The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My work

  • My badges

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming

    20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now

    20140424-Windows-7-free-disk-space

    More Photos
  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,722 other followers

List of “Plain Text Offenders”; hopefully someone publishes a list of https offenders too

Posted by jpluimers on 2016/10/24

This Plain Text Offenders site lists email screenshots of organisations sending back plain-text passwords they kept on file (According to Robert Love, Idera/Embarcadero should be on the list as well).

It is one of the most horrible things that can be done for a password.

Business and IT do many horrible things, so I really hope someone will start a similar site about SSL Labs F-rated domains. The ones that are so broken that they degraded their https to virtually plain-text http quality.

In the past, a notorious example of this was Embarcadero, who in the past managed to get F-rating or had wrong configurations on the below domains, therefore preventing me from logging in and getting new products from them (which is far worse than them not cleaning up their bug database):

As maintaining proper security infrastructure is an on-going event, SSL Labs increase their rating criteria over time, so I wasn’t hold my breath, but currently mostare now grade C. Still not good, but good enough. Notable exceptions:

  • tp.embarcadero.com still doesn’t support https, though partners enter their credentials there
  • http://www.embarcadero.com still had grade F for a long time for just one of the IP-addresses; that only recently got fixed so they are now grade B
  • forums.embarcadero.com:563 cannot be checked by SSL Labs (as it uses NNTP over SSL), but is still very vulnerable

As testssl.sh lists more details, here are the results over time (I wish I had kept all of the older testssl output as gists, but back then I was getting the openssl binaries for SSL done and not realizing SSL Labs records would expire):

host testssl.sh
20151011
testssl.sh
20150917
testssl.sh
20150826
members.embarcadero.com https://gist.github.com/5830aa0cc1d863449edf
tp.embarcadero.com https://gist.github.com/2d2ee1cf999de514727f
quality.embarcadero.com https://gist.github.com/a4312ca7883dd9fd58b2
community.embarcadero.com https://gist.github.com/9e21ce721a4de4d6110f
forums.embarcadero.com https://gist.github.com/11845dc200a57f788cb6
edn.embarcadero.com https://gist.github.com/e220a19bdee940d59604
store.embarcadero.com https://gist.github.com/3a3c675b9bea5854114a
http://www.embarcadero.com https://gist.github.com/d2900a708f758deecc59
forums.embarcadero.com:563 https://gist.github.com/873006565128fc2807b0 https://gist.github.com/9dace8ae2824e544a2dd https://gist.github.com/c24d1867188089948a2e

–jeroen

via:

SSL Labs Grade F example

SSL Labs Grade F example

 

The Quality site was the least secure halfway 2016

The Quality site was the least secure halfway 2016

One Response to “List of “Plain Text Offenders”; hopefully someone publishes a list of https offenders too”

  1. Snorlax said

    Never too careful!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: