[aklug] Re: [NUGA] Re: If you are still running SSLv2, you should disable it ASAP

From: Royce Williams <royce@tycho.org>
Date: Thu Mar 03 2016 - 08:33:30 AKST

A few updates:

1. The dev version of Qualys SSL Labs at
https://dev.ssllabs.com/ssltest/analyze.html now has experimental indirect
checking for DROWN (by special arrangement, Ivan Ristic is pulling in
censys.io data directly for DROWN).

Here are two Alaskan examples. The first one passes the DROWN check; the
second one fails.

https://dev.ssllabs.com/ssltest/analyze.html?d=arcticbikeclub.org
https://dev.ssllabs.com/ssltest/analyze.html?d=cableedge.gci.net

2. Last night, I rescanned all hosts previously noted as having SSLv2
enabled, so http://www.techsolvency.com/tls/ has fresh SSLv2 re-check
results. If someone *enabled* SSLv2 in the meantime, I won't have that
data for a while. You can put "2016-03-0" in the search box to see all of
the recent re-scans.

3. If any of you do business with Lunarpages hosting, could you inquire
with them directly? They are severely behind in patching and they have
severely weak DH parameters (512 bits). My attempts to contact them have
been largely ignored. Please forward them the weakdh.org link, if you
would. The associated hosts and results are:

Host | Test date | Grade | Cert expires | Revoc | Cert issuer | Cert chain |
SSLv2 | SSLv3 | TLS1.0 | TLS1.1 | TLS1.2 | BEAST vuln | CRIME vuln |
Heartbleed vuln | CCS vuln | POODLE SSL | POODLE TLS | FREAK vuln | Weak DH |
DH primes | Reneg issues | Main sigAlg | int SHA1 | RC4 | Key str | Fwd Sec |
SCSV | HSTS | Server signature | Risk score | Test ver

