Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

The SSL Labs results discussion thread

  • 20-05-2015 9:21am
    #1
    Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭


    https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fonlinebanking.aib.ie%2Finet%2Froi%2Flogin.htm

    Summary:

    This server is vulnerable to the POODLE attack against TLS servers. Patching required. Grade set to F. MORE INFO »
    This server uses SSL 3, which is obsolete and insecure. Grade capped to B. MORE INFO »
    Certificate uses a weak signature. When renewing, ensure you upgrade to SHA2. MORE INFO »
    This server accepts the RC4 cipher, which is weak. Grade capped to B. MORE INFO »
    The server does not support Forward Secrecy with the reference browsers. MORE INFO »

    Server Key and Certificate #1Common namesonlinebanking.aib.ieAlternative namesonlinebanking.aib.iePrefix handlingNot required for subdomainsValid fromTue, 02 Dec 2014 00:00:00 UTCValid untilThu, 03 Dec 2015 23:59:59 UTC (expires in 6 months and 13 days)KeyRSA 2048 bits (e 65537)Weak key (Debian)NoIssuerVeriSign Class 3 Secure Server CA - G3Signature algorithmSHA1withRSA WEAKExtended ValidationNoCertificate TransparencyNoRevocation informationCRL, OCSPRevocation statusGood (not revoked)TrustedYes

    SubjectVeriSign Class 3 Public Primary Certification Authority - G5
    Fingerprint: 32f30882622b87cf8856c63db873df0853b4dd27Valid untilSun, 07 Nov 2021 23:59:59 UTC (expires in 6 years and 5 months)KeyRSA 2048 bits (e 65537)IssuerVeriSign / Class 3 Public Primary Certification AuthoritySignature algorithmSHA1withRSA WEAK

    Certification PathsPath #1: Trusted1Sent by serveronlinebanking.aib.ie
    Fingerprint: 48f8a55d24aca9573d5bb6b4532d5cacd77c4dcc
    RSA 2048 bits (e 65537) / SHA1withRSA
    WEAK SIGNATURE2Sent by serverVeriSign Class 3 Secure Server CA - G3
    Fingerprint: 5deb8f339e264c19f6686f5f8f32b54a4c46b476
    RSA 2048 bits (e 65537) / SHA1withRSA
    WEAK SIGNATURE3In trust storeVeriSign Class 3 Public Primary Certification Authority - G5 Self-signed
    Fingerprint: 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5
    RSA 2048 bits (e 65537) / SHA1withRSA
    Weak or insecure signature, but no impact on root certificate

    ProtocolsTLS 1.2YesTLS 1.1YesTLS 1.0YesSSL 3 INSECUREYesSSL 2No
    Cipher Suites (SSL 3+ suites in server-preferred order; deprecated and SSL 2 suites always at the end)TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK128TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)128TLS_RSA_WITH_AES_256_CBC_SHA (0x35)256TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)112TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)128TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)256TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS128TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS256TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH 256 bits (eq. 3072 bits RSA) FS112


    Protocol DetailsSecure RenegotiationSupportedSecure Client-Initiated RenegotiationSupported DoS DANGER (more info)Insecure Client-Initiated RenegotiationNoBEAST attackMitigated server-side (more info) SSL 3: 0x5, TLS 1.0: 0x5POODLE (SSLv3)No, mitigated (more info) SSL 3: 0x5POODLE (TLS)Vulnerable INSECURE (more info)Downgrade attack preventionNo, TLS_FALLBACK_SCSV not supported (more info)TLS compressionNoRC4Yes WEAK (more info)Heartbeat (extension)NoHeartbleed (vulnerability)No (more info)OpenSSL CCS vuln. (CVE-2014-0224)No (more info)Forward SecrecyNo WEAK (more info)Next Protocol Negotiation (NPN)NoSession resumption (caching)No (IDs assigned but not accepted)Session resumption (tickets)NoOCSP staplingNoStrict Transport Security (HSTS)NoPublic Key Pinning (HPKP)NoLong handshake intoleranceNoTLS extension intoleranceNoTLS version intoleranceNoIncorrect SNI alerts-SSL 2 handshake compatibilityYes


Comments

  • Closed Accounts Posts: 140 ✭✭AskAIB: Katherina


    Hi Impetus,

    At AIB we take security very seriously. We continue to implement enhanced security measures and strive to proactively improve our security systems and infrastructure against common industry threats and vulnerabilities. This is aimed at enhancing the confidentiality and integrity of data communication between AIB systems and our customers.

