I just used the security test from www.ssllabs.com to check my.ooma.com.
Unfortunately, it received a failing grade. This server is using insecure cipher suites and does not mitigate the BEAST attack or the CRIME attack.
Please update the configuration on this server to ensure the security and safety of everyone using Ooma.
TLS_DH_anon_WITH_RC4_128_MD5 (0x18) INSECURE 128
TLS_DH_anon_WITH_AES_128_CBC_SHA (0x34) INSECURE 128
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x46) INSECURE 128
TLS_DH_anon_WITH_SEED_CBC_SHA (0x9b) INSECURE 128
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x1b) INSECURE 168
TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a) INSECURE 256
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x89) INSECURE 256
Do these anonymous components really impact how my.ooma.com is implemented and is used by users?
BEAST attack Vulnerable INSECURE
Compression Yes INSECURE
RC4 Yes PROBLEMATIC
Do these components really impact how my.ooma.com is implemented and is used by users?
I suppose that's the real question.
This is a known attack vector, along with susceptibility to BEAST and CRIME. Because of the ever-changing nature of crypto attacks and vulnerabilities on the internet, all reasonable efforts must be made to ensure secure communication remains that way. Insecure communication must not be allowed, especially in instances where we know there is a vulnerability. It's not a matter of if someone will try to take advantage of it, just when.
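As an added example (not code from this thread, from Ooma, or from SSL Labs), the script below reads IANA cipher-suite names like the ones quoted in the report and flags the properties a reviewer cares about: anonymous key exchange (the `DH_anon` suites, which let anyone impersonate the server), RC4, CBC mode (relevant to BEAST on TLS 1.0) and MD5 MACs, then turns the report's server-level findings (BEAST, compression, RC4) into a remediation list. The seven suite names are copied from the report above; the two extra suites and the findings dictionary are constructed for the example, and the INSECURE/PROBLEMATIC labels mirror the wording in the quoted report rather than SSL Labs' full grading rules.

```python
"""Audit TLS cipher-suite names and SSL Labs-style findings.

Added example for this thread; not Ooma's or SSL Labs' code. The ratings
here mirror the labels seen in the quoted report (anonymous suites are
INSECURE, RC4 is PROBLEMATIC) and are not SSL Labs' grading algorithm.
"""
import re

# Constructed sample input: the seven suites quoted in the thread, plus two
# suites added for contrast (a modern AEAD suite and RC4 without anon DH).
REPORTED_SUITES = [
    "TLS_DH_anon_WITH_RC4_128_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_DH_anon_WITH_SEED_CBC_SHA",
    "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # constructed, for contrast
    "TLS_RSA_WITH_RC4_128_SHA",                # constructed, for contrast
]

# Constructed dict carrying the same server-level findings the report lists.
REPORTED_FINDINGS = {"BEAST attack": "Vulnerable", "Compression": "Yes", "RC4": "Yes"}

# IANA suite names look like TLS_<key exchange>_WITH_<cipher>_<MAC/PRF>.
SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+?)_(?P<mac>[A-Z0-9]+)$")


def classify(suite):
    """Return {'name', 'issues', 'rating'} for one IANA cipher-suite name."""
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"not an IANA TLS suite name: {suite}")
    kx, cipher, mac = m.group("kx"), m.group("cipher"), m.group("mac")
    issues = []
    if "anon" in kx:
        issues.append("anonymous key exchange: server is never authenticated")
    if "RC4" in cipher:
        issues.append("RC4 stream cipher: biased keystream, prohibited by RFC 7465")
    if "3DES" in cipher:
        issues.append("3DES: 64-bit block size")
    if "_CBC" in cipher:
        issues.append("CBC mode: BEAST-relevant when negotiated under TLS 1.0")
    if mac == "MD5":
        issues.append("MD5-based MAC")
    if "anon" in kx:
        rating = "INSECURE"
    elif "RC4" in cipher:
        rating = "PROBLEMATIC"
    else:
        rating = "OK"   # none of the checks above fired; not a full grade
    return {"name": suite, "issues": issues, "rating": rating}


def audit(suites):
    """Classify every suite and return only those with at least one issue."""
    return [v for v in (classify(s) for s in suites) if v["issues"]]


def remediation(findings, suites):
    """Map the report's findings and suite list to configuration actions."""
    actions = []
    if any(classify(s)["rating"] == "INSECURE" for s in suites):
        actions.append("remove anonymous (aNULL) suites so clients can authenticate the server")
    if findings.get("Compression") == "Yes":
        actions.append("disable TLS compression to close CRIME")
    if findings.get("RC4") == "Yes":
        actions.append("remove all RC4 suites")
    if findings.get("BEAST attack") == "Vulnerable":
        actions.append("enable TLS 1.1+ and prefer AEAD (GCM) suites over CBC on TLS 1.0 to mitigate BEAST")
    return actions


if __name__ == "__main__":
    for verdict in audit(REPORTED_SUITES):
        print(f"{verdict['name']:45s} {verdict['rating']:11s} {'; '.join(verdict['issues'])}")
    print("\nRemediation:")
    for action in remediation(REPORTED_FINDINGS, REPORTED_SUITES):
        print(" -", action)
```

The regex parses the generic IANA naming pattern, so the same checks apply to any suite list pasted from a scanner; the `rating` values only reproduce the labels visible in the quoted report, and a real SSL Labs grade also depends on protocol versions, certificate chain and other checks the thread does not show.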