*actalaska.org <https://actalaska.org/>*
216.97.232.210
(gaspra.lunarpages.com)
Qualys <https://www.ssllabs.com/ssltest/analyze.html?d=actalaska.org> | JSON
<http://www.techsolvency.com/tls/data/json/actalaska.org.json.txt> | dump
<http://www.techsolvency.com/tls/data/dump/actalaska.org.dump.txt> |www
<https://www.actalaska.org/> 2016-03-03 07:48:58 F expd: 2010-06-06 revoc
not checked (0) rare issuer chain OK (0) no SSLv2 no SSLv3 TLS1.0 on no
TLS1.1 no TLS1.2 BEAST vuln no CRIME no Heartbleed CCS, OK? (2) no POODLE
SSL no POODLE TLS (1) FREAK vuln DH weak (1024) known weak vuln (2) (2) sec
sv reneg SHA1 RSA no SHA1 int RC4 on keystr 1024 partial FS (1) one proto no
HSTS Apache/2.0.64 (Unix) mod_ssl/2.0.64 OpenSSL/0.9.7a
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
mod_fcgid/2.3.6 25 1.21.14
*anchorageaudubon.org <https://anchorageaudubon.org/>*
74.50.0.45
(macha.lunarservers.com)
Qualys <https://www.ssllabs.com/ssltest/analyze.html?d=anchorageaudubon.org>
 | JSON
<http://www.techsolvency.com/tls/data/json/anchorageaudubon.org.json.txt> |
dump
<http://www.techsolvency.com/tls/data/dump/anchorageaudubon.org.dump.txt> |
www <https://www.anchorageaudubon.org/> 2016-03-03 07:49:35 F exp:
2019-03-09 cert not revoked (2) common issuer (COMODO) chain OK (0) no SSLv2 no
SSLv3 TLS1.0 on no TLS1.1 no TLS1.2 BEAST vuln no CRIME no Heartbleed CCS
OK (1) no POODLE SSL no POODLE TLS (1) FREAK vuln DH weak (1024) known weak
vuln (2) (2) sec sv reneg SHA256 RSA no SHA1 int RC4 on keystr 2048 partial
FS (1) one proto no HSTS Apache/2.0.64 (Unix) mod_ssl/2.0.64 OpenSSL/0.9.8e
fips rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 mod_fcgid/2.3.6 18
1.21.14
*cityofbarrow.org <https://cityofbarrow.org/>*
67.210.118.23
(lily.lunarbreeze.com)
Qualys <https://www.ssllabs.com/ssltest/analyze.html?d=cityofbarrow.org> |
JSON <http://www.techsolvency.com/tls/data/json/cityofbarrow.org.json.txt>
 | dump
<http://www.techsolvency.com/tls/data/dump/cityofbarrow.org.dump.txt> |www
<https://www.cityofbarrow.org/> 2016-03-03 07:49:49 F expd: 2015-06-18 revoc
not checked (0) common issuer (COMODO) chain: incomplete (2); no SSLv2 no
SSLv3 TLS1.0 on no TLS1.1 no TLS1.2 BEAST vuln no CRIME no Heartbleed CCS,
OK? (2) no POODLE SSL no POODLE TLS (1) FREAK vuln DH weak (512) known weak
vuln (2) (2) sec sv reneg SHA1 RSA no SHA1 int RC4 on keystr 2048 partial
FS (1) one proto no HSTS Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.7a
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
mod_fcgid/2.3.6 24 1.21.14
*drgeorgestransky.com <https://drgeorgestransky.com/>*
67.210.123.20
(distaff.lunarbreeze.com)
Qualys <https://www.ssllabs.com/ssltest/analyze.html?d=drgeorgestransky.com>
 | JSON
<http://www.techsolvency.com/tls/data/json/drgeorgestransky.com.json.txt> |
dump
<http://www.techsolvency.com/tls/data/dump/drgeorgestransky.com.dump.txt> |
www <https://www.drgeorgestransky.com/> 2016-03-03 07:47:12 F exp:
2019-03-09 cert not revoked (2) common issuer (COMODO) chain OK (0) no SSLv2 no
SSLv3 TLS1.0 on no TLS1.1 no TLS1.2 BEAST vuln no CRIME no Heartbleed CCS,
OK? (2) no POODLE SSL no POODLE TLS (1) FREAK vuln DH weak (512) known weak
vuln (2) (2) sec sv reneg SHA256 RSA no SHA1 int RC4 on keystr 2048 partial
FS (1) one proto no HSTS Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.7a
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
mod_fcgid/2.3.5 19 1.21.14
*fireweed400.com <https://fireweed400.com/>*
216.97.230.65
(muphrid.lunarpages.com)
Qualys <https://www.ssllabs.com/ssltest/analyze.html?d=fireweed400.com> |
JSON <http://www.techsolvency.com/tls/data/json/fireweed400.com.json.txt> |
dump <http://www.techsolvency.com/tls/data/dump/fireweed400.com.dump.txt> |
www <https://www.fireweed400.com/> 2016-03-03 07:47:09 F exp: 2019-03-09 cert
not revoked (2) common issuer (COMODO) chain: self-signed root (16); no
SSLv2 no SSLv3 TLS1.0 on no TLS1.1 no TLS1.2 BEAST vuln no CRIME no
