search

isvsecwatch / httpstracker

Our main issue tracker for ISV security issues, such as the SSL/TLS configuration of their online stores.
3 stars 0 forks source link

financialdatafeed.platform.intuit.com - api backend #36

Closed sindarina closed 7 years ago

sindarina commented 9 years ago

SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=financialdatafeed.platform.intuit.com (B)

Cipherscan Results

Target: financialdatafeed.platform.intuit.com:443

prio  ciphersuite    protocols            pfs_keysize
1     RC4-SHA        SSLv3,TLSv1,TLSv1.2
2     AES128-SHA     SSLv3,TLSv1,TLSv1.2
3     AES256-SHA     SSLv3,TLSv1,TLSv1.2
4     DES-CBC3-SHA   SSLv3,TLSv1,TLSv1.2
5     AES128-SHA256  TLSv1.2
6     AES256-SHA256  TLSv1.2

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Server side cipher ordering

Cipherscan Analysis

financialdatafeed.platform.intuit.com:443 has bad ssl/tls

Things that are bad:
* remove cipher RC4-SHA

Changes needed to match the intermediate level:
* remove cipher RC4-SHA
* disable SSLv3
* consider enabling TLSv1.1
* consider using a SHA-256 certificate
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher RC4-SHA
* remove cipher AES128-SHA
* remove cipher AES256-SHA
* remove cipher DES-CBC3-SHA
* remove cipher AES128-SHA256
* remove cipher AES256-SHA256
* disable TLSv1
* disable SSLv3
* consider enabling TLSv1.1
* use a SHA-256 certificate
* consider enabling OCSP Stapling
sindarina commented 9 years ago

Since this is an API applications talk to for financial data, it could really use some tuning, especially where ECDHE ciphers and Forward Secrecy is concerned.

Linking to #33, which refers to this site, as well as #34 and #35, since they should all be up for review.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

Due to today's SSL Server Test changes, this now caps at 'C'; https://www.ssllabs.com/ssltest/analyze.html?d=financialdatafeed.platform.intuit.com

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

A new RC4 attack, NOMORE, was released today; http://www.rc4nomore.com/

Please update your systems.

sindarina commented 9 years ago

Looks like they updated it some, but not necessarily in a good way;

Target: financialdatafeed.platform.intuit.com:443

prio  ciphersuite              protocols              pfs_keysize
1     AES256-SHA256            TLSv1.2
2     AES256-SHA               TLSv1,TLSv1.1,TLSv1.2
3     AES128-SHA256            TLSv1.2
4     AES128-SHA               TLSv1,TLSv1.1,TLSv1.2
5     DES-CBC3-SHA             TLSv1,TLSv1.1,TLSv1.2
6     RC4-SHA                  TLSv1,TLSv1.1,TLSv1.2
7     ECDHE-RSA-AES256-SHA384  TLSv1.2                ECDH,P-256,256bits
8     ECDHE-RSA-AES256-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
9     ECDHE-RSA-AES128-SHA256  TLSv1.2                ECDH,P-256,256bits
10    ECDHE-RSA-AES128-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
11    ECDHE-RSA-DES-CBC3-SHA   TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Server side cipher ordering

SSLv3 disabled, but still with a SHA1 certificate, RC4 active, and bad cipher ordering that disables the use of the ECDHE ciphers that are available.

isvsecwatch-report commented 9 years ago

No change.

isvsecwatch-report commented 9 years ago

No change, still flawed in terms of cipher selection and ordering.

isvsecwatch-report commented 9 years ago

Unlikely to have changed, see #33.

isvsecwatch-report commented 8 years ago

No change;

Target: financialdatafeed.platform.intuit.com:443

prio  ciphersuite              protocols              pfs                 curves
1     AES256-SHA256            TLSv1.2                None                None
2     AES256-SHA               TLSv1,TLSv1.1,TLSv1.2  None                None
3     AES128-SHA256            TLSv1.2                None                None
4     AES128-SHA               TLSv1,TLSv1.1,TLSv1.2  None                None
5     DES-CBC3-SHA             TLSv1,TLSv1.1,TLSv1.2  None                None
6     RC4-SHA                  TLSv1,TLSv1.1,TLSv1.2  None                None
7     ECDHE-RSA-AES256-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
8     ECDHE-RSA-AES256-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
9     ECDHE-RSA-AES128-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
10    ECDHE-RSA-AES128-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
11    ECDHE-RSA-DES-CBC3-SHA   TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1

Certificate: trusted, 2048 bits, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: server - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes
isvsecwatch-report commented 8 years ago

Updated some, but still not fixed.

isvsecwatch-report commented 8 years ago

No change.

isvsecwatch-report commented 8 years ago

No change.