isvsecwatch / httpstracker

Our main issue tracker for ISV security issues, such as the SSL/TLS configuration of their online stores.

myproducts.drobo.com - login site for hardware vendor #8

Closed sindarina closed 9 years ago

sindarina commented 9 years ago

SSL Server Test Results https://www.ssllabs.com/ssltest/analyze.html?d=myproducts.drobo.com (B)

Cipherscan Results

Target: myproducts.drobo.com:443

prio  ciphersuite                protocols              pfs_keysize
1     RC4-SHA                    TLSv1,TLSv1.1,TLSv1.2
2     RC4-MD5                    TLSv1,TLSv1.1,TLSv1.2
3     DHE-RSA-AES256-GCM-SHA384  TLSv1.2                DH,2048bits
4     DHE-RSA-AES256-SHA256      TLSv1.2                DH,2048bits
5     DHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
6     DHE-RSA-CAMELLIA256-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
7     AES256-GCM-SHA384          TLSv1.2
8     AES256-SHA256              TLSv1.2
9     AES256-SHA                 TLSv1,TLSv1.1,TLSv1.2
10    CAMELLIA256-SHA            TLSv1,TLSv1.1,TLSv1.2
11    DHE-RSA-AES128-GCM-SHA256  TLSv1.2                DH,2048bits
12    DHE-RSA-AES128-SHA256      TLSv1.2                DH,2048bits
13    DHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
14    DHE-RSA-CAMELLIA128-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
15    EDH-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
16    AES128-GCM-SHA256          TLSv1.2
17    AES128-SHA256              TLSv1.2
18    AES128-SHA                 TLSv1,TLSv1.1,TLSv1.2
19    CAMELLIA128-SHA            TLSv1,TLSv1.1,TLSv1.2
20    DES-CBC3-SHA               TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Server side cipher ordering

Verdict: Bad cipher ordering, RC4 preferred, no ECDHE ciphers despite support for TLSv1.2; not as big a mess as others, but definitely needs some work.

sindarina commented 9 years ago

Initially poked via Twitter, on January 22nd; https://twitter.com/sindarina/status/558272248680038401

No response.

sindarina commented 9 years ago

Notified via 'webteam@drobo.com'.

sindarina commented 9 years ago

No change:

Target: myproducts.drobo.com:443

prio  ciphersuite                protocols              pfs_keysize
1     RC4-SHA                    TLSv1,TLSv1.1,TLSv1.2
2     RC4-MD5                    TLSv1,TLSv1.1,TLSv1.2
3     DHE-RSA-AES256-GCM-SHA384  TLSv1.2                DH,2048bits
4     DHE-RSA-AES256-SHA256      TLSv1.2                DH,2048bits
5     DHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
6     DHE-RSA-CAMELLIA256-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
7     AES256-GCM-SHA384          TLSv1.2
8     AES256-SHA256              TLSv1.2
9     AES256-SHA                 TLSv1,TLSv1.1,TLSv1.2
10    CAMELLIA256-SHA            TLSv1,TLSv1.1,TLSv1.2
11    DHE-RSA-AES128-GCM-SHA256  TLSv1.2                DH,2048bits
12    DHE-RSA-AES128-SHA256      TLSv1.2                DH,2048bits
13    DHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
14    DHE-RSA-CAMELLIA128-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
15    EDH-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
16    AES128-GCM-SHA256          TLSv1.2
17    AES128-SHA256              TLSv1.2
18    AES128-SHA                 TLSv1,TLSv1.1,TLSv1.2
19    CAMELLIA128-SHA            TLSv1,TLSv1.1,TLSv1.2
20    DES-CBC3-SHA               TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Server side cipher ordering

sindarina commented 9 years ago

No change.

Cipherscan Analysis Results

myproducts.drobo.com:443 has bad ssl/tls

Things that are bad:
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA

Changes needed to match the intermediate level:
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DHE-RSA-CAMELLIA256-SHA
* remove cipher AES256-GCM-SHA384
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* remove cipher CAMELLIA256-SHA
* remove cipher DHE-RSA-CAMELLIA128-SHA
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher AES128-GCM-SHA256
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher CAMELLIA128-SHA
* remove cipher DES-CBC3-SHA
* disable TLSv1
* consider enabling OCSP Stapling

sindarina commented 9 years ago

No change.

myproducts.drobo.com:443 has bad ssl/tls

Things that are bad:
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA

Changes needed to match the intermediate level:
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher DHE-RSA-CAMELLIA256-SHA
* remove cipher AES256-GCM-SHA384
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* remove cipher CAMELLIA256-SHA
* remove cipher DHE-RSA-CAMELLIA128-SHA
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher AES128-GCM-SHA256
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher CAMELLIA128-SHA
* remove cipher DES-CBC3-SHA
* disable TLSv1
* consider enabling OCSP Stapling

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

No change.

Target: myproducts.drobo.com:443

prio  ciphersuite                protocols              pfs_keysize
1     RC4-SHA                    TLSv1,TLSv1.1,TLSv1.2
2     RC4-MD5                    TLSv1,TLSv1.1,TLSv1.2
3     DHE-RSA-AES256-GCM-SHA384  TLSv1.2                DH,2048bits
4     DHE-RSA-AES256-SHA256      TLSv1.2                DH,2048bits
5     DHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
6     DHE-RSA-CAMELLIA256-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
7     AES256-GCM-SHA384          TLSv1.2
8     AES256-SHA256              TLSv1.2
9     AES256-SHA                 TLSv1,TLSv1.1,TLSv1.2
10    CAMELLIA256-SHA            TLSv1,TLSv1.1,TLSv1.2
11    DHE-RSA-AES128-GCM-SHA256  TLSv1.2                DH,2048bits
12    DHE-RSA-AES128-SHA256      TLSv1.2                DH,2048bits
13    DHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
14    DHE-RSA-CAMELLIA128-SHA    TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
15    EDH-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  DH,2048bits
16    AES128-GCM-SHA256          TLSv1.2
17    AES128-SHA256              TLSv1.2
18    AES128-SHA                 TLSv1,TLSv1.1,TLSv1.2
19    CAMELLIA128-SHA            TLSv1,TLSv1.1,TLSv1.2
20    DES-CBC3-SHA               TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Server side cipher ordering

sindarina commented 9 years ago

No change.

sindarina commented 9 years ago

As there has been no movement whatsoever on this ticket, I am marking it as unresolved, and closing it as such. Review later this year.