isvsecwatch / httpstracker

Our main issue tracker for ISV security issues, such as the SSL/TLS configuration of their online stores.

api.intuit.com - backend api #35

Closed sindarina closed 7 years ago

sindarina commented 9 years ago

SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=api.intuit.com (B)

Cipherscan Results

Target: api.intuit.com:443

prio  ciphersuite    protocols      pfs_keysize
1     RC4-SHA        TLSv1,TLSv1.2
2     AES128-SHA     TLSv1,TLSv1.2
3     AES256-SHA     TLSv1,TLSv1.2
4     DES-CBC3-SHA   TLSv1,TLSv1.2
5     AES128-SHA256  TLSv1.2
6     AES256-SHA256  TLSv1.2

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Server side cipher ordering

Cipherscan Analysis

api.intuit.com:443 has bad ssl/tls

Things that are bad:
* remove cipher RC4-SHA

Changes needed to match the intermediate level:
* remove cipher RC4-SHA
* consider enabling TLSv1.1
* consider using a SHA-256 certificate
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher RC4-SHA
* remove cipher AES128-SHA
* remove cipher AES256-SHA
* remove cipher DES-CBC3-SHA
* remove cipher AES128-SHA256
* remove cipher AES256-SHA256
* disable TLSv1
* consider enabling TLSv1.1
* use a SHA-256 certificate
* consider enabling OCSP Stapling

sindarina commented 9 years ago

Linking this to #33 and #34, as vendor has already been notified for that.

sindarina commented 9 years ago

Possibly related to #36.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

Due to today's SSL Server Test changes, this now caps at 'C'; https://www.ssllabs.com/ssltest/analyze.html?d=api.intuit.com

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

A new RC4 attack, NOMORE, was released today; http://www.rc4nomore.com/

Please update your systems.

sindarina commented 9 years ago

Same change, and same problems as #36.

isvsecwatch-report commented 9 years ago

No change.

isvsecwatch-report commented 8 years ago

Still unchanged.

isvsecwatch-report commented 8 years ago

Unlikely to have changed, see #33.

isvsecwatch-report commented 8 years ago

They dropped RC4, at last;

Target: api.intuit.com:443

prio  ciphersuite              protocols              pfs                 curves
1     AES256-SHA256            TLSv1.2                None                None
2     AES256-SHA               TLSv1,TLSv1.1,TLSv1.2  None                None
3     AES128-SHA256            TLSv1.2                None                None
4     AES128-SHA               TLSv1,TLSv1.1,TLSv1.2  None                None
5     DES-CBC3-SHA             TLSv1,TLSv1.1,TLSv1.2  None                None
6     ECDHE-RSA-AES256-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
7     ECDHE-RSA-AES256-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
8     ECDHE-RSA-AES128-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
9     ECDHE-RSA-AES128-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
10    ECDHE-RSA-DES-CBC3-SHA   TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1

Certificate: trusted, 2048 bits, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes

Apparently no other changes.

isvsecwatch-report commented 8 years ago

Removed the SHA1 certificate, but still not fixed in terms of cipher ordering.
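As an added example (not part of this tracker, nor of cipherscan itself), a small Python checker that parses the cipherscan table from the scan above and reproduces two of the thread's findings: weak suites still to remove (3DES), and the cipher-ordering problem just noted, i.e. the server preferring its non-PFS suites ahead of every ECDHE suite. The table is copied verbatim from the second scan in this issue; the check names and thresholds are this example's own.

```python
# Cipherscan table copied from the second scan in this issue (api.intuit.com, after RC4 was dropped).
SCAN = """\
prio  ciphersuite              protocols              pfs                 curves
1     AES256-SHA256            TLSv1.2                None                None
2     AES256-SHA               TLSv1,TLSv1.1,TLSv1.2  None                None
3     AES128-SHA256            TLSv1.2                None                None
4     AES128-SHA               TLSv1,TLSv1.1,TLSv1.2  None                None
5     DES-CBC3-SHA             TLSv1,TLSv1.1,TLSv1.2  None                None
6     ECDHE-RSA-AES256-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
7     ECDHE-RSA-AES256-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
8     ECDHE-RSA-AES128-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
9     ECDHE-RSA-AES128-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
10    ECDHE-RSA-DES-CBC3-SHA   TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
"""

# Substrings that mark a suite as one the thread's analysis says to remove (example's own list).
WEAK = ("RC4", "DES-CBC3", "MD5", "NULL", "EXPORT")


def parse_cipherscan(text):
    """Return (prio, suite, protocols, has_pfs) tuples from a cipherscan table."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        cols = line.split()
        if len(cols) < 4 or not cols[0].isdigit():
            continue                            # skip blank or trailing lines
        # the pfs column is the literal "None" when the suite has no key exchange with PFS
        rows.append((int(cols[0]), cols[1], cols[2].split(","), cols[3] != "None"))
    return rows


def analyse(rows):
    """Apply the weak-suite and ordering checks; returns human-readable findings."""
    findings = [f"remove cipher {suite}" for _, suite, _, _ in rows
                if any(w in suite for w in WEAK)]
    if any("TLSv1" in protos for _, _, protos, _ in rows):
        findings.append("disable TLSv1")
    # Server-side ordering: with prio 1 being the server's favourite, every non-PFS
    # suite ranked above the first PFS suite will win against a client offering both.
    first_pfs = next((prio for prio, _, _, pfs in rows if pfs), None)
    if first_pfs is not None:
        findings += [f"non-PFS cipher {suite} is preferred over the ECDHE suites"
                     for prio, suite, _, pfs in rows if not pfs and prio < first_pfs]
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_cipherscan(SCAN)):
        print(finding)
```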

isvsecwatch-report commented 8 years ago

No change.

isvsecwatch-report commented 8 years ago

No change.