Defense in depth -- the Microsoft way (part 25): no secure connections to MSDN, TechNet, ...

["Stefan Kanthak" <stefan.kanthak () nexgo de>]

Hi @ll,

the WWW sites msdn.microsoft.com and technet.microsoft.com still
support SSLv3 for HTTPS connections, but neither TLSv1.1 nor TLSv1.2.

Additionally they prefer the weak ciphers TLS_RSA_WITH_RC4_128_MD5
and TLS_RSA_WITH_RC4_128_SHA and offer not a single cipher that
supports "forward secrecy".

See <https://www.ssllabs.com/ssltest/analyze.html?d=msdn.microsoft.com>
resp. <https://www.ssllabs.com/ssltest/analyze.html?d=msdn.microsoft.com&s=65.52.103.102>
and <https://www.ssllabs.com/ssltest/analyze.html?d=technet.microsoft.com>

Both sites are hosted on "Microsoft-IIS/8.0" which can handle TLSv1.1
and TLSv1.2 as well as ciphers that support "forward secrecy".


The WWW site answers.microsoft.com has the same bad protocol support,
but better cipher support, albeit no "forward secrecy".

See <https://www.ssllabs.com/ssltest/analyze.html?d=answers.microsoft.com>
and <https://www.ssllabs.com/ssltest/analyze.html?d=answers.microsoft.com&s=157.56.56.109>


The WWW sites support.microsoft.com and support2.microsoft.com support
TLSv1.1, TLSv1.2 and PFS, but have SSLv3 still enabled too and have NO
mitigation against POODLE.

See <https://www.ssllabs.com/ssltest/analyze.html?d=support.microsoft.com>
resp. <https://www.ssllabs.com/ssltest/analyze.html?d=support.microsoft.com&s=191.239.1.172>
and <https://www.ssllabs.com/ssltest/analyze.html?d=support2.microsoft.com>

OTOH the WWW site connect.microsoft.com (like answers.microsoft.com
hosted on "Microsoft-IIS/7.5") supports TLSv1.1, TLSv1.2 and PFS, but
has SSLv3 still enabled too.

See <https://www.ssllabs.com/ssltest/analyze.html?d=connect.microsoft.com>


Finally take a look at the WWW site social.microsoft.com alias
social.msdn.microsoft.com alias social.technet.microsoft.com: NO SSLv3,
NO weak ciphers, TLSv1.1, TLSv1.2 and PFS enabled.

See <https://www.ssllabs.com/ssltest/analyze.html?d=social.msdn.microsoft.com>

But even there MSFT could do better and offer ciphers with GCM and PFS!


outlook.com alias www.outlook.com has SSLv3 enabled, no mitigation against
BEAST and POODLE, and supports weak ciphers with RC4 but no ciphers with GCM!

Some of the servers of [www.]outlook.com are even worse than ANY of the above:
See <https://www.ssllabs.com/ssltest/analyze.html?d=outlook.com&s=157.56.245.70>,
<https://www.ssllabs.com/ssltest/analyze.html?d=outlook.com&s=157.56.236.214>,
<https://www.ssllabs.com/ssltest/analyze.html?d=outlook.com&s=157.56.232.166>,
<https://www.ssllabs.com/ssltest/analyze.html?d=outlook.com&s=157.56.241.102>
and <https://www.ssllabs.com/ssltest/analyze.html?d=outlook.com&s=157.56.245.166>


live.com supports weak ciphers with RC4 but no ciphers with GCM!


JFTR: compare MSFTs deeds to their following words^Wannouncements:
      <http://blogs.microsoft.com/blog/2013/12/04/protecting-customer-data-from-government-snooping/>
      <http://blogs.microsoft.com/on-the-issues/2014/07/01/advancing-our-encryption-and-transparency-efforts/>
      <http://blogs.microsoft.com/cybertrust/2014/08/07/strengthening-encryption-for-microsoft-azure-customers/>
      <http://azure.microsoft.com/blog/2014/08/07/tlsssl-cipher-suite-enhancements-and-perfect-forward-secrecy/>
      
<http://blogs.microsoft.com/cybertrust/2014/10/28/microsofts-commitment-to-protect-customer-data-through-encryption-continues/
>

      MSFT, are you really (REALLY!) serious abouth better encryption?

      Apparently the user credentials (formerly known as "passport ID",
      then "Live ID" and nowadays "Microsoft account") that are used for
      your mail account on Outlook.com, your data on OneDrive or Azure,
      to access the downloads for MSDN/TechNet subscribers on MSDN/TechNet
      or the support groups are no user data worth to protect.-(


regards
Stefan Kanthak


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/