isvsecwatch / httpstracker

Our main issue tracker for ISV security issues, such as the SSL/TLS configuration of their online stores.

paypal-engineering.com - website #42

Closed sindarina closed 8 years ago

sindarina commented 9 years ago

SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=paypal-engineering.com (B)

Cipherscan Results

Target: paypal-engineering.com:443

prio  ciphersuite  protocols              pfs_keysize
1     RC4-SHA      TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Server side cipher ordering

Cipherscan Analysis

paypal-engineering.com:443 has bad ssl/tls

Things that are bad:
* remove cipher RC4-SHA

Changes needed to match the intermediate level:
* remove cipher RC4-SHA
* add cipher AES128-SHA
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher RC4-SHA
* disable TLSv1
* consider enabling OCSP Stapling
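As an added example (not Cipherscan's code, nor anything from this tracker), the checker below reproduces the kind of analysis quoted above: given a scanned cipher list, protocol set and stapling flag, it lists what is bad outright, what the simplified "intermediate" and "modern" levels still need, and which forward-secret key exchange the server prefers first. The level tables and the constructed scan input are assumptions for the example, not Mozilla's full recommendations.

```python
from dataclasses import dataclass

# Simplified, constructed level definitions for this example; they are not
# Mozilla's full recommendations and not Cipherscan's own rule tables.
LEVELS = {
    "intermediate": {"require": {"AES128-SHA"},
                     "protocols": {"TLSv1", "TLSv1.1", "TLSv1.2"}},
    "modern":       {"require": set(),
                     "protocols": {"TLSv1.1", "TLSv1.2"}},
}
# Ciphers to remove at every level (RC4, as seen in this issue, among them).
BAD_CIPHERS = {"RC4-SHA", "RC4-MD5", "DES-CBC3-SHA"}

@dataclass
class Scan:
    ciphers: list        # server-side preference order, most preferred first
    protocols: set
    ocsp_stapling: bool = False

def things_that_are_bad(scan):
    """Ciphers present that should be removed regardless of target level."""
    return ["remove cipher " + c for c in scan.ciphers if c in BAD_CIPHERS]

def changes_for(scan, level):
    """Recommendations needed for `scan` to reach `level`, Cipherscan style."""
    spec = LEVELS[level]
    out = things_that_are_bad(scan)
    out += ["add cipher " + c for c in sorted(spec["require"] - set(scan.ciphers))]
    out += ["disable " + p for p in sorted(scan.protocols - spec["protocols"])]
    if not scan.ocsp_stapling:
        out.append("consider enabling OCSP Stapling")
    return out

def first_pfs_kex(scan):
    """Key exchange of the most preferred forward-secret suite, or None.
    A sensible server-side ordering puts ECDHE ahead of DHE."""
    for c in scan.ciphers:
        if c.startswith("ECDHE-"):
            return "ECDHE"
        if c.startswith("DHE-"):
            return "DHE"
    return None

# Constructed input mirroring the Cipherscan output quoted in this issue.
PAYPAL_ENGINEERING = Scan(["RC4-SHA"], {"TLSv1", "TLSv1.1", "TLSv1.2"})

if __name__ == "__main__":
    print("Things that are bad:", things_that_are_bad(PAYPAL_ENGINEERING))
    for level in LEVELS:
        print(level, changes_for(PAYPAL_ENGINEERING, level))
```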

sindarina commented 9 years ago

The Cipherscan analysis is a bit off, really. I mean, this setup has only RC4 enabled. Sigh.

sindarina commented 9 years ago

Poked on Twitter; https://twitter.com/sindarina/status/599259568875708417 https://twitter.com/isvsecwatch/status/599264832039362560

sindarina commented 9 years ago

Notified via email; security@paypal.com, security@paypal-engineering.com, hostmaster@ebay.com (WHOIS). The 'security@paypal-engineering.com' address bounced.

sindarina commented 9 years ago

Well, this is reassuring;

Hello ISV Security Watch,

We want to help you but we're not able to respond directly to emails 
sent to this address. 

If you have a question about your account, please contact us through our
website. Here's how:

1. Go to the PayPal website and log in to your account. 
2. Click "Contact Us" at the bottom of any page. 
3. Click "Contact Customer Service," and ask your question. 

One of our Customer Service agents will reply to your question. 

We value your business and want to provide you with the best customer 
care. 

Thanks, 

PayPal

This email is sent to you by the contracting entity to your User 
Agreement, either PayPal Inc, PayPal Pte. Ltd or PayPal (Europe) S.à 
r.l. & Cie, S.C.A. Société en Commandite par Actions, Registered Office:
5th Floor 22-24 Boulevard Royal L-2449, Luxembourg RCS Luxembourg B 118 
349.

sindarina commented 9 years ago

The Paypal website only shows security reporting information if switched to US, which it doesn't do by default if you're not located there. Their bug bounty reporting program requires an eBay login to do anything. Le sigh.

sindarina commented 9 years ago

Due to the changes in the SSL Server Test today, this now caps at 'C'.

sindarina commented 9 years ago

They acknowledged the problem yesterday, though; https://twitter.com/PayPalSecurity/status/601097006187089920

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change, still RC4 only.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

Poked on Twitter; https://twitter.com/sindarina/status/617263814887763968

sindarina commented 9 years ago

Re-poked on Twitter; https://twitter.com/sindarina/status/621344695650754562

sindarina commented 9 years ago

Updated, but not fixed properly; https://www.ssllabs.com/ssltest/analyze.html?d=paypal-engineering.com&s=173.0.94.99 (B)

isvsecwatch-report commented 8 years ago

Still preferring DHE over ECDHE, etcetera; https://twitter.com/isvsecwatch/status/653127954948583424

isvsecwatch-report commented 8 years ago

No change.

isvsecwatch-report commented 8 years ago

No change.

isvsecwatch-report commented 8 years ago

No change.

isvsecwatch-report commented 8 years ago

Poked on Twitter; https://twitter.com/isvsecwatch/status/693842889760231425

isvsecwatch-report commented 8 years ago

"Assessment failed: Unable to connect to the server"

isvsecwatch-report commented 8 years ago

It looks like the domain has disappeared from the web, only MX records remaining. Closing as unresolved.