isvsecwatch / httpstracker

Our main issue tracker for ISV security issues, such as the SSL/TLS configuration of their online stores.

orders.codetwo.com - store site for software vendor #18

Closed sindarina closed 9 years ago

sindarina commented 9 years ago

SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=orders.codetwo.com (F)

Cipherscan Results

Target: orders.codetwo.com:443

prio  ciphersuite           protocols          pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
1     AES128-SHA            TLSv1              2048         sha256WithRSAEncryption  True     None         True
2     AES256-SHA            TLSv1              2048         sha256WithRSAEncryption  True     None         True
3     RC4-SHA               SSLv3,TLSv1        2048         sha256WithRSAEncryption  True     None         True
4     DES-CBC3-SHA          SSLv3,TLSv1        2048         sha256WithRSAEncryption  True     None         True
5     ECDHE-RSA-AES128-SHA  TLSv1              2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
6     ECDHE-RSA-AES256-SHA  TLSv1              2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
7     RC4-MD5               SSLv2,SSLv3,TLSv1  2048         sha256WithRSAEncryption  True     None         True
8     DES-CBC3-MD5          SSLv2              2048         sha256WithRSAEncryption  False    None         False

OCSP stapling: supported
Server side cipher ordering

Cipherscan Results (Analysis)

orders.codetwo.com:443 has bad ssl/tls

Things that are bad:
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC3-MD5
* disable SSLv2

Changes needed to match the intermediate level:
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC3-MD5
* disable SSLv3
* disable SSLv2
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher AES128-SHA
* remove cipher AES256-SHA
* remove cipher RC4-SHA
* remove cipher DES-CBC3-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC3-MD5
* disable TLSv1
* disable SSLv3
* disable SSLv2
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* consider enabling OCSP Stapling

Verdict

Another IIS with default settings, which means even SSLv2 is on. This was reported privately at the start of this year, acknowledged, but there has been no change. Why are Windows ISVs so often bad at this?
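The tiered findings above (bad, intermediate, modern) can be reproduced from a Cipherscan table like the ones pasted in this thread. The following Python is an added example, not Cipherscan's own analysis code; the rules are inferred from the findings shown in this issue, and the input table is a constructed sample in the same layout.

```python
# Constructed sample rows in the cipherscan table layout used in this thread;
# typed here as example input, not taken from a live scan.
SCAN = """\
prio  ciphersuite           protocols          pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
1     AES128-SHA            TLSv1              2048         sha256WithRSAEncryption  True     None         True
2     RC4-SHA               SSLv3,TLSv1        2048         sha256WithRSAEncryption  True     None         True
3     ECDHE-RSA-AES128-SHA  TLSv1              2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
4     RC4-MD5               SSLv2,SSLv3,TLSv1  2048         sha256WithRSAEncryption  True     None         True
5     DES-CBC3-MD5          SSLv2              2048         sha256WithRSAEncryption  False    None         False
"""


def parse_cipherscan(text):
    """Return one dict per ciphersuite row, keyed by the header column names."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        # pfs_keysize is absent for non-ECDHE rows; zip() simply stops early.
        row = dict(zip(header, line.split()))
        row["protocols"] = set(row["protocols"].split(","))
        row["trusted"] = row["trusted"] == "True"
        rows.append(row)
    return rows


def analyse(rows):
    """Build the three tiers of findings the thread's analysis reports, plus a level."""
    suites = [r["ciphersuite"] for r in rows]
    protos = set().union(*(r["protocols"] for r in rows))
    weak = [s for s in suites if "RC4" in s or s.endswith("MD5")]
    # "Things that are bad": RC4/MD5 suites, SSLv2, untrusted certificate.
    bad = [f"remove cipher {s}" for s in weak]
    if "SSLv2" in protos:
        bad.append("disable SSLv2")
    if not all(r["trusted"] for r in rows):
        bad.append("don't use an untrusted or self-signed certificate")
    # Intermediate: additionally no SSLv3, and TLS 1.1/1.2 should be offered.
    inter = [f"remove cipher {s}" for s in weak]
    inter += [f"disable {p}" for p in ("SSLv3", "SSLv2") if p in protos]
    inter += [f"consider enabling {p}" for p in ("TLSv1.1", "TLSv1.2") if p not in protos]
    # Modern: forward-secret (ECDHE) suites only, no 3DES, and TLSv1 off.
    modern = [f"remove cipher {s}" for s in suites
              if not s.startswith("ECDHE") or "DES-CBC3" in s]
    modern += [f"disable {p}" for p in ("TLSv1", "SSLv3", "SSLv2") if p in protos]
    modern += [f"consider enabling {p}" for p in ("TLSv1.1", "TLSv1.2") if p not in protos]
    level = ("bad" if bad else "modern" if not modern
             else "intermediate" if not inter else "below intermediate")
    return {"level": level, "bad": bad, "intermediate": inter, "modern": modern}


if __name__ == "__main__":
    for tier, findings in analyse(parse_cipherscan(SCAN)).items():
        print(tier, findings)
```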

sindarina commented 9 years ago

Originally reported by potential customer on January 6th. Acknowledged, passed on to the 'web developer team', but no change. Reminded several times in the weeks after the original report, order cancelled because no action.

sindarina commented 9 years ago

Notified 'info@codetwo.com' (WHOIS contact) and 'security@codetwo.com'. The latter bounced.

sindarina commented 9 years ago

No response, no change.

orders.codetwo.com:443 has bad ssl/tls

Things that are bad:
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC3-MD5
* disable SSLv2
* don't use an untrusted or self-signed certificate

Changes needed to match the intermediate level:
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC3-MD5
* disable SSLv3
* disable SSLv2
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher AES128-SHA
* remove cipher AES256-SHA
* remove cipher RC4-SHA
* remove cipher DES-CBC3-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC3-MD5
* disable TLSv1
* disable SSLv3
* disable SSLv2
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* consider enabling OCSP Stapling

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change. Wonder if they'll update for the IIS vulnerability on time?

orders.codetwo.com:443 has bad ssl/tls

Things that are bad:
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC3-MD5
* disable SSLv2
* don't use an untrusted or self-signed certificate

Changes needed to match the intermediate level:
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC3-MD5
* disable SSLv3
* disable SSLv2
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher AES128-SHA
* remove cipher AES256-SHA
* remove cipher RC4-SHA
* remove cipher DES-CBC3-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC3-MD5
* disable TLSv1
* disable SSLv3
* disable SSLv2
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* consider enabling OCSP Stapling

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change. Poked on Twitter: https://twitter.com/isvsecwatch/status/595640445587333121

sindarina commented 9 years ago

It looks like they disabled RC4 without fixing anything else:

Cipherscan Results

Target: orders.codetwo.com:443

prio  ciphersuite           protocols    pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
1     AES128-SHA            TLSv1        2048         sha256WithRSAEncryption  True     None         True
2     AES256-SHA            TLSv1        2048         sha256WithRSAEncryption  True     None         True
3     DES-CBC3-SHA          SSLv3,TLSv1  2048         sha256WithRSAEncryption  True     None         True
4     ECDHE-RSA-AES128-SHA  TLSv1        2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
5     ECDHE-RSA-AES256-SHA  TLSv1        2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
6     DES-CBC3-MD5          SSLv2        2048         sha256WithRSAEncryption  False    None         False

OCSP stapling: supported
Server side cipher ordering

Cipherscan Analysis

orders.codetwo.com:443 has bad ssl/tls

Things that are bad:
* remove cipher DES-CBC3-MD5
* disable SSLv2
* don't use an untrusted or self-signed certificate

Changes needed to match the intermediate level:
* remove cipher DES-CBC3-MD5
* disable SSLv3
* disable SSLv2
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher AES128-SHA
* remove cipher AES256-SHA
* remove cipher DES-CBC3-SHA
* remove cipher DES-CBC3-MD5
* disable TLSv1
* disable SSLv3
* disable SSLv2
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* consider enabling OCSP Stapling

sindarina commented 9 years ago

It looks like they finally updated the configuration, and now get an 'A' on the SSL Server Test: https://www.ssllabs.com/ssltest/analyze.html?d=orders.codetwo.com

Cipherscan Results

Target: orders.codetwo.com:443

prio  ciphersuite              protocols              pfs_keysize
1     ECDHE-RSA-AES256-SHA384  TLSv1.2                ECDH,P-521,521bits
2     ECDHE-RSA-AES256-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-521,521bits
3     ECDHE-RSA-AES128-SHA256  TLSv1.2                ECDH,P-521,521bits
4     ECDHE-RSA-AES128-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-521,521bits
5     AES256-SHA256            TLSv1.2
6     AES256-SHA               TLSv1,TLSv1.1,TLSv1.2
7     AES128-SHA256            TLSv1.2
8     AES128-SHA               TLSv1,TLSv1.1,TLSv1.2
9     DES-CBC3-SHA             TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: supported
Server side cipher ordering

Cipherscan Analysis

orders.codetwo.com:443 has intermediate with bad ordering ssl/tls

Changes needed to match the intermediate level:
* increase priority of ECDHE-RSA-AES128-SHA256 over ECDHE-RSA-AES256-SHA
* increase priority of AES128-SHA256 over AES256-SHA
* fix ciphersuite ordering, use recommended intermediate ciphersuite

Changes needed to match the modern level:
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher DES-CBC3-SHA
* disable TLSv1

Cipher ordering is sufficient. Closing ticket.