Heartbleed CCS OK (1) no POODLE SSL no POODLE TLS (1) FREAK vuln DH weak
(1024) known weak vuln (2) (2) sec sv reneg SHA256 RSA no SHA1 int RC4
on keystr
2048 partial FS (1) one proto no HSTS Apache/2.0.64 (Unix) mod_ssl/2.0.64
OpenSSL/0.9.8e fips rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4
mod_fcgid/2.3.6 18 1.21.14
*flyalaska.com <https://flyalaska.com/>*
67.210.126.150
(valina.lunarpages.com)
Qualys <https://www.ssllabs.com/ssltest/analyze.html?d=flyalaska.com> | JSON
<http://www.techsolvency.com/tls/data/json/flyalaska.com.json.txt> | dump
<http://www.techsolvency.com/tls/data/dump/flyalaska.com.dump.txt> |www
<https://www.flyalaska.com/> 2016-03-03 07:47:43 F expd: 2013-03-29 revoc
not checked (0) common issuer (Go Daddy) chain OK (0) no SSLv2 no SSLv3 TLS1.0
on TLS1.1 on TLS1.2 on BEAST vuln no CRIME no Heartbleed CCS OK (1) no
POODLE SSL no POODLE TLS (1) no FREAK no weak DH no primes (2) sec sv
reneg SHA1
RSA int SHA1 RC4 on keystr 2048 partial FS (1) has SCSV no HSTS Apache/2.2.27
(Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e fips mod_bwlimited/1.4 mod_fcgid/2.3.9
13 1.21.14
*g2const.com <https://g2const.com/>*
67.210.118.23
(lily.lunarbreeze.com)
Qualys <https://www.ssllabs.com/ssltest/analyze.html?d=g2const.com> | JSON
<http://www.techsolvency.com/tls/data/json/g2const.com.json.txt> | dump
<http://www.techsolvency.com/tls/data/dump/g2const.com.dump.txt> |www
<https://www.g2const.com/> 2016-03-03 07:48:01 F expd: 2015-06-18 revoc not
checked (0) common issuer (COMODO) chain: incomplete (2); no SSLv2 no
SSLv3 TLS1.0
on no TLS1.1 no TLS1.2 BEAST vuln no CRIME no Heartbleed CCS, OK? (2) no
POODLE SSL no POODLE TLS (1) FREAK vuln DH weak (512) known weak vuln (2) (2)
sec sv reneg SHA1 RSA no SHA1 int RC4 on keystr 2048 partial FS (1) one
proto no HSTS Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.7a
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
mod_fcgid/2.3.6 24 1.21.14
*inupiatgov.com <https://inupiatgov.com/>*
67.210.118.23
(lily.lunarbreeze.com)
Qualys <https://www.ssllabs.com/ssltest/analyze.html?d=inupiatgov.com> |
JSON <http://www.techsolvency.com/tls/data/json/inupiatgov.com.json.txt> |
dump <http://www.techsolvency.com/tls/data/dump/inupiatgov.com.dump.txt> |
www <https://www.inupiatgov.com/> 2016-03-03 07:48:03 F expd: 2015-06-18 revoc
not checked (0) common issuer (COMODO) chain: incomplete (2); no SSLv2 no
SSLv3 TLS1.0 on no TLS1.1 no TLS1.2 BEAST vuln no CRIME no Heartbleed CCS,
OK? (2) no POODLE SSL no POODLE TLS (1) FREAK vuln DH weak (512) known weak
vuln (2) (2) sec sv reneg SHA1 RSA no SHA1 int RC4 on keystr 2048 partial
FS (1) one proto no HSTS Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.7a
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
mod_fcgid/2.3.6 24 1.21.14
*kbrw.org <https://kbrw.org/>*
67.210.118.23
(lily.lunarbreeze.com)
Qualys <https://www.ssllabs.com/ssltest/analyze.html?d=kbrw.org> | JSON
<http://www.techsolvency.com/tls/data/json/kbrw.org.json.txt> | dump
<http://www.techsolvency.com/tls/data/dump/kbrw.org.dump.txt> |www
<https://www.kbrw.org/> 2016-03-03 07:50:13 F expd: 2015-06-18 revoc not
checked (0) common issuer (COMODO) chain: incomplete (2); no SSLv2 no
SSLv3 TLS1.0
on no TLS1.1 no TLS1.2 BEAST vuln no CRIME no Heartbleed CCS, OK? (2) no
POODLE SSL no POODLE TLS (1) FREAK vuln DH weak (512) known weak vuln (2) (2)
sec sv reneg SHA1 RSA no SHA1 int RC4 on keystr 2048 partial FS (1) one
proto no HSTS Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.7a
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
mod_fcgid/2.3.6 24 1.21.14
*paamg.net <https://paamg.net/>*
74.50.26.207
(cronus.lunarbreeze.com)
Qualys <https://www.ssllabs.com/ssltest/analyze.html?d=paamg.net> | JSON
<http://www.techsolvency.com/tls/data/json/paamg.net.json.txt> | dump
<http://www.techsolvency.com/tls/data/dump/paamg.net.dump.txt> |www
