isvsecwatch / httpstracker

Our main issue tracker for ISV security issues, such as the SSL/TLS configuration of their online stores.

paysolution.directpos.de - payment gateway service #4

Closed sindarina closed 9 years ago

sindarina commented 9 years ago

SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=paysolution.directpos.de

Cipherscan Results

Target: paysolution.directpos.de:443

prio  ciphersuite    protocols                    pfs_keysize
1     RC4-SHA        SSLv3,TLSv1,TLSv1.1,TLSv1.2
2     AES128-SHA     SSLv3,TLSv1,TLSv1.1,TLSv1.2
3     AES256-SHA     SSLv3,TLSv1,TLSv1.1,TLSv1.2
4     DES-CBC3-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2
5     AES128-SHA256  TLSv1.2
6     AES256-SHA256  TLSv1.2

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Server side cipher ordering

Verdict SSLv3 still on, RC4 preferred, even though the server supports TLSv1.2. Looks, sounds and smells like something that needs some serious maintenance to get up-to-date, especially considering that this is a payment processing service that is usually used in the background, without direct interaction with customers.

sindarina commented 9 years ago

Privately reported to 'info@voeb-zvd.de' on Feb 4th, no response. Also reported to a software vendor that uses it for their payment processing.

sindarina commented 9 years ago

No change:

Target: paysolution.directpos.de:443

prio  ciphersuite    protocols                    pfs_keysize
1     RC4-SHA        SSLv3,TLSv1,TLSv1.1,TLSv1.2
2     AES128-SHA     SSLv3,TLSv1,TLSv1.1,TLSv1.2
3     AES256-SHA     SSLv3,TLSv1,TLSv1.1,TLSv1.2
4     DES-CBC3-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2
5     AES128-SHA256  TLSv1.2
6     AES256-SHA256  TLSv1.2

Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Server side cipher ordering

sindarina commented 9 years ago

No change.

Cipherscan Analysis Results

paysolution.directpos.de:443 has bad ssl/tls

Things that are bad:
* remove cipher RC4-SHA

Changes needed to match the intermediate level:
* remove cipher RC4-SHA
* disable SSLv3
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher RC4-SHA
* remove cipher AES128-SHA
* remove cipher AES256-SHA
* remove cipher DES-CBC3-SHA
* remove cipher AES128-SHA256
* remove cipher AES256-SHA256
* disable TLSv1
* disable SSLv3
* consider enabling OCSP Stapling
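As an added example (not code from this thread or from the Cipherscan project), a small Python checker that parses the cipher table posted above and derives the "changes needed" lists; the rule set it applies is an assumption modelled on the bad / intermediate / modern wording in the analysis, not Cipherscan's own logic.

```python
import re

# Constructed input: the cipher table and OCSP line as posted in the issue.
CIPHERSCAN_OUTPUT = """\
prio  ciphersuite    protocols                    pfs_keysize
1     RC4-SHA        SSLv3,TLSv1,TLSv1.1,TLSv1.2
2     AES128-SHA     SSLv3,TLSv1,TLSv1.1,TLSv1.2
3     AES256-SHA     SSLv3,TLSv1,TLSv1.1,TLSv1.2
4     DES-CBC3-SHA   SSLv3,TLSv1,TLSv1.1,TLSv1.2
5     AES128-SHA256  TLSv1.2
6     AES256-SHA256  TLSv1.2

OCSP stapling: not supported
"""

def parse_cipherscan(text):
    """Return ([(suite, protocol_set, pfs_keysize_or_None), ...], ocsp_supported)."""
    suites, ocsp = [], False
    for line in text.splitlines():
        # prio, suite, comma-separated protocols, optional pfs_keysize column
        m = re.match(r"^\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", line)
        if m:
            suites.append((m.group(1), set(m.group(2).split(",")), m.group(3)))
        elif line.startswith("OCSP stapling:"):
            ocsp = "not supported" not in line
    return suites, ocsp

def changes_needed(suites, ocsp, level):
    """Remediation steps for level 'bad', 'intermediate' or 'modern' (assumed rules)."""
    steps = []
    protocols = set().union(*(p for _, p, _ in suites))
    for suite, _, pfs in suites:
        # RC4 is flagged at every level; 'modern' additionally requires forward
        # secrecy, i.e. a non-empty pfs_keysize (ECDHE/DHE key exchange).
        if "RC4" in suite or (level == "modern" and not pfs):
            steps.append(f"remove cipher {suite}")
    if level == "bad":
        return steps
    if level == "modern" and "TLSv1" in protocols:
        steps.append("disable TLSv1")
    if "SSLv3" in protocols:
        steps.append("disable SSLv3")
    if not ocsp:
        steps.append("consider enabling OCSP Stapling")
    return steps
```

Every row in this scan has an empty pfs_keysize, which is why the modern level ends up removing all six suites rather than only the RC4 one.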

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

Unlikely to be resolved anytime soon, closing as unresolved for now.

sindarina commented 9 years ago

Still unresolved; https://www.ssllabs.com/ssltest/analyze.html?d=paysolution.directpos.de (C)