Open gfsk opened 6 years ago
I can provide the site links via email, if you can provide me with an email address please.
Also forgot to mention that, all sites are not shown as vulnerable on the DEV version.
Thanks, Kun
Please send an inbox message here https://community.qualys.com/people/blokhande or https://twitter.com/BhushanLokhande
If you haven't checked these already please check them https://community.qualys.com/thread/17842-requirements-for-being-labeled-as-vulnerable-to-robot https://community.qualys.com/thread/18082-report-mismatch-robot-tool-and-ssl-server-test
Hi Bhushan,
Thanks for the links, I didn't see the first one when I initially searched on the community; that was very useful info.
According to your response in that thread, there are 2 conditions to be flagged down for ROBOT.
Having the weak RSA ciphers supported on the server
Implementation bug in the system/server hosting the web service
We do have a few RSA ciphers enabled across our 2 platforms, and these 2 platforms are identically deployed on the same Barracuda Load Balancer with the same configuration (we have verified a few times to compare the config). The Barracuda product does not have the implementation bug and is not vulnerable according to https://robotattack.org/#patches; the individual web servers are identical and patched up to date with Microsoft monthly patches.
However, the results from these hosted services are still inconsistent. Both sites' reports are identical on the SSL Labs production server test, except for the ROBOT test. https://medgate.maspcl12.medgate.com is not flagged down for ROBOT (https://www.ssllabs.com/ssltest/analyze.html?d=medgate.maspcl2.medgate.com&hideResults=on) https://medgate.maspcl2.medgate.com is flagged down for ROBOT (https://www.ssllabs.com/ssltest/analyze.html?d=medgate.maspcl12.medgate.com&hideResults=on)
At this point, we are not sure whether the results are accurate. Would you be able to assist and help us to understand the differences in the testing results please? In the meantime, we will test them on a few other scanning tools for ROBOT and compare the results.
Thanks, Kun
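The two conditions discussed in this comment (RSA key-exchange suites offered, plus an oracle in the TLS implementation) can be checked separately from a scan report. The following is an added example, not code from the ssllabs-scan project; it assumes the SSL Labs API v3 field layout (`endpoints[].details.suites[].list[].name` and `endpoints[].details.bleichenbacher`) and the documented meaning of the `bleichenbacher` codes, both of which should be confirmed against the API docs for the version in use. The sample reports are constructed.

```python
import json

# details.bleichenbacher codes as documented for the SSL Labs API v3
# (assumption: confirm against the API docs for the version you use)
ROBOT_CODES = {-1: "test failed", 0: "unknown", 1: "not vulnerable",
               2: "vulnerable (weak oracle)", 3: "vulnerable (strong oracle)",
               4: "inconsistent results"}

def static_rsa_suites(details):
    """Names of suites with RSA key exchange (TLS_RSA_* / SSL_RSA_*): the
    suites a Bleichenbacher oracle can be exercised through (condition 1)."""
    names = set()
    for proto in details.get("suites", []):
        for s in proto.get("list", []):
            n = s.get("name", "")
            if n.startswith(("TLS_RSA_WITH_", "SSL_RSA_WITH_")):
                names.add(n)
    return sorted(names)

def summarize(report):
    """One entry per endpoint: RSA-kx suites plus the ROBOT verdict (condition 2)."""
    return [{"ip": ep.get("ipAddress"),
             "rsa_kx": static_rsa_suites(ep.get("details", {})),
             "robot": ROBOT_CODES.get(ep.get("details", {}).get("bleichenbacher", 0),
                                      "unknown")}
            for ep in report.get("endpoints", [])]

def diagnose(report_a, report_b):
    """Explain why two hosts with the 'same' config get different ROBOT flags."""
    a, b = summarize(report_a)[0], summarize(report_b)[0]
    if a["rsa_kx"] != b["rsa_kx"]:
        return "config drift: RSA key-exchange suites differ between hosts"
    if not a["rsa_kx"]:
        return "no RSA key exchange offered: ROBOT precondition absent on both"
    if a["robot"] == b["robot"]:
        return "consistent: both hosts " + a["robot"]
    return ("same RSA suites, different oracle result (%s vs %s): the difference "
            "is in padding-error behaviour, not cipher config; re-test, or compare "
            "the hosts' TLS terminators" % (a["robot"], b["robot"]))

# Constructed sample reports, trimmed to the fields used above.
def _report(ip, code):
    return {"endpoints": [{"ipAddress": ip, "details": {"bleichenbacher": code,
            "suites": [{"protocol": 771, "list": [
                {"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
                {"name": "TLS_RSA_WITH_AES_128_CBC_SHA"}]}]}}]}

SITE_A = _report("192.0.2.10", 1)   # not vulnerable
SITE_B = _report("192.0.2.11", 4)   # inconsistent results

if __name__ == "__main__":
    print(json.dumps(summarize(SITE_A) + summarize(SITE_B), indent=1))
    print(diagnose(SITE_A, SITE_B))
```

Feed it the JSON that ssllabs-scan writes for each host instead of the constructed reports to see whether a mismatch comes from the cipher configuration or from the oracle test itself.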
And forgot to mention that testing the sites on the SSL Lab dev version, both sites are not vulnerable.
Thanks, Kun
Please check this thread, similar issue here: https://community.qualys.com/thread/18114-f-rating-for-a-website-that-has-no-rsa
Hi,
We used both the DEV and PROD versions of SSL Labs to verify against the ROBOT attack; however, we are getting some inconsistent results. For the sites we tested, the reports are identical (i.e., both sites have identical cipher suites, including the weak RSA ones), but one of them is flagged as vulnerable and the other is fine.
Thanks, Kun