search

isvsecwatch / httpstracker

Our main issue tracker for ISV security issues, such as the SSL/TLS configuration of their online stores.
3 stars 0 forks source link

developer.intuit.com - documentation site with login #33

Closed sindarina closed 8 years ago

sindarina commented 9 years ago

SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=developer.intuit.com (F)

Cipherscan Results

Target: developer.intuit.com:443

prio  ciphersuite    protocols      pfs_keysize
1     RC4-SHA        TLSv1,TLSv1.2
2     AES128-SHA     TLSv1,TLSv1.2
3     AES256-SHA     TLSv1,TLSv1.2
4     DES-CBC3-SHA   TLSv1,TLSv1.2
5     AES128-SHA256  TLSv1.2
6     AES256-SHA256  TLSv1.2

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Server side cipher ordering

Cipherscan Analysis

developer.intuit.com:443 has bad ssl/tls

Things that are bad:
* remove cipher RC4-SHA

Changes needed to match the intermediate level:
* remove cipher RC4-SHA
* consider enabling TLSv1.1
* consider using a SHA-256 certificate
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher RC4-SHA
* remove cipher AES128-SHA
* remove cipher AES256-SHA
* remove cipher DES-CBC3-SHA
* remove cipher AES128-SHA256
* remove cipher AES256-SHA256
* disable TLSv1
* consider enabling TLSv1.1
* use a SHA-256 certificate
* consider enabling OCSP Stapling
sindarina commented 9 years ago

Notified via email: nadmin@intuit.com (WHOIS), security@intuit.com

sindarina commented 9 years ago

Google Chrome marks the SHA1 certificate as insecure, since it is valid beyond 2016.

Google Chrome warning about SHA1 certificate

sindarina commented 9 years ago

Linking this to #34, because the logins on this one seem to be handled with that.

sindarina commented 9 years ago

Issue #35 also needs to be reviewed.

sindarina commented 9 years ago

The documentation on this site refers to #36, which could also use a bit of tuning.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

Picked up by one of Intuit's Twitter accounts; https://twitter.com/QBCares/status/599318706083201024

sindarina commented 9 years ago

Followed up on Twitter; https://twitter.com/isvsecwatch/status/601389913922281472

sindarina commented 9 years ago

They wanted to know if this has been submitted on their 'Live Forum'; https://twitter.com/IntuitDev/status/601394212324515840

No link provided, most likely on the site this ticket is about, most likely requires registration to submit anything. That's not out-of-band, people :)

sindarina commented 9 years ago

Is there no one at Intuit who actually understands modern transport encryption? It went from bad to a different kind of bad with some bad fixed; it's RC4 ONLY now.

Target: developer.intuit.com:443

prio  ciphersuite  protocols      pfs_keysize
1     RC4-SHA      TLSv1,TLSv1.2

Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Server side cipher ordering
sindarina commented 9 years ago

Apparently they have reverted to the previous configuration, putting them back at a big red 'F'.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

A new RC4 attack, NOMORE, was released today; http://www.rc4nomore.com/

Please update your systems.

sindarina commented 9 years ago

No change.

isvsecwatch-report commented 9 years ago

Still no change, not even cipher order optimisation.

isvsecwatch-report commented 8 years ago

No change.

isvsecwatch-report commented 8 years ago

Poked on Twitter; https://twitter.com/isvsecwatch/status/653142048514658304

isvsecwatch-report commented 8 years ago

Updated at last, now scores a 'B' on the SSL Server Test; https://www.ssllabs.com/ssltest/analyze.html?d=developer.intuit.com (B)

Same cipher ordering problem as #35 and #36, however.

isvsecwatch-report commented 8 years ago

Once again lacks ECDHE;

Target: developer.intuit.com:443

prio  ciphersuite    protocols      pfs
1     AES128-SHA     TLSv1,TLSv1.2  None  None
2     AES256-SHA     TLSv1,TLSv1.2  None  None
3     DES-CBC3-SHA   TLSv1,TLSv1.2  None  None
4     AES128-SHA256  TLSv1.2        None  None
5     AES256-SHA256  TLSv1.2        None  None

Certificate: trusted, 2048 bits, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: none - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes

And is vulnerable to TLS POODLE, again.

isvsecwatch-report commented 8 years ago

Apparently they have finally found a configuration that works with their load balancers, because they're not scoring an 'A-' on the SSL Server Test. Good enough for now, closing ticket.