isvsecwatch / httpstracker

Our main issue tracker for ISV security issues, such as the SSL/TLS configuration of their online stores.

store.diditbetter.com - order/ecommerce website #40

Closed sindarina closed 9 years ago

sindarina commented 9 years ago

SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=store.diditbetter.com (F)

Cipherscan Results

Target: store.diditbetter.com:443

prio  ciphersuite           protocols          pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
1     AES128-SHA            TLSv1              2048         sha256WithRSAEncryption  True     None         True
2     AES256-SHA            TLSv1              2048         sha256WithRSAEncryption  True     None         True
3     RC4-SHA               SSLv3,TLSv1        2048         sha256WithRSAEncryption  True     None         True
4     DES-CBC3-SHA          SSLv3,TLSv1        2048         sha256WithRSAEncryption  True     None         True
5     ECDHE-RSA-AES128-SHA  TLSv1              2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
6     ECDHE-RSA-AES256-SHA  TLSv1              2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
7     RC4-MD5               SSLv2,SSLv3,TLSv1  2048         sha256WithRSAEncryption  True     None         True
8     DES-CBC3-MD5          SSLv2              2048         sha256WithRSAEncryption  False    None         False

OCSP stapling: supported
Server side cipher ordering

Cipherscan Analysis

store.diditbetter.com:443 has bad ssl/tls

Things that are bad:
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC3-MD5
* disable SSLv2

Changes needed to match the intermediate level:
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC3-MD5
* disable SSLv3
* disable SSLv2
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher AES128-SHA
* remove cipher AES256-SHA
* remove cipher RC4-SHA
* remove cipher DES-CBC3-SHA
* remove cipher RC4-MD5
* remove cipher DES-CBC3-MD5
* disable TLSv1
* disable SSLv3
* disable SSLv2
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* consider enabling OCSP Stapling
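
Added example, not part of this issue or of the Cipherscan project: a small Python script that parses the Cipherscan table quoted above and reproduces the "bad", "intermediate" and "modern" findings listed in the analysis. The three profiles are an approximation written here to match the output shown, not Cipherscan's own rules.

```python
import re
# Constructed sample input: the Cipherscan table quoted in the issue above.
CIPHERSCAN_OUTPUT = """\
prio  ciphersuite           protocols          pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
1     AES128-SHA            TLSv1              2048         sha256WithRSAEncryption  True     None         True
2     AES256-SHA            TLSv1              2048         sha256WithRSAEncryption  True     None         True
3     RC4-SHA               SSLv3,TLSv1        2048         sha256WithRSAEncryption  True     None         True
4     DES-CBC3-SHA          SSLv3,TLSv1        2048         sha256WithRSAEncryption  True     None         True
5     ECDHE-RSA-AES128-SHA  TLSv1              2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
6     ECDHE-RSA-AES256-SHA  TLSv1              2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
7     RC4-MD5               SSLv2,SSLv3,TLSv1  2048         sha256WithRSAEncryption  True     None         True
8     DES-CBC3-MD5          SSLv2              2048         sha256WithRSAEncryption  False    None         False
"""

# Protocols each profile wants disabled (approximation of the levels in the analysis above).
DISABLE = {"bad": ["SSLv2"], "intermediate": ["SSLv3", "SSLv2"],
           "modern": ["TLSv1", "SSLv3", "SSLv2"]}

def parse_cipherscan(text):
    """Return one dict per cipher row. Columns are separated by two or more
    spaces; pfs_keysize is blank for non-ECDHE suites, so pad short rows."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[1:]:
        fields = re.split(r"\s{2,}", line.strip())
        fields += [""] * (len(header) - len(fields))
        row = dict(zip(header, fields))
        row["protocols"] = row["protocols"].split(",")
        rows.append(row)
    return rows

def analyse(rows, level="bad"):
    """List the changes needed for a profile: 'bad' flags only RC4, MD5 and
    SSLv2; 'intermediate' also drops SSLv3; 'modern' keeps only ECDHE suites."""
    protos = {p for r in rows for p in r["protocols"]}
    findings = []
    for c in (r["ciphersuite"] for r in rows):           # table order = server priority
        weak = "RC4" in c or c.endswith("-MD5")
        if level == "modern":
            weak = weak or not c.startswith("ECDHE-")
        if weak:
            findings.append(f"remove cipher {c}")
    findings += [f"disable {p}" for p in DISABLE[level] if p in protos]
    if level != "bad":   # missing newer protocols are only a concern above 'bad'
        findings += [f"consider enabling {p}" for p in ("TLSv1.1", "TLSv1.2") if p not in protos]
    return findings

if __name__ == "__main__":
    for lvl in ("bad", "intermediate", "modern"):
        print(lvl, analyse(parse_cipherscan(CIPHERSCAN_OUTPUT), lvl))
```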

sindarina commented 9 years ago

Notified via email: info@diditbetter.com

sindarina commented 9 years ago

Poked on Twitter: https://twitter.com/isvsecwatch/status/595336965270155265

sindarina commented 9 years ago

Most likely a box with IIS default settings, which aren't very secure. Suggestions for improvement here: https://github.com/isvsecwatch/httpstracker/blob/master/server-tips-iis.md

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change. Re-notified via email: info@diditbetter.com

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change, still broken.

sindarina commented 9 years ago

A new RC4 attack, NOMORE, was released today: http://www.rc4nomore.com/

Please update your systems.

sindarina commented 9 years ago

No change, still a big red F.

Target: store.diditbetter.com:443

prio  ciphersuite           protocols          pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
1     AES128-SHA            TLSv1              2048         sha256WithRSAEncryption  True     None         True
2     AES256-SHA            TLSv1              2048         sha256WithRSAEncryption  True     None         True
3     RC4-SHA               SSLv3,TLSv1        2048         sha256WithRSAEncryption  True     None         True
4     DES-CBC3-SHA          SSLv3,TLSv1        2048         sha256WithRSAEncryption  True     None         True
5     ECDHE-RSA-AES128-SHA  TLSv1              2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
6     ECDHE-RSA-AES256-SHA  TLSv1              2048         sha256WithRSAEncryption  True     None         True         ECDH,P-256,256bits
7     RC4-MD5               SSLv2,SSLv3,TLSv1  2048         sha256WithRSAEncryption  True     None         True
8     DES-CBC3-MD5          SSLv2              2048         sha256WithRSAEncryption  False    None         False

OCSP stapling: supported
Server side cipher ordering

isvsecwatch-report commented 9 years ago

Unchanged, completely unresponsive. Closing as unresolved.