore it's not reachable for hackers or script kiddies, but clients can't reach it either.
What about safety issues for Serposcope? Okay, not connected to the internet is always safer than connecting it to the internet, but what's the risk of connecting Serposcope to the internet?
Java is always mentioned as (very) risky. Can you supply me with info on how to harden Serposcope?


#2 2016-02-14 16:10:47

serphacker
Administrator
Registered: 2014-06-13
Posts: 411

Re: How safe is it to connect Serposcope permanently to the internet

Hi,

TLDR: Serposcope is not insecure because of Java. I have more than 10 years of experience in IT security and serposcope uses best practices. Be sure to set a good password and always upgrade to the latest version when available.

Long version:

I understand your concerns and it is a very good question.

Java has a very bad reputation because of the many vulnerabilities affecting the "Java browser plugin". The number of vulnerabilities affecting it is so huge that most browsers don't support it anymore (or won't). And even Oracle (the editor of Java) is going to put an end to the Java browser plugin, so it's going to disappear, and that's a good thing.

But the Java language and the Java browser plugin are two different things, and serposcope doesn't use the plugin. It is just a web application coded in Java (like it could have been done in PHP, Ruby, Python...). So your browser is interpreting HTML and JavaScript, just like when browsing a normal website.

The Java language is not less secure than other languages (it's even more secure than languages like C/C++ and a lot more than PHP). The security of an application relies on the developers and the libraries they use. I have more than 5 years of experience in professional pentesting (my company) and more than 10 years in hacking and security, so I take security very seriously when I build an application.

Serposcope uses most of the security best practices; it is extremely unlikely that a critical vulnerability like SQL injection, authentication bypass, remote code execution or insecure file access is going to affect serposcope one day.

However, nobody can guarantee 100% security. For example, a security vulnerability could affect an external library serposcope uses. But the best practices I put in place greatly restrict the impact of such eventual issues. Furthermore, I actively monitor all the libraries I use, so be sure there will be an update immediately if that were to happen.

How to harden security?

_ Be sure you have set a good password.
_ Always upgrade to the latest version.
_ If you still don't trust serposcope, you can set it behind a reverse proxy (like nginx or Apache) and add an additional authentication layer, a kind of ".htaccess" authentication. That's what I'm doing, not because I don't trust my own code, but because I take security very seriously :)

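The reverse-proxy setup described in the answer above, written out as an added example (this is not configuration from the forum post or from the serposcope project). It assumes serposcope is listening on 127.0.0.1 on a placeholder port (7134 here; check your own serposcope configuration), that the hostname serposcope.example.com is a placeholder, and that a password file was created beforehand with something like `htpasswd -c /etc/nginx/serposcope.htpasswd someuser`:

```nginx
# Added example: nginx in front of serposcope with an extra HTTP Basic Auth layer.
# Assumptions (not from the post): serposcope bound to 127.0.0.1:7134,
# placeholder hostname, password file created with htpasswd beforehand.
server {
    listen 80;
    server_name serposcope.example.com;   # placeholder hostname

    location / {
        # Second login prompt, independent of serposcope's own password.
        auth_basic           "Serposcope";
        auth_basic_user_file /etc/nginx/serposcope.htpasswd;

        # Forward only authenticated requests to the application.
        proxy_pass         http://127.0.0.1:7134;   # placeholder port
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}
```

Two checks make this layer worth having: the application port itself must not be reachable from outside (bind it to the loopback address or block it at the firewall), otherwise the proxy is simply bypassed; and because Basic Auth sends the credentials base64-encoded on every request, the listener should be served over TLS (`listen 443 ssl;` with a certificate) rather than the plain port 80 shown here.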
