DVC member web site using old encryption

[ScubaCat]

I'd just like to send a shout out to DVD and commend them on their awesome website security, or lack thereof. Using deprecated DH with an anonymous 128-bit cipher... excellent. It's actually hard to find a site with an SSL Labs "F" grade these days, but the DVC site is holding firm to bringing up the bottom. I guess it's safe in that it only works half the time anyway.

 

[kdonnel]

Not really a problem. Your browser will not select that cipher.

From stack exchange:
Some of the standard cipher suites are intentionally weak in some way. There are:

• some cipher suites with no encryption at all, only integrity check, e.g. TLS_RSA_WITH_NULL_SHA;
• some cipher suites with 40-bit encryption, such as TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5(cipher suites meant to comply with the stringent US export rules from last century -- these regulations have been mostly lifted at the end of the Bill Clinton era);
• some cipher suites with 56-bit encryption, such as TLS_RSA_WITH_DES_CBC_SHA. 56-bit DES is breakable with existing technology, but that's still a bit hard for an amateur (even a bored student with access to a few hundred university machines), so I tend to qualify 56-bit DES as "medium strength".

This opens the road to a variant of version rollback attacks, in which the attacker forces client and server to agree on a weak cipher suite, the idea being that the attacker modifies the list of cipher suites announced by the client. This is workable for the attacker if the selected cipher suite is so weak that he can break it in order to recompute an apparently correct Finished message. Actually, the MAC used in SSLv3+ (even when based on MD5) is robust enough to prevent that. So no actual worry here. Also, my opinion is that any real weakness here is when a client or a server accepts to use a weak cipher suite at all.

By default, modern Web browsers do not allow the use of such weak cipher suites.

 

[ScubaCat]

Yes, most likely your session will be fine.

Nevertheless, the fact that it's even presented or negotiated at all is still bad. Technical jargon aside, it's the same reason just seeing one little bed bug is a BIG problem. If they can't manage one little thing like that, it's no telling what else is broken on the back end. (I'm assuming that some device, like an F5 or something, does SSL offload)

I spend an annoying percentage of my career on cipher suites, encryption protocols, and all kinds of seemingly inane things for various compliance certifications. Believe me, even allowing those to be negotiated is not good.

But... Oh well

 

[_auroraborealis_]

High quality IT, like I always say.

 

[drusba]

I have not the foggiest idea what everyone just said. Can someone tell me in language an IT idiot can understand whether this means the DVC member site is safe or do I have a reason to be seriously concerned that the information it has on me can be easily hacked?

 

[paults]

Disney's not making enough money YET to pay this guys to produce a working website. Maybe they should raise more prices

 

[CraigInPA]

They can't pass PCI/DSS with that configuration. I would guess they are a level 2 merchant, which means they have to have an annual audit. Either their auditor isn't doing their job, or Disney has recently turned back the clock to support that old cipher and, in the process, blown their certification.

 

[jerseyduke]

Did you check to see the grades of the bajillion places that actually DID have data breaches?

 

[ScubaCat]

Usually a "B" SSL Labs rating is what I'd expect unless you're a bank or something. I can understand the "B" because going to an "A" will break IE 8 which effectively breaks Windows XP users (unless they use a different browser like Firefox or Chrome). There's still enough people using XP that I wouldn't want to limit them.

It won't hurt YOUR particular connection, but I wonder why they have most everything set correctly but left a couple of old, weak ciphers enabled externally like that. Makes me wonder if they're using that for some legacy system and they forgot to lock it down properly. Still, it's shoddy. If you can't fix the easy stuff........