    Such common vulnerabilities across the industry include those that target end user secure browser sessions (better known as HTTPS or SSL). AIB is working to implement supplementary controls to improve the standards for secure online browsing. AIB encourages its customers to use up to date software (including browsers) patched to current levels to further reduce security risk.

    If you would like to get in touch with us directly, you can talk to us at AskAIB and we will be happy to help

    All the best
    Trina


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Hi Impetus,

    At AIB we take security very seriously. We continue to implement enhanced security measures and strive to proactively improve our security systems and infrastructure against common industry threats and vulnerabilities. This is aimed at enhancing the confidentiality and integrity of data communication between AIB systems and our customers.

    Such common vulnerabilities across the industry include those that target end user secure browser sessions (better known as HTTPS or SSL). AIB is working to implement supplementary controls to improve the standards for secure online browsing. AIB encourages its customers to use up to date software (including browsers) patched to current levels to further reduce security risk.

    If you would like to get in touch with us directly, you can talk to us at AskAIB and we will be happy to help

    All the best
    Trina

    Thank you for your posting. It is not a matter of personal impact on myself, as the credit limit I have given to AIB in its current position is very low and thus any money I have with that bank are not material in size.

    Triana, the best thing you could do for the bank in terms of the topic at hand is to have the IT system problems fixed, which cause the F rating here:

    https://www.ssllabs.com/ssltest/anal...oi%2Flogin.htm


  • Closed Accounts Posts: 140 ✭✭AskAIB: Katherina


    Hi Impetus,

    We appreciate your feedback and we have passed this onto our Security Team. If there's anything else we can help you with, please let us know.

    Kind regards
    Trina


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Local authorities and other government agencies involved in the collection of money via websites have very neglected security in their payments processing infrastructure, if a few random tests I have done recently are any indication of the overall position.

    Many local authorities seem to be outsourcing payment functions to https://epayments.lgcsb.ie and this website is grossly insecure with an “F” rating. https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fepayments.lgcsb.ie Their own website is at : http://www.lgcsb.ie

    Other money taking sites with problems:

    Motortax.ie 159.134.92.71 Grade “C”

    https://www.eflow.ie Toll payment M50 etc “C” (it doesn’t support TLS 1.1 and 1.2)

    TV License purchase: https://www.ssllabs.com/ssltest/analyze.html?d=tvlicence.ie “C” – it won’t support TLS 1.2 and has weak cyphers.

    NCT – car testing: https://www.ssllabs.com/ssltest/analyze.html?d=ncts.ie “C” grade.

    TLS best practice documentation: https://www.ssllabs.com/projects/documentation/

    The above is just a random selection - and should not be assumed to be comprehensive. I may test some other sites, and publish the outcome at a later date. I may also follow up known defective sites to see if they have been fixed, and report on my findings - good or bad.

    Government agencies, as well as companies, banks, insurance companies, and charities owe a duty of care to their customers to keep their computer security up to date. Clearly this duty of care is not being taken seriously in Ireland.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Thanks Katherina. I neglected to mention that AIB Business Banking also has similar issues - https://www.ssllabs.com/ssltest/analyze.html?d=ibusinessbanking.aib.ie

    This is even more critical in my mind given the larger payment limits that apply to various business customers and the size of balances on corporate accounts. I would have PM'd you, only I couldn't find a link.

    Regards

    Impetus


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Ulster Bank only manage a "C" grade on their business banking portal

    https://www.ssllabs.com/ssltest/analyze.html?d=bankline.ulsterbank.ie


  • Registered Users, Registered Users 2 Posts: 3,292 ✭✭✭0lddog


    Same as ROS.ie

    So thats OK then :eek:


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    I have no doubt that ros.ie will review the matter seriously, and take any action they feel appropriate.

    I notice that the Local Government Management Agency appear to have taken their payment processing system down – however their F rating is far more serious, than a “C”.

    Refreshingly different from the pig headed approach taken by Ryanair, refusing to allow clients connect via TLS 1.2 – the only protocol with a clear record so far. Most PCs can use TLS 1.2 and aren’t forced to use MD4, etc.

    Even if Ryanair has a lot of customers with antiquated XP sp2 or older PCs using Internet Explorer, the European travelling public should not be forced to make reservations using technology that should be in the gutter. If Ryanair has enough crappy PC users in its client base, it is a simple matter to re-route a connection from an XP sp2 or worse machine to an alternative domain – eg insecure_client_service_area.ryanair.com. With a message advertising replacement PCs at discounted prices, instead of Samsonite cases or rental cars. Pointing out that their reservation task had to be quarantined.

    Ryanair is the largest collector of personal information based in Ireland – much of it needlessly collected for the purpose of a reservation. I can only suspect that Ryanair is selling the firehose of customer data to the NSA, GDHQ and others, either directly or indirectly?

    https://www.ssllabs.com/ssltest/analyze.html?d=www.ryanair.com&s=37.18.148.99&latest

    Snowden has said on many occasions that the NSA & co use deprecation (forcing computer connections to take place at low levels of security (eg 512 bit rather than 2,048 bits). Companies that leave defunct and weak security running on their system allow this deprecation to happen, making it easy to crack the plain text of an “encrypted” stream. The only solution is to shut out weak technologies, and if necessary tell customers with old machines to do their business over a dedicated phone number – charging them extra for the service.

    For anybody interested in an A+ grade set-up have a look at Vienna based https://jabber.at which runs on Drupal 7. Configuration of system:
    https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fjabber.at

    Well worth reading : https://www.ssllabs.com/projects/best-practices/index.html

    You can check your browser at this link: https://www.ssllabs.com/ssltest/viewMyClient.html


  • Registered Users, Registered Users 2 Posts: 2,755 ✭✭✭niallb


    There's a good discussion on a recent Security Now podcast (ep 505) about the background to this and the fact that it also impacts Bank of America and many other large international banks. The RC4 cipher is the most likely default negotiated in that case because while it is weak, there were no current exploits against it when POODLE, BEAST and other attacks were examined, and it was promoted in the list to be accepted even if a better grade of encryption was offered.

    The grade applied to RC4 by sslinfo here is capped to B to allow for time to remove it, but will be downgraded to an F if still in use in September.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Jesus, even in his own thread about Ulster Bank he descends into a rant about Ryanair.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    Errrrr do we need a separate thread with the results from an automated scanning website on organisations? Could i suggest using one thread maybe for them all if you like?

    Have you contacted the organisations for comment or to notify them?

    TBH there's many bigger security issues and concerns for most org's, Even though some sites are getting low ratings they are complex attacks in most cases, requiring some luck, and requiring fairly advanced knowledge above and beyond for example a script kiddie.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    https://www.ssllabs.com/ssltest/analyze.html?d=amazon.com&s=72.21.206.6

    Amazon supports SCSV for preventing protocol downgrade attacks (I have only checked AWS).

    https://datatracker.ietf.org/doc/rfc7507/

    This in my view is key to allowing secure connections for client machines that support the newest and strongest protocols. Particularly relevant for servers that have been compromised to support Windows XP SP2 and older. SHA 1 was designed by the NSA - and one can't help but think that this organization designed in the weakness to this protocol? If a client supports SHA2 and SHA3?


  • Registered Users, Registered Users 2 Posts: 1,917 ✭✭✭B00MSTICK


    I'm beginning to think a single SSL security thread may be better than having separate ones for every interesting site you look at?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Yep. I'll box this off later.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Done. :)

    Let's keep similar posts in this thread please.


  • Registered Users, Registered Users 2 Posts: 576 ✭✭✭ifah


    Khannie wrote: »
    Done. :)

    Let's keep similar posts in this thread please.

    Cheers Khannie - could you change the Title also ? "Impetus' glorious SSLLabs Expose" or something similar.


  • Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭Impetus


    Perhaps of the word "glorious" was removed fromthe topic title, it would be more logical? Few of the servers referred to in the cases cited deserve to be in the "glory" category.

    In any event, its use and origin suggest a certain bias in the thinking of the person responsible for the creation of the title, vis-a-vis the items discussed or the general topic.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    The glorious was meant to refer to the thread, but you don't like it, so it's removed. :)


Advertisement