isvsecwatch / httpstracker

Our main issue tracker for ISV security issues, such as the SSL/TLS configuration of their online stores.

sso.emc.com - single sign-on for EMC/RSA etc. #10

Closed sindarina closed 9 years ago

sindarina commented 9 years ago

SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=sso.emc.com (F)

Cipherscan Results

Target: sso.emc.com:443

prio  ciphersuite      protocols              pubkey_size  signature_algorithm    trusted  ticket_hint  ocsp_staple  pfs_keysize
1     AES256-SHA       TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     7200         False
2     DES-CBC3-SHA     TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     7200         False
3     AES128-SHA       TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     7200         False
4     IDEA-CBC-SHA     TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     7200         False
5     RC4-SHA          TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     7200         False
6     RC4-MD5          TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     7200         False
7     DES-CBC-SHA      TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     7200         False
8     EXP-DES-CBC-SHA  TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     None         False        RSA,512bits
9     EXP-RC2-CBC-MD5  TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     None         False        RSA,512bits
10    EXP-RC4-MD5      TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     None         False        RSA,512bits

OCSP stapling: not supported
Server side cipher ordering

Verdict: This is the company behind RSA. You know, the RSA of the RSA you see in crypto everywhere. Rather disappointing, this. I figured that they, of all people, would be more on the ball with these things. I guess not, sigh.

sindarina commented 9 years ago

Tagged on Twitter, notified via 'security_alert@emc.com'.

sindarina commented 9 years ago

It looks like they did some work, and removed the export ciphers:

Target: sso.emc.com:443

prio  ciphersuite   protocols              pfs_keysize
1     AES256-SHA    TLSv1,TLSv1.1,TLSv1.2
2     DES-CBC3-SHA  TLSv1,TLSv1.1,TLSv1.2
3     AES128-SHA    TLSv1,TLSv1.1,TLSv1.2
4     IDEA-CBC-SHA  TLSv1,TLSv1.1,TLSv1.2
5     RC4-SHA       TLSv1,TLSv1.1,TLSv1.2
6     RC4-MD5       TLSv1,TLSv1.1,TLSv1.2
7     DES-CBC-SHA   TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 7200
OCSP stapling: not supported
Server side cipher ordering

Still RC4 though, IDEA? 56-bit DES? Meh. Oh well, a little bit of progress, removing a few labels.

sindarina commented 9 years ago

No change in the past week.

Cipherscan Results (Analysis)

sso.emc.com:443 has bad ssl/tls

Things that are bad:
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC-SHA

Changes needed to match the intermediate level:
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC-SHA
* consider using a SHA-256 certificate
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher AES256-SHA
* remove cipher DES-CBC3-SHA
* remove cipher AES128-SHA
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC-SHA
* disable TLSv1
* use a SHA-256 certificate
* consider enabling OCSP Stapling
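
As an added example (not cipherscan's own analysis code, and not from this thread's author), a small Python checker that parses the whitespace-separated cipherscan table posted in the first comment and rebuilds the three buckets shown in this comment. The weak-cipher markers and the modern-level rule are assumptions approximated from the analysis output in this thread, not cipherscan's actual policy file.

```python
# Constructed sample: six of the rows from the cipherscan table in the first comment above.
SAMPLE = """\
prio  ciphersuite      protocols              pubkey_size  signature_algorithm    trusted  ticket_hint  ocsp_staple  pfs_keysize
1     AES256-SHA       TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     7200         False
2     DES-CBC3-SHA     TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     7200         False
4     IDEA-CBC-SHA     TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     7200         False
6     RC4-MD5          TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     7200         False
7     DES-CBC-SHA      TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     7200         False
10    EXP-RC4-MD5      TLSv1,TLSv1.1,TLSv1.2  2048         sha1WithRSAEncryption  True     None         False        RSA,512bits
"""

# Substrings that mark a suite as broken, with the reason reported for each match (assumed list).
# "DES-CBC-" deliberately does not match the 3DES suite "DES-CBC3-SHA".
WEAK = [("EXP-", "export-grade"), ("RC4", "RC4"), ("IDEA", "IDEA"),
        ("-MD5", "MD5 MAC"), ("DES-CBC-", "56-bit DES")]

def parse_cipherscan(text):
    """One dict per table row, keyed by header name; pfs_keysize is absent on non-PFS rows."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    # zip() stops at the shorter sequence, so short rows simply lack the trailing key.
    return [dict(zip(header, line.split())) for line in lines[1:]]

def weak_reasons(suite):
    """Why a suite is unacceptable even at the intermediate level ([] if it is fine)."""
    return [why for mark, why in WEAK if mark in suite]

def analyze(rows):
    """Rebuild the 'bad / intermediate / modern' buckets cipherscan's analysis prints."""
    bad = ["remove cipher " + r["ciphersuite"] for r in rows if weak_reasons(r["ciphersuite"])]
    intermediate = list(bad)
    # Modern level, approximated from the analysis output in this thread (assumption): only
    # ECDHE suites with an AEAD mode survive, TLSv1 goes, and a SHA-256 certificate is required.
    modern = ["remove cipher " + r["ciphersuite"] for r in rows
              if not (r["ciphersuite"].startswith("ECDHE") and "GCM" in r["ciphersuite"])]
    if any("TLSv1" in r["protocols"].split(",") for r in rows):
        modern.append("disable TLSv1")
    if any(r["signature_algorithm"].startswith("sha1") for r in rows):
        intermediate.append("consider using a SHA-256 certificate")
        modern.append("use a SHA-256 certificate")
    if not any(r["ocsp_staple"] == "True" for r in rows):
        intermediate.append("consider enabling OCSP Stapling")
        modern.append("consider enabling OCSP Stapling")
    return {"bad": bad, "intermediate": intermediate, "modern": modern}

if __name__ == "__main__":
    for level, items in analyze(parse_cipherscan(SAMPLE)).items():
        print(level + ":", *items, sep="\n* ")
```

Run against the full table from the first comment it reports the same four "bad" suites and the same modern-level list as this comment.
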

sindarina commented 9 years ago

No change.

sso.emc.com:443 has bad ssl/tls

Things that are bad:
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC-SHA

Changes needed to match the intermediate level:
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC-SHA
* consider using a SHA-256 certificate
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher AES256-SHA
* remove cipher DES-CBC3-SHA
* remove cipher AES128-SHA
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC-SHA
* disable TLSv1
* use a SHA-256 certificate
* consider enabling OCSP Stapling

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change.

sso.emc.com:443 has bad ssl/tls

Things that are bad:
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC-SHA

Changes needed to match the intermediate level:
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC-SHA
* consider using a SHA-256 certificate
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher AES256-SHA
* remove cipher DES-CBC3-SHA
* remove cipher AES128-SHA
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC-SHA
* disable TLSv1
* use a SHA-256 certificate
* consider enabling OCSP Stapling

sindarina commented 9 years ago

Unlikely to change anytime soon, in part due to it being Akamai SSL. Closing as unresolved for now.