isvsecwatch / httpstracker

Our main issue tracker for ISV security issues, such as the SSL/TLS configuration of their online stores.

schoolsunited.eu - Dutch hosting platform for elementary schools #99

Closed isvsecwatch-report closed 7 years ago

isvsecwatch-report commented 8 years ago

SSL Server Labs Results
https://www.ssllabs.com/ssltest/analyze.html?d=www.schoolsunited.nu (F)
https://www.ssllabs.com/ssltest/analyze.html?d=www.schoolsunited.eu (F)

Cipherscan Results

Target: www.schoolsunited.nu:443

prio  ciphersuite                protocols                    pfs          curves
1     RC4-SHA                    SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
2     DHE-RSA-AES256-GCM-SHA384  TLSv1.2                      DH,1024bits  None
3     DHE-RSA-AES256-SHA256      TLSv1.2                      DH,1024bits  None
4     DHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits  None
5     DHE-RSA-CAMELLIA256-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits  None
6     AES256-GCM-SHA384          TLSv1.2                      None         None
7     AES256-SHA256              TLSv1.2                      None         None
8     AES256-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
9     CAMELLIA256-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
10    EDH-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits  None
11    DES-CBC3-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
12    DHE-RSA-AES128-GCM-SHA256  TLSv1.2                      DH,1024bits  None
13    DHE-RSA-AES128-SHA256      TLSv1.2                      DH,1024bits  None
14    DHE-RSA-AES128-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits  None
15    DHE-RSA-CAMELLIA128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits  None
16    AES128-GCM-SHA256          TLSv1.2                      None         None
17    AES128-SHA256              TLSv1.2                      None         None
18    AES128-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
19    CAMELLIA128-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None

Certificate: untrusted, 1024 bits, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Cipher ordering: server
Curves ordering: none - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes

Target: www.schoolsunited.eu:443

prio  ciphersuite                protocols                    pfs          curves
1     DHE-RSA-AES256-GCM-SHA384  TLSv1.2                      DH,1024bits  None
2     DHE-RSA-AES256-SHA256      TLSv1.2                      DH,1024bits  None
3     DHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits  None
4     DHE-RSA-CAMELLIA256-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits  None
5     AES256-GCM-SHA384          TLSv1.2                      None         None
6     AES256-SHA256              TLSv1.2                      None         None
7     AES256-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
8     CAMELLIA256-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
9     DHE-RSA-AES128-GCM-SHA256  TLSv1.2                      DH,1024bits  None
10    DHE-RSA-AES128-SHA256      TLSv1.2                      DH,1024bits  None
11    DHE-RSA-AES128-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits  None
12    DHE-RSA-SEED-SHA           SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits  None
13    DHE-RSA-CAMELLIA128-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits  None
14    AES128-GCM-SHA256          TLSv1.2                      None         None
15    AES128-SHA256              TLSv1.2                      None         None
16    AES128-SHA                 SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
17    SEED-SHA                   SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
18    CAMELLIA128-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
19    IDEA-CBC-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
20    RC4-SHA                    SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
21    RC4-MD5                    SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
22    EDH-RSA-DES-CBC3-SHA       SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits  None
23    DES-CBC3-SHA               SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
24    EDH-RSA-DES-CBC-SHA        SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits  None
25    DES-CBC-SHA                SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
26    EXP-EDH-RSA-DES-CBC-SHA    SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,512bits   None
27    EXP-DES-CBC-SHA            SSLv3,TLSv1,TLSv1.1,TLSv1.2  RSA,512bits  None
28    EXP-RC2-CBC-MD5            SSLv3,TLSv1,TLSv1.1,TLSv1.2  RSA,512bits  None
29    EXP-RC4-MD5                SSLv3,TLSv1,TLSv1.1,TLSv1.2  RSA,512bits  None

Certificate: untrusted, 2048 bits, sha1WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Cipher ordering: client
Curves ordering: none - fallback: no
Server supports secure renegotiation
Server supported compression methods: NONE
TLS Tolerance: yes

Cipherscan Analysis

www.schoolsunited.nu:443 has bad ssl/tls

Things that are bad:
* remove cipher RC4-SHA
* remove cipher EDH-RSA-DES-CBC3-SHA
* don't use a public key smaller than 2048 bits
* don't use an untrusted or self-signed certificate

Changes needed to match the old level:
* remove cipher RC4-SHA
* remove cipher EDH-RSA-DES-CBC3-SHA
* consider enabling OCSP Stapling

Changes needed to match the intermediate level:
* remove cipher RC4-SHA
* remove cipher EDH-RSA-DES-CBC3-SHA
* disable SSLv3
* consider using a SHA-256 certificate
* consider using DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling

Changes needed to match the modern level:
* remove cipher RC4-SHA
* remove cipher DHE-RSA-CAMELLIA256-SHA
* remove cipher AES256-GCM-SHA384
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* remove cipher CAMELLIA256-SHA
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher DES-CBC3-SHA
* remove cipher DHE-RSA-CAMELLIA128-SHA
* remove cipher AES128-GCM-SHA256
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher CAMELLIA128-SHA
* disable TLSv1
* disable SSLv3
* use a SHA-256 certificate
* use DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling

www.schoolsunited.eu:443 has bad ssl/tls

Things that are bad:
* remove cipher DHE-RSA-SEED-SHA
* remove cipher SEED-SHA
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC-SHA
* remove cipher DES-CBC-SHA
* remove cipher EXP-EDH-RSA-DES-CBC-SHA
* remove cipher EXP-DES-CBC-SHA
* remove cipher EXP-RC2-CBC-MD5
* remove cipher EXP-RC4-MD5
* don't use an untrusted or self-signed certificate
* don't use DHE smaller than 1024bits or ECC smaller than 160bits

Changes needed to match the old level:
* remove cipher DHE-RSA-SEED-SHA
* remove cipher SEED-SHA
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC-SHA
* remove cipher DES-CBC-SHA
* remove cipher EXP-EDH-RSA-DES-CBC-SHA
* remove cipher EXP-DES-CBC-SHA
* remove cipher EXP-RC2-CBC-MD5
* remove cipher EXP-RC4-MD5
* use DHE of 1024bits and ECC of 256bits
* consider enabling OCSP Stapling
* enforce server side ordering

Changes needed to match the intermediate level:
* remove cipher DHE-RSA-SEED-SHA
* remove cipher SEED-SHA
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC-SHA
* remove cipher DES-CBC-SHA
* remove cipher EXP-EDH-RSA-DES-CBC-SHA
* remove cipher EXP-DES-CBC-SHA
* remove cipher EXP-RC2-CBC-MD5
* remove cipher EXP-RC4-MD5
* disable SSLv3
* consider using a SHA-256 certificate
* consider using DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering

Changes needed to match the modern level:
* remove cipher DHE-RSA-CAMELLIA256-SHA
* remove cipher AES256-GCM-SHA384
* remove cipher AES256-SHA256
* remove cipher AES256-SHA
* remove cipher CAMELLIA256-SHA
* remove cipher DHE-RSA-SEED-SHA
* remove cipher DHE-RSA-CAMELLIA128-SHA
* remove cipher AES128-GCM-SHA256
* remove cipher AES128-SHA256
* remove cipher AES128-SHA
* remove cipher SEED-SHA
* remove cipher CAMELLIA128-SHA
* remove cipher IDEA-CBC-SHA
* remove cipher RC4-SHA
* remove cipher RC4-MD5
* remove cipher EDH-RSA-DES-CBC3-SHA
* remove cipher DES-CBC3-SHA
* remove cipher EDH-RSA-DES-CBC-SHA
* remove cipher DES-CBC-SHA
* remove cipher EXP-EDH-RSA-DES-CBC-SHA
* remove cipher EXP-DES-CBC-SHA
* remove cipher EXP-RC2-CBC-MD5
* remove cipher EXP-RC4-MD5
* disable TLSv1
* disable SSLv3
* use a SHA-256 certificate
* use DHE of at least 2048bits and ECC of at least 256bits
* consider enabling OCSP Stapling
* enforce server side ordering
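
The "Things that are bad" lists above are what cipherscan's analyze step derives from the table and footer it printed. As an added example (not part of the report and not cipherscan's own code), the parser below reads that same output format and applies a simplified, deliberately stricter rule set to produce the same kind of findings; the sample input is constructed from rows of the www.schoolsunited.eu output quoted above.

```python
import re

# One cipherscan table row: prio, ciphersuite, protocols, pfs, curves.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# Constructed sample: rows and footer lines taken from the www.schoolsunited.eu output above.
SAMPLE = """\
prio  ciphersuite                protocols                    pfs          curves
3     DHE-RSA-AES256-SHA         SSLv3,TLSv1,TLSv1.1,TLSv1.2  DH,1024bits  None
21    RC4-MD5                    SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
25    DES-CBC-SHA                SSLv3,TLSv1,TLSv1.1,TLSv1.2  None         None
29    EXP-RC4-MD5                SSLv3,TLSv1,TLSv1.1,TLSv1.2  RSA,512bits  None
Certificate: untrusted, 2048 bits, sha1WithRSAEncryption signature
Cipher ordering: client
"""
# Substrings marking suites that should not be offered at all (RC4, MD5 MACs, single
# DES, export grade, SEED, IDEA). A simplified rule set, not cipherscan's own level lists.
WEAK = ("RC4", "MD5", "DES-CBC-", "EXP-", "SEED", "IDEA")

def parse_cipherscan(text):
    # Split cipherscan output into (suite rows, footer key/value lines).
    suites, footer = [], {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _prio, name, protos, pfs, _curves = m.groups()
            suites.append({"name": name, "protocols": set(protos.split(",")), "pfs": pfs})
        elif ":" in line:
            key, _, val = line.partition(":")
            footer[key.strip()] = val.strip()
    return suites, footer

def analyze(text):
    """Return remediation findings in the style of the report's 'Things that are bad'."""
    suites, footer = parse_cipherscan(text)
    findings, dh_bits = [], []
    for s in suites:
        if any(w in s["name"] for w in WEAK):
            findings.append("remove cipher " + s["name"])
        if s["pfs"].startswith("DH,"):  # e.g. "DH,1024bits"
            dh_bits.append(int(s["pfs"].split(",")[1].rstrip("bits")))
    if dh_bits and min(dh_bits) < 2048:
        findings.append("use DHE of at least 2048bits")
    if any("SSLv3" in s["protocols"] for s in suites):
        findings.append("disable SSLv3")
    if "sha1With" in footer.get("Certificate", ""):
        findings.append("use a SHA-256 certificate")
    if footer.get("Cipher ordering") == "client":
        findings.append("enforce server side ordering")
    return findings
```

Running `analyze(SAMPLE)` flags the three weak suites, the 1024-bit DH parameters, SSLv3, the SHA-1 certificate signature and the client-side cipher ordering, matching the categories in the report above.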

isvsecwatch-report commented 8 years ago

Logging this in case they pull a CloudFlare:

$ host www.schoolsunited.eu
www.schoolsunited.eu has address 37.247.39.160

$ host www.schoolsunited.nu
www.schoolsunited.nu has address 37.247.39.162

isvsecwatch-report commented 8 years ago

Notified via email: support@schoolsunited.eu, verkoop@schoolsunited.eu

isvsecwatch-report commented 8 years ago

No change.