Infinite second

Enter the 36 chambers of infrastructure wu-tang

Friday, April 04, 2008

Devilish details (more on my TLS config obsession)

I updated the TLS tool to check the complete order of preference for all ciphers supported by a given server. While the good ones stayed darned good, the bad ones got even worse. Here are a couple of examples. Notice that, in both cases, the weakest, non-export ciphers are at the top, and there doesn't seem to be any sense to the ordering of the rest of the ciphers. In the case of Facebook, they even prefer several export-grade ciphers over those using ephemeral keying!

Facebook

test run at Sat Apr 05 11:32:09 -0700 2008

grade for www.facebook.com:443 is low

supported protocols for www.facebook.com:
-> SSLv3, TLSv1

default cipher for www.facebook.com:
-> RC4-MD5 TLSv1/SSLv3

server certificate strength is low
-> excessive certificate lifetime (Fri Sep 28 23:53:12 UTC 2007 to Tue Sep 28 23:53:12 UTC 2010)
-> MD5, RSAEncryption, 1024 bits
-> expires Tue Sep 28 23:53:12 UTC 2010

valid ciphers for www.facebook.com, in order of preference:
-> RC4-MD5 TLSv1/SSLv3
-> RC4-SHA TLSv1/SSLv3
-> AES128-SHA TLSv1/SSLv3
-> AES256-SHA TLSv1/SSLv3
-> DES-CBC3-SHA TLSv1/SSLv3
-> DES-CBC-SHA TLSv1/SSLv3
-> EXP-RC4-MD5 TLSv1/SSLv3
-> EXP-DES-CBC-SHA TLSv1/SSLv3
-> DHE-RSA-AES256-SHA TLSv1/SSLv3
-> EDH-RSA-DES-CBC3-SHA TLSv1/SSLv3
-> DHE-RSA-AES128-SHA TLSv1/SSLv3
-> EDH-RSA-DES-CBC-SHA TLSv1/SSLv3
-> EXP-EDH-RSA-DES-CBC-SHA TLSv1/SSLv3
-> EXP-RC2-CBC-MD5 TLSv1/SSLv3


Amazon

test run at Sat Apr 05 11:30:07 -0700 2008

grade for www.amazon.com:443 is low

supported protocols for www.amazon.com:
-> SSLv2, SSLv3, TLSv1

default cipher for www.amazon.com:
-> RC4-MD5 TLSv1/SSLv3

server certificate strength is low
-> SHA1, RSAEncryption, 1024 bits
-> expires Wed Sep 17 23:59:59 UTC 2008

valid ciphers for www.amazon.com, in order of preference:
-> RC4-MD5 TLSv1/SSLv3
-> RC4-MD5 SSLv2
-> RC4-SHA TLSv1/SSLv3
-> DES-CBC3-SHA TLSv1/SSLv3
-> AES256-SHA TLSv1/SSLv3
-> AES128-SHA TLSv1/SSLv3
-> DES-CBC-SHA TLSv1/SSLv3
-> EXP-RC4-MD5 TLSv1/SSLv3
-> EXP-RC4-MD5 SSLv2
-> EXP-DES-CBC-SHA TLSv1/SSLv3
-> EXP-RC2-CBC-MD5 TLSv1/SSLv3
-> EXP-RC2-CBC-MD5 SSLv2
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)