<https://www.paamg.net/> 2016-03-03 07:49:14 B exp: 2016-04-04 cert not
revoked (2) common issuer (COMODO) chain OK (0) no SSLv2 no SSLv3
TLS1.0 on TLS1.1
on TLS1.2 on BEAST vuln no CRIME no Heartbleed CCS test failed (-1) no
POODLE SSL no POODLE TLS (1) no FREAK DH weak (1024) known weak vuln (2) (2)
sec sv reneg SHA256 RSA no SHA1 int RC4 on keystr 2048 modern FS (2) no SCSV no
HSTS Microsoft IIS/8.5 12 1.21.14
*techgn.com <https://techgn.com/>*
67.210.118.23
(lily.lunarbreeze.com)
Qualys <https://www.ssllabs.com/ssltest/analyze.html?d=techgn.com> | JSON
<http://www.techsolvency.com/tls/data/json/techgn.com.json.txt> | dump
<http://www.techsolvency.com/tls/data/dump/techgn.com.dump.txt> |www
<https://www.techgn.com/> 2016-03-03 07:48:07 F expd: 2015-06-18 revoc not
checked (0) common issuer (COMODO) chain: incomplete (2); no SSLv2 no
SSLv3 TLS1.0
on no TLS1.1 no TLS1.2 BEAST vuln no CRIME no Heartbleed CCS, OK? (2) no
POODLE SSL no POODLE TLS (1) FREAK vuln DH weak (512) known weak vuln (2) (2)
sec sv reneg SHA1 RSA no SHA1 int RC4 on keystr 2048 partial FS (1) one
proto no HSTS Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.7a
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
mod_fcgid/2.3.6 24 1.21.14
*voipalaska.com <https://voipalaska.com/>*
67.210.118.23
(lily.lunarbreeze.com)
Qualys <https://www.ssllabs.com/ssltest/analyze.html?d=voipalaska.com> |
JSON <http://www.techsolvency.com/tls/data/json/voipalaska.com.json.txt> |
dump <http://www.techsolvency.com/tls/data/dump/voipalaska.com.dump.txt> |
www <https://www.voipalaska.com/> 2016-03-03 07:48:44 F expd: 2015-06-18 revoc
not checked (0) common issuer (COMODO) chain: incomplete (2); no SSLv2 no
SSLv3 TLS1.0 on no TLS1.1 no TLS1.2 BEAST vuln no CRIME no Heartbleed CCS,
OK? (2) no POODLE SSL no POODLE TLS (1) FREAK vuln DH weak (512) known weak
vuln (2) (2) sec sv reneg SHA1 RSA no SHA1 int RC4 on keystr 2048 partial
FS (1) one proto no HSTS Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.7a
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
mod_fcgid/2.3.6 24 1.21.14
*web.akalpinelodge.com <https://web.akalpinelodge.com/>*
67.210.118.23
(lily.lunarbreeze.com)
Qualys
<https://www.ssllabs.com/ssltest/analyze.html?d=web.akalpinelodge.com> |
JSON
<http://www.techsolvency.com/tls/data/json/web.akalpinelodge.com.json.txt>
 | dump
<http://www.techsolvency.com/tls/data/dump/web.akalpinelodge.com.dump.txt> |
www <https://www.web.akalpinelodge.com/> 2016-03-03 07:47:11 F expd:
2015-06-18 revoc not checked (0) common issuer (COMODO) chain: incomplete
(2); no SSLv2 no SSLv3 TLS1.0 on no TLS1.1 no TLS1.2 BEAST vuln no CRIME no
Heartbleed CCS, OK? (2) no POODLE SSL no POODLE TLS (1) FREAK vuln DH weak
(512) known weak vuln (2) (2) sec sv reneg SHA1 RSA no SHA1 int RC4 on keystr
2048 partial FS (1) one proto no HSTS Apache/2.2.24 (Unix) mod_ssl/2.2.24
OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4
FrontPage/5.0.2.2635 mod_fcgid/2.3.6 24 1.21.14
*whsyc.org <https://whsyc.org/>*
67.210.116.230
(mars.lunarpages.com)
Qualys <https://www.ssllabs.com/ssltest/analyze.html?d=whsyc.org> | JSON
<http://www.techsolvency.com/tls/data/json/whsyc.org.json.txt> | dump
<http://www.techsolvency.com/tls/data/dump/whsyc.org.dump.txt> |www
<https://www.whsyc.org/> 2016-03-03 07:50:25 F exp: 2019-03-09 cert not
revoked (2) common issuer (COMODO) chain: self-signed root (16); no SSLv2 no
SSLv3 TLS1.0 on no TLS1.1 no TLS1.2 BEAST vuln no CRIME no Heartbleed CCS
OK (1) no POODLE SSL no POODLE TLS (1) FREAK vuln DH weak (1024) known weak
vuln (2) (2) sec sv reneg SHA256 RSA no SHA1 int RC4 on keystr 2048 partial
FS (1) one proto no HSTS Apache/2.0.64 (Unix) mod_ssl/2.0.64 OpenSSL/0.9.8e
fips rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 mod_fcgid/2.3.6 Sun
ONE ASP/4.0.3 18 1.21.14
Royce

Received on Thu Mar 3 06:51:43 2016

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:51:43 AKST