search

isvsecwatch / httpstracker

Our main issue tracker for ISV security issues, such as the SSL/TLS configuration of their online stores.
3 stars 0 forks source link

oneperiodic.com - mac software vendor #63

Closed isvsecwatch-report closed 8 years ago

isvsecwatch-report commented 8 years ago

SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=oneperiodic.com (C)

isvsecwatch-report commented 8 years ago

Cipherscan Results

Target: oneperiodic.com:443

prio  ciphersuite              protocols    pfs
1     DHE-RSA-AES256-SHA       SSLv3,TLSv1  DH,1024bits  None
2     DHE-RSA-CAMELLIA256-SHA  SSLv3,TLSv1  DH,1024bits  None
3     AES256-SHA               SSLv3,TLSv1  None         None
4     CAMELLIA256-SHA          SSLv3,TLSv1  None         None
5     DHE-RSA-AES128-SHA       SSLv3,TLSv1  DH,1024bits  None
6     DHE-RSA-SEED-SHA         SSLv3,TLSv1  DH,1024bits  None
7     DHE-RSA-CAMELLIA128-SHA  SSLv3,TLSv1  DH,1024bits  None
8     AES128-SHA               SSLv3,TLSv1  None         None
9     SEED-SHA                 SSLv3,TLSv1  None         None
10    CAMELLIA128-SHA          SSLv3,TLSv1  None         None
11    RC4-SHA                  SSLv3,TLSv1  None         None
12    RC4-MD5                  SSLv3,TLSv1  None         None
13    EDH-RSA-DES-CBC3-SHA     SSLv3,TLSv1  DH,1024bits  None
14    DES-CBC3-SHA             SSLv3,TLSv1  None         None
15    EDH-RSA-DES-CBC-SHA      SSLv3,TLSv1  DH,1024bits  None
16    DES-CBC-SHA              SSLv3,TLSv1  None         None

Certificate: trusted, 2048 bits, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Cipher ordering: client
Curves ordering: none - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE

TLS Tolerance: no
Fallbacks required:
big-SSLv3 no fallback req, connected: SSLv3 DHE-RSA-AES256-SHA
big-TLSv1.0 no fallback req, connected: TLSv1 DHE-RSA-AES256-SHA
big-TLSv1.1 no fallback req, connected: TLSv1 DHE-RSA-AES256-SHA
big-TLSv1.2 no fallback req, connected: TLSv1 DHE-RSA-AES256-SHA

Cipherscan Analysis

oneperiodic.com:443 has bad ssl/tls

Things that are bad:
* remove cipher DHE-RSA-SEED-SHA
* remove cipher SEED-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC-SHA
* remove cipher DES-CBC-SHA

Changes needed to match the intermediate level:
* remove cipher DHE-RSA-SEED-SHA
* remove cipher SEED-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC-SHA
* remove cipher DES-CBC-SHA
* disable SSLv3
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* consider using a SHA-256 certificate
* consider using DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering

Changes needed to match the modern level:
* remove cipher DHE-RSA-CAMELLIA256-SHA
* remove cipher AES256-SHA
* remove cipher CAMELLIA256-SHA
* remove cipher DHE-RSA-SEED-SHA
* remove cipher DHE-RSA-CAMELLIA128-SHA
* remove cipher AES128-SHA
* remove cipher SEED-SHA
* remove cipher CAMELLIA128-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC-SHA
* remove cipher DES-CBC-SHA
* disable TLSv1
* disable SSLv3
* consider enabling TLSv1.1
* consider enabling TLSv1.2
* use a SHA-256 certificate
* use DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering
isvsecwatch-report commented 8 years ago

No change. Notified via email; info@oneperiodic.com

isvsecwatch-report commented 8 years ago

No change. Re-notified via email; info@oneperiodic.com

isvsecwatch-report commented 8 years ago

No change.

isvsecwatch-report commented 8 years ago

No change. Closing as unresolved.