New: JARM hashes, and some phishy stuff
17 January 2021
There are some major updates to the phishy url detection under way. You’ll have to be patient for the full details because it’s not all ready for production yet. Some stuff has already made it through as you can see on the phishy url report page. ShadowTrackr now has better tracking of whois, certificate and ISP data for your phishy urls.
I also plan to use JARM hashes for better profiling of your existing servers against possible phishy servers. JARM hashes are already found on the phishy url page and on all your existing webpages. You can click on the hashes to pivot and find related infrastructure.
Dark mode support
31 December 2020
It’s that time of the year with darkness in the Northern hemisphere. We’re just past the shortest day of the year and I should have mentioned this 3 weeks earlier, but … ShadowTrackr now has dark mode!
Most development time in the busy December month was spent fixing bugs and writing tests, and the white background really started to hurt my eyes in the evenings. So while it sounds like a cool extra, it really was a necessary feature.
You can find dark mode under Settings > My profile > User interface settings
Website grades have changed
22 November 2020
Just like your certificates, your websites have a security score too. This has been available in ShadowTrackr for a while, but wasn’t actively used or included in reports or graphs. Since most clients had quite a lot of bad grades, I wasn’t really sure how we should handle this.
No pain, no gain though. Since the goal is to improve your security, at some point these bad grades had to make an entry. That just happened, and quite a few of you will see extra red dots appear on your graphs and under reports.
We’ll start slowly with marking every website graded ‘F’ as a problem. Anything between A and F will be a warning for now (but note that we’ll get stricter at some point in the future). The grades are based on the Mozilla Observatory scores.
So, what do you do now? Work on improving your website security of course! For some quick fixes to get you out of the red, set these HTTP headers in your webserver:
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
If you want even better scores, read up on Content-Security-Policy and Subresource-Integrity.
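To check whether a server already sends the five headers listed above, the following added example (not ShadowTrackr code) audits a raw HTTP response head against exactly those values. The sample response and the function names are constructed for illustration; "differs" only means the value is not the one from the list, not that it is necessarily weaker.

```python
# Recommended values exactly as listed in the post above.
RECOMMENDED = {
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Constructed sample: two headers present, HSTS set too short, two missing.
SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html
x-frame-options: sameorigin
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=300
"""

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased-name: value}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def normalise(value):
    """Split on ';' and ignore case and spacing, so 'sameorigin' == 'SAMEORIGIN'."""
    return [part.strip().lower() for part in value.split(";") if part.strip()]

def audit(raw):
    """Return {header: 'ok' | 'missing' | 'differs: <value sent>'}."""
    seen = parse_headers(raw)
    result = {}
    for name, want in RECOMMENDED.items():
        got = seen.get(name.lower())  # header names are case-insensitive
        if got is None:
            result[name] = "missing"
        elif normalise(got) == normalise(want):
            result[name] = "ok"
        else:
            result[name] = "differs: " + got
    return result

if __name__ == "__main__":
    for header, status in audit(SAMPLE).items():
        print(f"{header}: {status}")
```

To audit a live site, paste the output of `curl -sI https://your-site.example` into `audit()` in place of the sample.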