search

isvsecwatch / httpstracker

Our main issue tracker for ISV security issues, such as the SSL/TLS configuration of their online stores.
3 stars 0 forks source link

ipredict.co.nz - main website #47

Closed sindarina closed 9 years ago

sindarina commented 9 years ago

SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=ipredict.co.nz (F)

Cipherscan Results

Target: ipredict.co.nz:443

prio  ciphersuite                protocols                    pfs_keysize
1     DHE-RSA-AES256-GCM-SHA384  TLSv1.2                      DH,1024bits
2     DHE-RSA-AES256-SHA256      TLSv1.2                      DH,1024bits
3     DHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
4     DHE-RSA-CAMELLIA256-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
5     AES256-GCM-SHA384          TLSv1.2
6     AES256-SHA256              TLSv1.2
7     AES256-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2
8     CAMELLIA256-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2
9     DHE-RSA-AES128-GCM-SHA256  TLSv1.2                      DH,1024bits
10    DHE-RSA-AES128-SHA256      TLSv1.2                      DH,1024bits
11    DHE-RSA-AES128-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
12    DHE-RSA-SEED-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
13    DHE-RSA-CAMELLIA128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
14    AES128-GCM-SHA256          TLSv1.2
15    AES128-SHA256              TLSv1.2
16    AES128-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2
17    SEED-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2
18    CAMELLIA128-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2
19    RC4-SHA                    SSLv3,TLSv1,TLSv1.1,TLSv1.2
20    RC4-MD5                    SSLv3,TLSv1,TLSv1.1,TLSv1.2
21    EDH-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
22    DES-CBC3-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2
23    EDH-RSA-DES-CBC-SHA        SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
24    DES-CBC-SHA                SSLv3,TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Client side cipher ordering

Cipherscan Analysis

ipredict.co.nz:443 has bad ssl/tls

Things that are bad:
* remove cipher DHE-RSA-SEED-SHA
* remove cipher SEED-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC-SHA
* remove cipher DES-CBC-SHA

Changes needed to match the intermediate level:
* remove cipher DHE-RSA-SEED-SHA
* remove cipher SEED-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC-SHA
* remove cipher DES-CBC-SHA
* disable SSLv3
* consider using a SHA-256 certificate
* consider using DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering

Changes needed to match the modern level:
* remove cipher DHE-RSA-CAMELLIA256-SHA
* remove cipher AES256-GCM-SHA384
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* remove cipher CAMELLIA256-SHA
* remove cipher DHE-RSA-SEED-SHA
* remove cipher DHE-RSA-CAMELLIA128-SHA
* remove cipher AES128-GCM-SHA256
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher SEED-SHA
* remove cipher CAMELLIA128-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC-SHA
* remove cipher DES-CBC-SHA
* disable TLSv1
* disable SSLv3
* use a SHA-256 certificate
* use DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering
sindarina commented 9 years ago

Originally reported privately by a third party, but still unfixed after several months. Reported via email to the relevant WHOIS contacts; viclink@viclink.co.nz, its-operations@lists.vuw.ac.nz

isvsecwatch-report commented 9 years ago

Poked via Twitter; https://twitter.com/isvsecwatch/status/638933346983280640

isvsecwatch-report commented 9 years ago

Updated to an 'A' rating, but still has the SHA1 certificate, the chain issue, and several other issues that are flagged and should be looked at.

isvsecwatch-report commented 9 years ago

Certificate has been reissued, good enough. Closing ticket.