The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My work

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,798 other followers

List of “Plain Text Offenders”; hopefully someone publishes a list of https offenders too

Posted by jpluimers on 2016/10/24

This Plain Text Offenders site lists email screenshots of organisations sending back plain-text passwords they kept on file (According to Robert Love, Idera/Embarcadero should be on the list as well).

It is one of the most horrible things that can be done for a password.

Business and IT do many horrible things, so I really hope someone will start a similar site about SSL Labs F-rated domains. The ones that are so broken that they degraded their https to virtually plain-text http quality.

In the past, a notorious example of this was Embarcadero, who in the past managed to get F-rating or had wrong configurations on the below domains, therefore preventing me from logging in and getting new products from them (which is far worse than them not cleaning up their bug database):

As maintaining proper security infrastructure is an on-going event, SSL Labs increase their rating criteria over time, so I wasn’t hold my breath, but currently mostare now grade C. Still not good, but good enough. Notable exceptions:

  • tp.embarcadero.com still doesn’t support https, though partners enter their credentials there
  • http://www.embarcadero.com still had grade F for a long time for just one of the IP-addresses; that only recently got fixed so they are now grade B
  • forums.embarcadero.com:563 cannot be checked by SSL Labs (as it uses NNTP over SSL), but is still very vulnerable

As testssl.sh lists more details, here are the results over time (I wish I had kept all of the older testssl output as gists, but back then I was getting the openssl binaries for SSL done and not realizing SSL Labs records would expire):

host testssl.sh
20151011
testssl.sh
20150917
testssl.sh
20150826
members.embarcadero.com https://gist.github.com/5830aa0cc1d863449edf
tp.embarcadero.com https://gist.github.com/2d2ee1cf999de514727f
quality.embarcadero.com https://gist.github.com/a4312ca7883dd9fd58b2
community.embarcadero.com https://gist.github.com/9e21ce721a4de4d6110f
forums.embarcadero.com https://gist.github.com/11845dc200a57f788cb6
edn.embarcadero.com https://gist.github.com/e220a19bdee940d59604
store.embarcadero.com https://gist.github.com/3a3c675b9bea5854114a
http://www.embarcadero.com https://gist.github.com/d2900a708f758deecc59
forums.embarcadero.com:563 https://gist.github.com/873006565128fc2807b0 https://gist.github.com/9dace8ae2824e544a2dd https://gist.github.com/c24d1867188089948a2e

–jeroen

via:

SSL Labs Grade F example

SSL Labs Grade F example

 

The Quality site was the least secure halfway 2016

The Quality site was the least secure halfway 2016

3 Responses to “List of “Plain Text Offenders”; hopefully someone publishes a list of https offenders too”

  1. KMorwath said

    I wonder if Embarcadero knows what GDPR is, and that it will be active from May 2018. Data breaches will be heavily fined, especially when they lead to the disclosure of personal information. Everybody who still uses Delphi and other Embarcadero tools, and sell in Europe, should start to assess how safe their applications are – because their customer will also have to assess it. Non compliance can be costly.

    Just, remember Embarcadero is the company that doesn’t give you sound encryption algorithms out of the box, hiding behind the finger of export regulations… I wonder how RAD Server is secure as well.

    But I’m sure syntactic sugar will get more attention in the next releases than security.

  2. Snorlax said

    Never too careful!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: