isvsecwatch / httpstracker

Our main issue tracker for ISV security issues, such as the SSL/TLS configuration of their online stores.

markmonitor.com - main website #14

Closed sindarina closed 9 years ago

sindarina commented 9 years ago

SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=markmonitor.com (B)

Cipherscan Results

Target: markmonitor.com:443

prio  ciphersuite             protocols  pfs_keysize
1     ECDHE-RSA-RC4-SHA       TLSv1      ECDH,P-256,256bits
2     RC4-SHA                 TLSv1
3     ECDHE-RSA-AES256-SHA    TLSv1      ECDH,P-256,256bits
4     AES256-SHA              TLSv1
5     CAMELLIA256-SHA         TLSv1
6     ECDHE-RSA-AES128-SHA    TLSv1      ECDH,P-256,256bits
7     ECDHE-RSA-DES-CBC3-SHA  TLSv1      ECDH,P-256,256bits
8     AES128-SHA              TLSv1
9     CAMELLIA128-SHA         TLSv1
10    DES-CBC3-SHA            TLSv1

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Server side cipher ordering

Cipherscan Results (Analysis)

markmonitor.com:443 has bad ssl/tls

Things that are bad:
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher RC4-SHA

Changes needed to match the intermediate level:
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher RC4-SHA
* remove cipher ECDHE-RSA-DES-CBC3-SHA
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* consider using a SHA-256 certificate
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher RC4-SHA
* remove cipher AES256-SHA
* remove cipher CAMELLIA256-SHA
* remove cipher ECDHE-RSA-DES-CBC3-SHA
* remove cipher AES128-SHA
* remove cipher CAMELLIA128-SHA
* remove cipher DES-CBC3-SHA
* disable TLSv1
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* use a SHA-256 certificate
* consider enabling OCSP Stapling

Verdict: For a company that claims to provide a 'hardened' portal for domain management and other brand-related tasks, this sure is disappointing. Smells like a textbook audited SSL setup, without a true understanding of the landscape, or active maintenance and evolution of the configuration over time.
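As an added example (not code from this tracker or from the Cipherscan project), the script below parses the cipherscan table quoted above and derives the same kind of findings the analysis block lists; the rules it applies (drop RC4, 3DES and non-PFS suites, want TLSv1.1/1.2, a SHA-256 certificate and OCSP stapling) are a simplified reading of that block, not the Mozilla level definitions it is scored against.

```python
import re

# Added example (not Cipherscan's own code): parse Cipherscan-style output and apply a
# simplified rendering of the checks in the 'Cipherscan Results (Analysis)' block above.
# Constructed sample: the markmonitor.com:443 scan quoted in the first comment.
SCAN = """\
prio  ciphersuite             protocols  pfs_keysize
1     ECDHE-RSA-RC4-SHA       TLSv1      ECDH,P-256,256bits
2     RC4-SHA                 TLSv1
3     ECDHE-RSA-AES256-SHA    TLSv1      ECDH,P-256,256bits
4     AES256-SHA              TLSv1
5     CAMELLIA256-SHA         TLSv1
6     ECDHE-RSA-AES128-SHA    TLSv1      ECDH,P-256,256bits
7     ECDHE-RSA-DES-CBC3-SHA  TLSv1      ECDH,P-256,256bits
8     AES128-SHA              TLSv1
9     CAMELLIA128-SHA         TLSv1
10    DES-CBC3-SHA            TLSv1
Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
OCSP stapling: not supported
"""

# One table row: prio, ciphersuite, protocols and an optional pfs_keysize column.
ROW = re.compile(r"^\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")

def parse_scan(text):
    # Returns ({ciphersuite: {"protocols", "pfs"}}, {lower-cased key: value}).
    ciphers, meta = {}, {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, protos, pfs = m.groups()
            ciphers[name] = {"protocols": set(protos.split(",")), "pfs": pfs}
        elif ":" in line:  # trailer lines such as 'Certificate: ...'
            key, _, value = line.partition(":")
            meta[key.strip().lower()] = value.strip()
    return ciphers, meta

def analyse(ciphers, meta):
    # Findings worded like the issue's analysis block.
    findings = []
    for name, info in ciphers.items():
        # RC4 is broken, 3DES has a 64-bit block, static-RSA suites lack forward secrecy.
        if "RC4" in name or "DES-CBC3" in name or info["pfs"] is None:
            findings.append(f"remove cipher {name}")
    offered = set().union(*(c["protocols"] for c in ciphers.values()))
    findings += [f"consider enabling {p}" for p in ("TLSv1.1", "TLSv1.2") if p not in offered]
    if "sha1" in meta.get("certificate", "").lower():
        findings.append("use a SHA-256 certificate")
    if meta.get("ocsp stapling", "").startswith("not"):
        findings.append("consider enabling OCSP Stapling")
    return findings
```

On the sample above the two ECDHE AES suites are the only ones kept, matching the eight "remove cipher" lines in the modern-level list of the analysis block.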

sindarina commented 9 years ago

Originally tagged on Twitter on January 31st; https://twitter.com/sindarina/status/561563529908854784

sindarina commented 9 years ago

No change.

markmonitor.com:443 has bad ssl/tls

Things that are bad:
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher RC4-SHA

Changes needed to match the intermediate level:
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher RC4-SHA
* remove cipher ECDHE-RSA-DES-CBC3-SHA
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* consider using a SHA-256 certificate
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher RC4-SHA
* remove cipher AES256-SHA
* remove cipher CAMELLIA256-SHA
* remove cipher ECDHE-RSA-DES-CBC3-SHA
* remove cipher AES128-SHA
* remove cipher CAMELLIA128-SHA
* remove cipher DES-CBC3-SHA
* disable TLSv1
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* use a SHA-256 certificate
* consider enabling OCSP Stapling

sindarina commented 9 years ago

Ohhh, lookie, they fixed it;

markmonitor.com:443 has intermediate ssl/tls

Changes needed to match the intermediate level:
* consider using a SHA-256 certificate
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher AES128-GCM-SHA256
* remove cipher AES256-GCM-SHA384
* remove cipher AES128-SHA256
* remove cipher AES256-SHA256
* remove cipher AES128-SHA
* remove cipher AES256-SHA
* remove cipher DHE-RSA-CAMELLIA256-SHA
* remove cipher CAMELLIA256-SHA
* remove cipher DHE-RSA-CAMELLIA128-SHA
* remove cipher CAMELLIA128-SHA
* remove cipher DES-CBC3-SHA
* disable TLSv1
* use a SHA-256 certificate
* consider enabling OCSP Stapling

Bit more room for improvement, such as replacing the SHA1 certificate, but this is quite acceptable.