isvsecwatch / httpstracker

Our main issue tracker for ISV security issues, such as the SSL/TLS configuration of their online stores.

affinity.serif.com - product website #39

Closed sindarina closed 9 years ago

sindarina commented 9 years ago

SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=affinity.serif.com (C)

Cipherscan Results

Target: affinity.serif.com:443

prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
2     ECDHE-RSA-AES128-SHA256      TLSv1.2                      ECDH,P-256,256bits
3     ECDHE-RSA-AES128-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
4     DHE-RSA-AES128-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
5     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                      ECDH,P-256,256bits
6     ECDHE-RSA-AES256-SHA384      TLSv1.2                      ECDH,P-256,256bits
7     ECDHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
8     AES128-GCM-SHA256            TLSv1.2
9     AES128-SHA256                TLSv1.2
10    AES128-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
11    AES256-GCM-SHA384            TLSv1.2
12    AES256-SHA256                TLSv1.2
13    AES256-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
14    ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
15    RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Server side cipher ordering

Cipherscan Analysis

affinity.serif.com:443 has bad ssl/tls

Things that are bad:
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher RC4-SHA

Changes needed to match the intermediate level:
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher RC4-SHA
* disable SSLv3
* consider using a SHA-256 certificate
* consider using DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher AES128-GCM-SHA256
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher AES256-GCM-SHA384
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* remove cipher ECDHE-RSA-RC4-SHA
* remove cipher RC4-SHA
* disable TLSv1
* disable SSLv3
* use a SHA-256 certificate
* use DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling

sindarina commented 9 years ago

Notified via email: domains@serif.com (WHOIS)

sindarina commented 9 years ago

Tagged on Twitter: https://twitter.com/isvsecwatch/status/594507166645624832

sindarina commented 9 years ago

Major issues fixed; https://twitter.com/MacAffinity/status/595610089492451328

Cipherscan Results

Target: affinity.serif.com:443

prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits
2     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits
3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
4     DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
5     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits
6     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits
7     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
8     AES128-GCM-SHA256            TLSv1.2
9     AES128-SHA256                TLSv1.2
10    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2
11    AES256-GCM-SHA384            TLSv1.2
12    AES256-SHA256                TLSv1.2
13    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2
14    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Server side cipher ordering

Cipherscan Analysis

affinity.serif.com:443 has intermediate with bad ordering ssl/tls

Changes needed to match the intermediate level:
* consider using DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* increase priority of ECDHE-RSA-AES256-GCM-SHA384 over DHE-RSA-AES128-SHA
* increase priority of AES256-GCM-SHA384 over AES128-SHA
* fix ciphersuite ordering, use recommended intermediate ciphersuite

Changes needed to match the modern level:
* remove cipher AES128-GCM-SHA256
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher AES256-GCM-SHA384
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* remove cipher DES-CBC3-SHA
* disable TLSv1
* use DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling

sindarina commented 9 years ago

New certificate deployed, chain issue solved; https://twitter.com/MacAffinity/status/595874701882368002

sindarina commented 9 years ago

Because the DH issue is still unresolved, but not a big problem, I am closing this as unresolved for later review.

sindarina commented 9 years ago

In light of the details of the Logjam attack (https://weakdh.org/), we are upgrading 1024-bit DH keys to a red level issue that should be resolved, as that key size puts it within reach of state-level adversaries and is no longer considered safe.

See https://github.com/isvsecwatch/httpstracker#a-note-on-dhdhe for details.
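
Added example, not part of the original thread or of the isvsecwatch or Cipherscan tooling: a Python check that parses Cipherscan result rows and flags the three issues tracked in this thread (RC4 suites, SSLv3, and DH parameters under 2048 bits). The sample rows are a subset copied from the first scan above; the function names and the mapping of findings to the labels "bad", "intermediate" and "red" are assumptions of this example.

```python
import re

# Subset of rows from the first Cipherscan result in this issue.
SAMPLE = """\
prio  ciphersuite                  protocols                    pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                      ECDH,P-256,256bits
4     DHE-RSA-AES128-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
8     AES128-GCM-SHA256            TLSv1.2
14    ECDHE-RSA-RC4-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
15    RC4-SHA                      SSLv3,TLSv1,TLSv1.1,TLSv1.2
"""

MIN_DH_BITS = 2048  # "DHE of at least 2048bits" in the Cipherscan analysis


def parse_rows(text):
    """Yield (prio, suite, protocols, kx, bits); kx and bits are None without PFS."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # header, blank line or summary text
        kx, bits = None, None
        if len(fields) > 3:  # pfs_keysize column, e.g. "DH,1024bits"
            parts = fields[3].split(",")
            kx = parts[0]
            m = re.fullmatch(r"(\d+)bits", parts[-1])
            bits = int(m.group(1)) if m else None
        yield int(fields[0]), fields[1], fields[2].split(","), kx, bits


def findings(text):
    """Return sorted (label, message) tuples for the issues tracked in this thread."""
    out = set()
    for _prio, suite, protocols, kx, bits in parse_rows(text):
        # Finite-field DH only; the 256-bit ECDH rows are a different key type.
        if kx == "DH" and bits is not None and bits < MIN_DH_BITS:
            out.add(("red", f"{suite}: {bits}-bit DH parameters"))
        if "RC4" in suite.split("-"):
            out.add(("bad", f"{suite}: RC4 cipher"))
        if "SSLv3" in protocols:
            out.add(("intermediate", "SSLv3 enabled"))
    return sorted(out)


if __name__ == "__main__":
    for label, message in findings(SAMPLE):
        print(f"[{label}] {message}")
```
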

sindarina commented 9 years ago

Due to recent changes in the SSL Server Test, this now caps at 'B'; https://www.ssllabs.com/ssltest/analyze.html?d=affinity.serif.com

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

Still has a 1024-bit DH key.

sindarina commented 9 years ago

Poked on Twitter; https://twitter.com/isvsecwatch/status/621359926615666688

sindarina commented 9 years ago

Still some cipher ordering issues flagged, but they are minor;

affinity.serif.com:443 has intermediate with bad ordering ssl/tls

Changes needed to match the intermediate level:
* consider enabling OCSP Stapling
* increase priority of ECDHE-RSA-AES256-GCM-SHA384 over ECDHE-RSA-AES128-SHA
* increase priority of AES256-GCM-SHA384 over AES128-SHA
* fix ciphersuite ordering, use recommended intermediate ciphersuite

Changes needed to match the modern level:
* remove cipher AES128-GCM-SHA256
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher AES256-GCM-SHA384
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* remove cipher DES-CBC3-SHA
* disable TLSv1
* consider enabling OCSP Stapling

Closing as resolved.