Closed: sindarina closed this 8 years ago
Notified via email: nadmin@intuit.com (WHOIS), security@intuit.com
Google Chrome marks the SHA1 certificate as insecure, since it is valid beyond 2016.
Linking this to #34, because the logins on this one seem to be handled with that.
Issue #35 also needs to be reviewed.
The documentation on this site refers to #36, which could also use a bit of tuning.
No change.
Picked up by one of Intuit's Twitter accounts; https://twitter.com/QBCares/status/599318706083201024
Followed up on Twitter; https://twitter.com/isvsecwatch/status/601389913922281472
They wanted to know if this has been submitted on their 'Live Forum'; https://twitter.com/IntuitDev/status/601394212324515840
No link provided, most likely on the site this ticket is about, most likely requires registration to submit anything. That's not out-of-band, people :)
Is there no one at Intuit who actually understands modern transport encryption? It went from bad to a different kind of bad with some bad fixed; it's RC4 ONLY now.
Target: developer.intuit.com:443
prio ciphersuite protocols pfs_keysize
1 RC4-SHA TLSv1,TLSv1.2
Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Server side cipher ordering
Apparently they have reverted to the previous configuration, putting them back at a big red 'F'.
No change.
A new RC4 attack, NOMORE, was released today; http://www.rc4nomore.com/
Please update your systems.
No change.
Still no change, not even cipher order optimisation.
No change.
Poked on Twitter; https://twitter.com/isvsecwatch/status/653142048514658304
Updated at last, now scores a 'B' on the SSL Server Test; https://www.ssllabs.com/ssltest/analyze.html?d=developer.intuit.com (B)
Same cipher ordering problem as #35 and #36, however.
Once again lacks ECDHE;
Target: developer.intuit.com:443
prio ciphersuite protocols pfs
1 AES128-SHA TLSv1,TLSv1.2 None None
2 AES256-SHA TLSv1,TLSv1.2 None None
3 DES-CBC3-SHA TLSv1,TLSv1.2 None None
4 AES128-SHA256 TLSv1.2 None None
5 AES256-SHA256 TLSv1.2 None None
Certificate: trusted, 2048 bits, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: none - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes
And is vulnerable to TLS POODLE, again.
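An added check, not part of this ticket or of cipherscan itself, that grades a cipherscan-style suite listing like the one above for the problems raised in this thread (RC4, no ECDHE/DHE, 3DES, ECDHE not preferred, client-side ordering). The two sample reports are transcribed from this thread; the finding strings are my own naming.

```python
"""Grade a cipherscan-style report for the weaknesses discussed in this ticket."""
import re

# Constructed samples, transcribed from the two scans posted in this thread.
SCAN_RC4_ONLY = """\
Target: developer.intuit.com:443
prio ciphersuite protocols pfs_keysize
1 RC4-SHA TLSv1,TLSv1.2
Server side cipher ordering
"""

SCAN_NO_PFS = """\
Target: developer.intuit.com:443
prio ciphersuite protocols pfs
1 AES128-SHA TLSv1,TLSv1.2 None None
2 AES256-SHA TLSv1,TLSv1.2 None None
3 DES-CBC3-SHA TLSv1,TLSv1.2 None None
4 AES128-SHA256 TLSv1.2 None None
5 AES256-SHA256 TLSv1.2 None None
Cipher ordering: server
"""

def parse_suites(report):
    """Return (priority, ciphersuite, [protocols]) for each suite row."""
    rows = []
    for line in report.splitlines():
        m = re.match(r"^(\d+)\s+(\S+)\s+(\S+)", line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3).split(",")))
    return rows

def grade(report):
    """Return the list of findings, in the order the ticket raised them."""
    suites = parse_suites(report)
    names = [name for _, name, _ in suites]  # already in server priority order
    findings = []
    if names and all("RC4" in n for n in names):
        findings.append("RC4 only")
    elif any("RC4" in n for n in names):
        findings.append("RC4 offered")
    pfs = [n for n in names if n.startswith(("ECDHE-", "DHE-"))]
    if not pfs:
        findings.append("no forward secrecy (no ECDHE/DHE suites)")
    if any("DES-CBC3" in n for n in names):
        findings.append("3DES offered")
    if pfs and not names[0].startswith("ECDHE-"):
        findings.append("ECDHE suites offered but not preferred")
    if any("SSLv3" in protos for _, _, protos in suites):
        findings.append("SSLv3 enabled")
    if "Cipher ordering: server" not in report and "Server side cipher ordering" not in report:
        findings.append("client cipher ordering")
    return findings
```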
Apparently they have finally found a configuration that works with their load balancers, because they're now scoring an 'A-' on the SSL Server Test. Good enough for now, closing ticket.
SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=developer.intuit.com (F)
Cipherscan Results
Cipherscan Analysis