Full Disclosure mailing list archives

By Date By Thread Defense in depth -- the Microsoft way (part 25): no secure connections to MSDN, TechNet, ... From: "Stefan Kanthak" <stefan.kanthak () nexgo de>

Date: Fri, 26 Dec 2014 22:49:19 +0100

Hi @ll, the WWW sites msdn.microsoft.com and technet.microsoft.com still support SSLv3 for HTTPS connections, but neither TLSv1.1 nor TLSv1.2. Additionally they prefer the weak ciphers TLS_RSA_WITH_RC4_128_MD5 and TLS_RSA_WITH_RC4_128_SHA and offer not a single cipher that supports "forward secrecy". See <https://www.ssllabs.com/ssltest/analyze.html?d=msdn.microsoft.com> resp. <https://www.ssllabs.com/ssltest/analyze.html?d=msdn.microsoft.com&s=65.52.103.102> and <https://www.ssllabs.com/ssltest/analyze.html?d=technet.microsoft.com> Both sites are hosted on "Microsoft-IIS/8.0" which can handle TLSv1.1 and TLSv1.2 as well as ciphers that support "forward secrecy". The WWW site answers.microsoft.com has the same bad protocol support, but better cipher support, albeit no "forward secrecy". See <https://www.ssllabs.com/ssltest/analyze.html?d=answers.microsoft.com> and <https://www.ssllabs.com/ssltest/analyze.html?d=answers.microsoft.com&s=157.56.56.109> The WWW sites support.microsoft.com and support2.microsoft.com support TLSv1.1, TLSv1.2 and PFS, but have SSLv3 still enabled too and have NO mitigation against POODLE. See <https://www.ssllabs.com/ssltest/analyze.html?d=support.microsoft.com> resp. <https://www.ssllabs.com/ssltest/analyze.html?d=support.microsoft.com&s=191.239.1.172> and <https://www.ssllabs.com/ssltest/analyze.html?d=support2.microsoft.com> OTOH the WWW site connect.microsoft.com (like answers.microsoft.com hosted on "Microsoft-IIS/7.5") supports TLSv1.1, TLSv1.2 and PFS, but has SSLv3 still enabled too. See <https://www.ssllabs.com/ssltest/analyze.html?d=connect.microsoft.com> Finally take a look at the WWW site social.microsoft.com alias social.msdn.microsoft.com alias social.technet.microsoft.com: NO SSLv3, NO weak ciphers, TLSv1.1, TLSv1.2 and PFS enabled. See <https://www.ssllabs.com/ssltest/analyze.html?d=social.msdn.microsoft.com> But even there MSFT could do better and offer ciphers with GCM and PFS! outlook.com alias www.outlook.com has SSLv3 enabled, no mitigation against BEAST and POODLE, and supports weak ciphers with RC4 but no ciphers with GCM! Some of the servers of [www.]outlook.com are even worse than ANY of the above: See <https://www.ssllabs.com/ssltest/analyze.html?d=outlook.com&s=157.56.245.70>, <https://www.ssllabs.com/ssltest/analyze.html?d=outlook.com&s=157.56.236.214>, <https://www.ssllabs.com/ssltest/analyze.html?d=outlook.com&s=157.56.232.166>, <https://www.ssllabs.com/ssltest/analyze.html?d=outlook.com&s=157.56.241.102> and <https://www.ssllabs.com/ssltest/analyze.html?d=outlook.com&s=157.56.245.166> live.com supports weak ciphers with RC4 but no ciphers with GCM! JFTR: compare MSFTs deeds to their following words^Wannouncements: <http://blogs.microsoft.com/blog/2013/12/04/protecting-customer-data-from-government-snooping/> <http://blogs.microsoft.com/on-the-issues/2014/07/01/advancing-our-encryption-and-transparency-efforts/> <http://blogs.microsoft.com/cybertrust/2014/08/07/strengthening-encryption-for-microsoft-azure-customers/> <http://azure.microsoft.com/blog/2014/08/07/tlsssl-cipher-suite-enhancements-and-perfect-forward-secrecy/> <http://blogs.microsoft.com/cybertrust/2014/10/28/microsofts-commitment-to-protect-customer-data-through-encryption-continues/ MSFT, are you really (REALLY!) serious abouth better encryption? Apparently the user credentials (formerly known as "passport ID", then "Live ID" and nowadays "Microsoft account") that are used for your mail account on Outlook.com, your data on OneDrive or Azure, to access the downloads for MSDN/TechNet subscribers on MSDN/TechNet or the support groups are no user data worth to protect.-( regards Stefan Kanthak _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: Defense in depth -- the Microsoft way (part 25): no secure connections to MSDN, TechNet, ... Stefan Kanthak (Dec 27)