Closed Bug 842055 Opened 12 years ago Closed 12 years ago

Everything.me API is vulnerable to BEAST attack

Categories

(Firefox OS Graveyard :: Gaia::Everything.me, defect)

x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: st3fan, Assigned: ranbena)


See output of the TestSSLServer application that scans for the BEAST and CRIME vulnerabilities. This can be fixed by using the appropriate SSL server settings. I think this is important to fix as the everything.me API is used to deliver essential content to the application.

% java -jar TestSSLServer.jar api.everything.me 443
Supported versions: SSLv3 TLSv1.0
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
  (TLSv1.0: idem)
----------------------
Server certificate(s):
  49b2a1870e273722967205a1a3a1c300635ed4d1: CN=*.everything.me, OU=IT, O=DoAT Media Ltd., L=Tel Aviv, ST=Isael, C=IL, SERIALNUMBER=hfQS-TOEDJ3nn45fu-d0Uywh2r2mfogU
----------------------
Minimal encryption strength: strong encryption (96-bit or more)
Achievable encryption strength: strong encryption (96-bit or more)
BEAST status: vulnerable
CRIME status: protected
Assignee: nobody → ran
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
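
Added example (not part of the original report and not TestSSLServer's own code): a Python check that reads scan output in the shape shown in the report and lists the CBC cipher suites reachable under SSLv3 and TLSv1.0, the combination BEAST depends on. The sample's line layout and the function names are assumptions; the suite names and status lines are taken from the report.

```python
import re

# Constructed input: the report's scan output, line breaks restored, certificate block omitted.
SCAN = """\
Supported versions: SSLv3 TLSv1.0
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  SSLv3
     RSA_WITH_RC4_128_MD5
     RSA_WITH_RC4_128_SHA
     RSA_WITH_3DES_EDE_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
  (TLSv1.0: idem)
----------------------
BEAST status: vulnerable
CRIME status: protected
"""

# BEAST applies to CBC suites under SSL 3.0 and TLS 1.0, which chain IVs across records.
CBC_IV_CHAINING = {"SSLv3", "TLSv1.0"}

def parse_scan(text):
    """Return (suites per protocol version, True if the server enforces its own order)."""
    suites, current = {}, None
    server_order = "ORDER IS NOT SIGNIFICANT" not in text
    for raw in text.splitlines():
        line = raw.strip()
        idem = re.fullmatch(r"\((\S+): idem\)", line)
        if idem:  # same suite list as the previous version block
            suites[idem.group(1)] = list(suites[current]) if current else []
            current = idem.group(1)
        elif re.fullmatch(r"(SSLv\d|TLSv\d\.\d)", line):
            current = line
            suites[current] = []
        elif current and re.fullmatch(r"[A-Z0-9_]+_WITH_[A-Z0-9_]+", line):
            suites[current].append(line)
    return suites, server_order

def beast_exposure(text):
    """Map each affected protocol version to the CBC suites a client could negotiate."""
    suites, server_order = parse_scan(text)
    exposed = {}
    for version, names in suites.items():
        cbc = [n for n in names if "_CBC_" in n]
        # Assumption: with an enforced order, the first listed suite is the server's top choice.
        if version in CBC_IV_CHAINING and cbc and not (server_order and "_CBC_" not in names[0]):
            exposed[version] = cbc
    return exposed
```

For the report's output, `beast_exposure(SCAN)` returns the three CBC suites for both SSLv3 and TLSv1.0, which matches the tool's "BEAST status: vulnerable" line.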