my.ooma.com fails SSL test

Problems using My Ooma? Ideas on how we can make it better? You’ve come to the right place.
Raptor
Posts: 18
Joined: Mon Oct 01, 2012 3:25 pm

my.ooma.com fails SSL test

Post by Raptor » Fri Mar 29, 2013 6:56 am

Hello.

I just used the security test from www.ssllabs.com to check my.ooma.com.

Unfortunately it received a failing grade. This server is using insecure cipher suites and does not mitigate the BEAST attack or the CRIME attack.

Please update the configuration on this server to ensure the security and safety of everyone using Ooma.

Thank you.

Raptor
Posts: 18
Joined: Mon Oct 01, 2012 3:25 pm

Re: my.ooma.com fails SSL test

Post by Raptor » Thu Apr 04, 2013 9:25 am

Any comments from Ooma reps on this issue?

lbmofo
Posts: 9337
Joined: Sun Mar 14, 2010 7:37 pm
Location: Greater Seattle

Re: my.ooma.com fails SSL test

Post by lbmofo » Thu Apr 04, 2013 9:29 am

I saw this and was wondering if the not-so-good grade is really related to server security/vulnerability in relation to malicious attacks, and not related to individual client sessions established. I suppose as long as the connection is secure, the purchase and other transactions on My Ooma should be as secure as any out there?

TLS_DH_anon_WITH_RC4_128_MD5 (0x18) INSECURE 128
TLS_DH_anon_WITH_AES_128_CBC_SHA (0x34) INSECURE 128
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x46) INSECURE 128
TLS_DH_anon_WITH_SEED_CBC_SHA (0x9b) INSECURE 128
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x1b) INSECURE 168
TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a) INSECURE 256
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x89) INSECURE 256

Do these anonymous components really impact how my.ooma.com is implemented and is used by users?

BEAST attack Vulnerable INSECURE
Compression Yes INSECURE
RC4 Yes PROBLEMATIC

Do these components really impact how my.ooma.com is implemented and is used by users?

I suppose that's the real question.

Raptor
Posts: 18
Joined: Mon Oct 01, 2012 3:25 pm

Re: my.ooma.com fails SSL test

Post by Raptor » Fri Apr 05, 2013 5:37 am

The problem with the Anonymous Diffie-Hellman suites being used is that they provide no authentication. Authentication is how we ensure that we are talking with who we intend to, and that no one is able to eavesdrop, through man-in-the-middle attacks or otherwise. Often these cipher suites can easily be disabled on the server side such that they won't be allowed to be used even if a client says it's capable of using them.

This is a known attack vector, along with susceptibility to BEAST and CRIME. Because of the always-changing nature of crypto attacks and vulnerabilities on the internet, all reasonable efforts must be made to ensure secure communication remains that way. Insecure communication must not be allowed, especially in instances where we know there is a vulnerability. It's not a matter of if someone will try to take advantage of it, just when.
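As an added example (not code from this thread or from Ooma): a small Python script that parses scanner-style suite lines like the ones quoted above, flags the anonymous-DH, RC4, MD5 and TLS 1.0 CBC suites for the reasons discussed in the posts, and maps the findings to the OpenSSL cipher-list keywords an administrator would use to exclude them on the server side. The sample lines are constructed; the suite-name heuristics and the keyword mapping are this example's own.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the style of the scanner lines quoted in this thread;
# the last suite is added here as a modern, acceptable one for contrast.
SAMPLE_SCAN = """\
TLS_DH_anon_WITH_RC4_128_MD5 (0x18) INSECURE 128
TLS_DH_anon_WITH_AES_128_CBC_SHA (0x34) INSECURE 128
TLS_RSA_WITH_RC4_128_SHA (0x05) PROBLEMATIC 128
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) 128
"""

SUITE_LINE = re.compile(r"^(TLS_\w+)\s+\((0x[0-9a-fA-F]+)\)")

# OpenSSL cipher-list negation that removes each class of flagged suite.
# BEAST is not fixed by a cipher keyword (it needs TLS 1.1+ or server-side
# ordering), so the CBC finding deliberately has no entry here.
EXCLUSION_FOR = {
    "anonymous DH: no server authentication": "!aNULL",
    "RC4 stream cipher": "!RC4",
    "MD5 MAC": "!MD5",
}

def weaknesses(suite: str) -> List[str]:
    """Reasons a suite name is undesirable; an empty list means nothing flagged."""
    reasons = []
    if "_anon_" in suite:
        reasons.append("anonymous DH: no server authentication")
    if "_RC4_" in suite:
        reasons.append("RC4 stream cipher")
    if suite.endswith("_MD5"):
        reasons.append("MD5 MAC")
    # Suites ending in plain _SHA are negotiable under TLS 1.0, where CBC
    # mode is exposed to BEAST; _SHA256/_SHA384 suites are TLS 1.2 only.
    if "_CBC_" in suite and suite.endswith("_SHA"):
        reasons.append("CBC suite negotiable under TLS 1.0 (BEAST)")
    return reasons

def audit(scan_text: str) -> Dict[str, List[str]]:
    """Parse scanner-style lines and return only the suites with findings."""
    findings = {}
    for line in scan_text.splitlines():
        m = SUITE_LINE.match(line.strip())
        if m and weaknesses(m.group(1)):
            findings[m.group(1)] = weaknesses(m.group(1))
    return findings

def exclusions(findings: Dict[str, List[str]]) -> Set[str]:
    """OpenSSL cipher-list negations that would remove every flagged suite."""
    return {EXCLUSION_FOR[r] for rs in findings.values() for r in rs if r in EXCLUSION_FOR}
```

Appending the returned negations to the server's cipher list (e.g. `HIGH:!aNULL:!RC4:!MD5`) removes the anonymous and RC4 suites; the BEAST finding is addressed separately by enabling TLS 1.1+ and preferring non-CBC suites.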
