

Re: [projectvrm] RE: Duking it out with miicard - T.Rob style


  • From: Drummond Reed
  • To: Stuart Fraser
  • Cc: "T.Rob", James Varga, ProjectVRM list
  • Subject: Re: [projectvrm] RE: Duking it out with miicard - T.Rob style
  • Date: Mon, 20 May 2013 09:58:06 -0700

Stuart and James, I commend miiCard for taking timely action on T.Rob's input. Piece by piece, this is how we'll build a strong personal data ecosystem.


On Mon, May 20, 2013 at 9:29 AM, Stuart Fraser wrote:

Update on BEAST SSL Issue:

I can confirm that the servers are fully patched up to date, including MS12-0006, as part of the Azure automatic maintenance, which is why our pen testers have not reported it. We do however still advertise the affected ciphers on TLS 1.0 and not on the SSL v3 transport protocol (checked on http://www.serversniff.net/content.php?do=ssl). SSL v2 is deprecated and removed already; TLS 1.1 and TLS 1.2 are not currently deployed and we will also enable these for clients that can use them; these protocols were never susceptible to the BEAST attack.

We therefore should not be vulnerable to BEAST but will take a belt and braces approach of also reconfiguring the cipher sets on the next release to be compliant with the PCI SSL cipher recommendations. That is to prioritise the RC4 based ciphers over the cipher block chaining mode ciphers, and we don't have any weak (<128-bit) encryption enabled.

Timeframes: We are currently in the final stages of testing the next release and will roll out the cipher changes to our beta environment over the next couple of days, and thereafter the following week we will roll out the changes in the live environment.

Regards

Stuart

Stuart Fraser | Chief Technology Officer

m: +44 (0)7966 242718

Identity assured by miiCard : http://miicard.me/stuart.png
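The reasoning in Stuart's update (BEAST needs a CBC cipher on SSL v3 or TLS 1.0; TLS 1.1/1.2 were never affected; the 2013 PCI workaround put RC4 ahead of CBC and dropped sub-128-bit suites) can be turned into a small checker run over a scanner's output. This is an added example, not miiCard's code or any tool the thread mentions; cipher names follow OpenSSL conventions and the sample scan is constructed.

```python
"""Classify a server's advertised protocol/cipher pairs for BEAST exposure and
build the cipher order the message proposes. Added example, not miiCard's code;
cipher names follow OpenSSL conventions and the sample scan is constructed."""

# BEAST needs CBC record encryption on a version that chains IVs across records;
# TLS 1.1 and 1.2 send a fresh explicit IV per record, so they are not affected.
BEAST_PROTOCOLS = {"SSLv3", "TLSv1.0"}

def cipher_mode(cipher):
    """Heuristic on OpenSSL names: 'NULL', 'STREAM', 'AEAD' or 'CBC'."""
    name = cipher.upper()
    if "NULL" in name:
        return "NULL"
    if "RC4" in name:
        return "STREAM"
    if any(tag in name for tag in ("GCM", "CCM", "CHACHA20")):
        return "AEAD"
    return "CBC"  # AES*-SHA, DES-CBC3-SHA, CAMELLIA*-SHA, SEED-SHA are CBC

def is_weak(cipher):
    """Below 128-bit strength: export suites, single DES, or no encryption."""
    name = cipher.upper()
    return name.startswith("EXP") or "DES-CBC-" in name or "NULL" in name

def beast_exposed(protocol, cipher):
    return protocol in BEAST_PROTOCOLS and cipher_mode(cipher) == "CBC"

def assess(scan):
    """scan: list of (protocol, cipher) pairs the server advertised."""
    protocols = {p for p, _ in scan}
    return {
        "beast_exposed": [(p, c) for p, c in scan if beast_exposed(p, c)],
        "weak": sorted({c for _, c in scan if is_weak(c)}),
        "tls11_or_12_offered": bool(protocols & {"TLSv1.1", "TLSv1.2"}),
    }

def pci_2013_order(ciphers):
    """RC4 (stream) ahead of CBC, weak suites dropped, as the message describes.
    This was the 2013 workaround; RC4 was itself prohibited in TLS by RFC 7465
    (2015), so the current fix is TLS 1.2+ with AEAD suites."""
    kept = [c for c in ciphers if not is_weak(c)]
    return sorted(kept, key=lambda c: cipher_mode(c) != "STREAM")  # stable sort

# Constructed sample of what a scanner might report for a TLS 1.0-only endpoint.
SAMPLE_SCAN = [("TLSv1.0", "AES256-SHA"), ("TLSv1.0", "AES128-SHA"),
               ("TLSv1.0", "DES-CBC3-SHA"), ("TLSv1.0", "RC4-SHA"),
               ("TLSv1.0", "EXP-RC4-MD5")]
```

Feeding it the pairs a scanner such as the one linked above reports shows at a glance which advertised combinations are the BEAST-relevant ones and whether TLS 1.1/1.2 are already on offer.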

From: T.Rob

Sent: 19 May 2013 14:52
To: James Varga; Stuart Fraser; 'ProjectVRM list'
Subject: RE: [projectvrm] RE: Duking it out with miicard - T.Rob style

Sorry for the double email, this occurred to me after hitting [send].  What I said before about being friendly to the list was serious.  Had the site come to the attention of someone like Pauldotcom, Dark Tangent, Moxie Marlinspike or any of the security crowd who cultivate a "rogue hacker" reputation, the result would have been more of a scorched earth campaign, and any request for retraction would result in more intensely focused attention from that community, big media attention of the wrong sort, and possibly widespread DOS attacks on password resets and other mischief.  These guys don't post to your community list.  They expose you in featured presentations at a security conference.

So if my post here and on my tiny little blog can have the significant negative effects described, imagine what someone who truly takes an adversarial approach and has a massive following on their blog and podcast can cause, including attention from WSJ, NYT, The Register, etc.  (I can provide lots of examples where this has happened in the past.)  Also, if that level of negative coverage is associated with VRM it taints the entire community.

This is why I stir up a little dust in the VRM community.  If people are worried about what *I* might say in public, they are more likely to get involved with OWASP, design to those standards and avoid popping up on the radar of the Pauldotcoms of the world.  But, unlike those guys, I'm not doing it to sell my services (I do security but not web site pen tests) or build my reputation at the expense of unwitting victims as many security people do, but rather because I'd like to see more VRM services I'd actually want to use and entrust with my data.  Anyone here who thinks I'm dangerous needs to recalibrate what they consider hostile or high profile.

-- T.Rob

From: T.Rob
Sent: Sunday, May 19, 2013 9:04 AM
To: 'James Varga'; 'Stuart Fraser'; 'ProjectVRM list'
Subject: RE: [projectvrm] RE: Duking it out with miicard - T.Rob style

Point taken, James.  That's the opposite of what I intended, so I've removed all but the security aspects of the post and reworded those to remove a bit of what Schneier would call "security theatre."  Chances are high that nobody is really going to reset your password during a keynote.  On the other hand, I still would refrain from logging in from the Defcon event.

-- T.Rob

From: James Varga
Sent: Sunday, May 19, 2013 4:41 AM
To: T.Rob; Stuart Fraser; 'ProjectVRM list'
Subject: RE: [projectvrm] RE: Duking it out with miicard - T.Rob style

Thanks.

Not having had the benefit of your recent rants, maybe I took it out of context. Personally I don't believe we need to resort to naming and shaming in a first attempt. Especially on a community like this we should be able to offer a suggestion and for it to be taken seriously; it's why I've signed up, to get this sort of feedback and insight. Again, thanks for taking the time.

It may have a more negative effect than you had hoped for, given your blog post is public and 'names and shames' some of our key investors. We have a board meeting this week and I will no doubt have to defend the situation now, and given that we are in the process of trying to raise more money, the timing isn't so great. A retraction or update on the public blog post would be great.

If the vulnerability is indeed a false negative, a retraction on that would also be helpful. Users not signing up because the site isn't secure (I know this isn't the truth but it's the tone of your post) again isn't helpful.

Thanks again for taking the time to reply. Stuart or I will reply on the BEAST vulnerability early in the week and I'll come back to you on the password management myself.

Have a great weekend.

Cheers,
