#108233 by Raptor
Fri Mar 29, 2013 6:56 am
Hello.

I just used the security test from www.ssllabs.com to check my.ooma.com.

Unfortunately it received a failing grade. This server is using insecure cipher suites and does not mitigate the BEAST or CRIME attacks.

Please update the configuration on this server to ensure the security and safety of everyone using Ooma.

Thank you.
#108426 by lbmofo
Thu Apr 04, 2013 9:29 am
I saw this and was wondering if the not so good grade is really related to server security/vulnerability in relation to malicious attacks and not related to individual client sessions established. I suppose as long as the connection is secure, the purchase and other transactions on my ooma should be as secure as any out there?

TLS_DH_anon_WITH_RC4_128_MD5 (0x18) INSECURE 128
TLS_DH_anon_WITH_AES_128_CBC_SHA (0x34) INSECURE 128
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA (0x46) INSECURE 128
TLS_DH_anon_WITH_SEED_CBC_SHA (0x9b) INSECURE 128
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA (0x1b) INSECURE 168
TLS_DH_anon_WITH_AES_256_CBC_SHA (0x3a) INSECURE 256
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA (0x89) INSECURE 256

Do these anonymous components really impact how my.ooma.com is implemented and is used by users?

BEAST attack Vulnerable INSECURE
Compression Yes INSECURE
RC4 Yes PROBLEMATIC

Do these components really impact how my.ooma.com is implemented and is used by users?

I suppose that's the real question.
#108467 by Raptor
Fri Apr 05, 2013 5:37 am
The problem with the Anonymous Diffie-Hellman suites being used is that they provide no authentication. Authentication is how we ensure that we are talking with who we intend to, and no one is able to eavesdrop, through man-in-the-middle attacks or otherwise. Often these cipher suites can easily be disabled on the server side such that they won't be allowed to be used even if a client says it's capable of using them.

This is a known attack vector, along with susceptibility to BEAST and CRIME. Because of the always changing nature of crypto attacks and vulnerabilities on the internet, all reasonable efforts must be made to ensure secure communication remains that way. Insecure communication must not be allowed, especially in instances where we know there is a vulnerability. It's not a matter of if someone will try to take advantage of it, just when.
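As an added illustration of the two points made in this thread (that the anonymous DH, RC4 and MD5 suites in the report provide no authentication or weak primitives, and that a server can simply refuse them regardless of what a client offers), the following Python script is example code written for this page; it is not Ooma's configuration and it does not contact my.ooma.com. It re-uses the suite names quoted from the SSL Labs report above as its input, flags why each one is a problem, and then builds a server-side `ssl.SSLContext` whose OpenSSL cipher string excludes anonymous key exchange (`!aNULL`), RC4 and MD5, disables TLS compression (the CRIME vector), and requires TLS 1.2 or later so that TLS 1.0 CBC suites (the BEAST case) are never negotiated. The exact cipher string is an assumption chosen for the example, not a recommendation taken from the thread.

```python
import ssl

# Suite names quoted from the SSL Labs report posted earlier in this thread (IANA names).
REPORTED_SUITES = [
    "TLS_DH_anon_WITH_RC4_128_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_DH_anon_WITH_SEED_CBC_SHA",
    "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_AES_256_CBC_SHA",
    "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",
]


def audit_suite(iana_name):
    """Return the list of problems an IANA-named suite has, using the criteria
    raised in this thread: anonymous key exchange, RC4, MD5, and CBC mode
    (which is only BEAST-relevant when TLS 1.0 is still allowed)."""
    problems = []
    if "_anon_" in iana_name:
        problems.append("no server authentication (anonymous DH)")
    if "RC4" in iana_name:
        problems.append("RC4 stream cipher")
    if iana_name.endswith("_MD5"):
        problems.append("MD5 MAC")
    if "_CBC_" in iana_name:
        problems.append("CBC mode (BEAST-relevant on TLS 1.0)")
    return problems


def audit_report(suites):
    """Map every suite in a report to its list of problems."""
    return {s: audit_suite(s) for s in suites}


def hardened_server_context():
    """Server-side context that refuses the suites flagged above no matter what
    the client advertises. The cipher string is an example choice (assumption):
    !aNULL drops anonymous DH/ECDH, !RC4 and !MD5 drop those primitives,
    !3DES drops the 168-bit suite from the report."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION          # CRIME relies on TLS compression
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # BEAST targets TLS 1.0 CBC suites
    return ctx


def weak_openssl_names(ctx):
    """OpenSSL-style names of enabled ciphers that the thread calls out:
    anonymous (ADH-/AECDH-), RC4, or MD5-based. Empty means none are enabled."""
    bad = []
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if name.startswith(("ADH-", "AECDH-")) or "RC4" in name or name.endswith("-MD5"):
            bad.append(name)
    return bad


def compression_disabled(ctx):
    """True when the context will never negotiate TLS-level compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


if __name__ == "__main__":
    for suite, problems in audit_report(REPORTED_SUITES).items():
        print(f"{suite}: {'; '.join(problems)}")
    ctx = hardened_server_context()
    print("weak ciphers still enabled:", weak_openssl_names(ctx) or "none")
    print("compression disabled:", compression_disabled(ctx))
```

Running the script prints one line per reported suite with the reasons it fails, then confirms that the hardened context enables none of them. The same cipher-string vocabulary (`!aNULL`, `!RC4`, `!MD5`) is what Apache's `SSLCipherSuite` and nginx's `ssl_ciphers` directives accept, so the check translates directly to a web server configuration.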
