Closed sindarina closed 8 years ago
The Cipherscan analysis is a bit off, really. I mean, this setup has only RC4 enabled. Sigh.
Notified via email; security@paypal.com, security@paypal-engineering.com, hostmaster@ebay.com (WHOIS). The 'security@paypal-engineering.com' address bounced.
Well, this is reassuring;
Hello ISV Security Watch,
We want to help you but we're not able to respond directly to emails sent to this address.
If you have a question about your account, please contact us through our website. Here's how:
1. Go to the PayPal website and log in to your account.
2. Click "Contact Us" at the bottom of any page.
3. Click "Contact Customer Service," and ask your question.
One of our Customer Service agents will reply to your question.
We value your business and want to provide you with the best customer care.
Thanks,
PayPal
This email is sent to you by the contracting entity to your User Agreement, either PayPal Inc, PayPal Pte. Ltd or PayPal (Europe) S.à r.l. & Cie, S.C.A. Société en Commandite par Actions, Registered Office: 5th Floor 22-24 Boulevard Royal L-2449, Luxembourg RCS Luxembourg B 118 349.
The PayPal website only shows security reporting information if switched to US, which it doesn't do by default if you're not located there. Their bug bounty reporting program requires an eBay login to do anything. Le sigh.
Due to the changes in the SSL Server Test today, this now caps at 'C'.
They acknowledged the problem yesterday, though; https://twitter.com/PayPalSecurity/status/601097006187089920
No change.
No change, still RC4 only.
No change.
No change.
Poked on Twitter; https://twitter.com/sindarina/status/617263814887763968
Re-poked on Twitter; https://twitter.com/sindarina/status/621344695650754562
Updated, but not fixed properly; https://www.ssllabs.com/ssltest/analyze.html?d=paypal-engineering.com&s=173.0.94.99 (B)
Still preferring DHE over ECDHE, etcetera; https://twitter.com/isvsecwatch/status/653127954948583424
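Added example, not part of this issue thread and not Cipherscan or SSL Labs code: a small Python assessor for the two states the thread reports, an RC4-only suite list (the original finding) and a later list that still prefers DHE over ECDHE. It takes a server's cipher suites in server-preferred order, using OpenSSL-style names as Cipherscan prints them, and reports RC4-only, RC4 still offered, DHE ordered ahead of ECDHE, and static-RSA suites without forward secrecy. The three suite lists at the bottom are constructed illustrations of those states, not the actual scan output for paypal-engineering.com.

```python
# Added example (not from the issue thread, Cipherscan or SSL Labs): grade a
# server's cipher-suite list, given in server-preferred order, for the
# problems this thread tracked. Suite names are assumed to follow OpenSSL
# conventions (e.g. ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES128-SHA, RC4-SHA).
from dataclasses import dataclass, field
from typing import List


@dataclass
class Assessment:
    rc4_only: bool
    offers_rc4: bool
    dhe_before_ecdhe: bool
    all_forward_secret: bool
    findings: List[str] = field(default_factory=list)


def key_exchange(suite: str) -> str:
    """Classify the key exchange from an OpenSSL cipher-suite name.

    ECDHE-* and DHE-*/EDH-* suites give forward secrecy; anything else in
    this simplified scheme (AES128-SHA, RC4-SHA, ...) is static RSA key
    transport, which does not.
    """
    if suite.startswith("ECDHE-"):
        return "ECDHE"
    if suite.startswith(("DHE-", "EDH-")):
        return "DHE"
    return "RSA"


def assess(suites: List[str]) -> Assessment:
    """Return an Assessment for a non-empty, server-preferred suite list."""
    if not suites:
        raise ValueError("no cipher suites offered")

    rc4 = [s for s in suites if "RC4" in s]
    kex = [key_exchange(s) for s in suites]
    first_ecdhe = kex.index("ECDHE") if "ECDHE" in kex else None
    first_dhe = kex.index("DHE") if "DHE" in kex else None

    a = Assessment(
        rc4_only=len(rc4) == len(suites),
        offers_rc4=bool(rc4),
        # Server preference order matters: the first matching suite wins.
        dhe_before_ecdhe=(first_dhe is not None and first_ecdhe is not None
                          and first_dhe < first_ecdhe),
        all_forward_secret=all(k != "RSA" for k in kex),
    )
    if a.rc4_only:
        a.findings.append("only RC4 suites are offered (RC4 is prohibited by RFC 7465)")
    elif a.offers_rc4:
        a.findings.append("RC4 suites are still offered: " + ", ".join(rc4))
    if a.dhe_before_ecdhe:
        a.findings.append("DHE is preferred over ECDHE; move ECDHE suites to the front")
    if not a.all_forward_secret:
        a.findings.append("static-RSA suites offered; no forward secrecy for those connections")
    return a


# Constructed suite lists illustrating the states reported in the thread;
# they are NOT the actual scan output for paypal-engineering.com.
RC4_ONLY = ["RC4-SHA", "RC4-MD5"]
UPDATED_NOT_FIXED = ["DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA",
                     "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]
FIXED = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
         "DHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    for label, suites in [("RC4 only", RC4_ONLY),
                          ("updated, not fixed", UPDATED_NOT_FIXED),
                          ("fixed", FIXED)]:
        print(label + ":", assess(suites).findings or ["no findings"])
```

Feed it the suite list from a Cipherscan run in the order the server prefers; the "prefers DHE over ECDHE" finding only fires when an ECDHE suite is present but ordered after a DHE suite, which is the state the B grade above reflects.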
No change.
No change.
No change.
Poked on Twitter; https://twitter.com/isvsecwatch/status/693842889760231425
"Assessment failed: Unable to connect to the server"
It looks like the domain has disappeared from the web, only MX records remaining. Closing as unresolved.
SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=paypal-engineering.com (B)
Cipherscan Results
Cipherscan Analysis