Mar 26 2013
By: InfinityDevil (I Only Post Everything, 1006 posts)

Great work on SSL: "A" for sign-in, "C" for Store.


Just wanted to congratulate Sony on having an A grade on the SSL security testing of the sign-on server:

https://www.ssllabs.com/ssltest/analyze.html?d=account.sonyentertainmentnetwork.com

Lots of banks and other sites don't pass that test as well as Sony does here.

BUT the store gets a C-grade:

https://www.ssllabs.com/ssltest/analyze.html?d=store.sonyentertainmentnetwork.com

PSNProfiles.com - InfinityDevil
Message 1 of 3 (125 Views)
By: Doppelgangergang (Treasure Hunter, 8202 posts, registered 04/05/2009)

Re: Great work on SSL: "A" for sign-in, "C" for Store.

Mar 26, 2013

InfinityDevil wrote:

BUT the store gets a C-grade:

https://www.ssllabs.com/ssltest/analyze.html?d=store.sonyentertainmentnetwork.com


It's because of this:

(attached image: ciphersuite.png)

For the "weakness" the Store has, the reason is that the servers support "cheap" 40-bit encryption. Yes, 40 bits can be broken easily; however, they also support "expensive" 128-bit or 256-bit encryption. My best guess is that they use the "expensive" encryption for actual transactions and purchases, and the "cheap" one for loading not-so-important things like text, images and video. If they left the images and video unencrypted, your browser would throw up an error about insecure items being on the page, which is a way to drive people away from the store.

Also, keeping your internet browser up to date, using Windows Update and keeping your Java up to date is a good way to mitigate the "BEAST Attack." This makes use of a specially-crafted Java Applet to compromise the contents of SSL; HOWEVER, it only affects non-updated users who are using an internet browser more than a year old (*cough* Internet Explorer 6).

The BEAST Attack was patched by Microsoft in January 2012, then Mozilla patched it on Mar. 22, 2012, and the fix was rolled out in Mozilla Firefox and Google Chrome.

TLDR: Don't worry. :P

Message 2 of 3 (106 Views)
By: InfinityDevil (I Only Post Everything, 1006 posts, registered 02/14/2001)

Re: Great work on SSL: "A" for sign-in, "C" for Store.

Apr 8, 2013

Doppelgangergang wrote:

InfinityDevil wrote:

BUT the store gets a C-grade:

https://www.ssllabs.com/ssltest/analyze.html?d=store.sonyentertainmentnetwork.com


It's because of this:

(attached image: ciphersuite.png)

For the "weakness" the Store has, the reason is that the servers support "cheap" 40-bit encryption. Yes, 40 bits can be broken easily; however, they also support "expensive" 128-bit or 256-bit encryption. My best guess is that they use the "expensive" encryption for actual transactions and purchases, and the "cheap" one for loading not-so-important things like text, images and video. If they left the images and video unencrypted, your browser would throw up an error about insecure items being on the page, which is a way to drive people away from the store.

Also, keeping your internet browser up to date, using Windows Update and keeping your Java up to date is a good way to mitigate the "BEAST Attack." This makes use of a specially-crafted Java Applet to compromise the contents of SSL; HOWEVER, it only affects non-updated users who are using an internet browser more than a year old (*cough* Internet Explorer 6).

The BEAST Attack was patched by Microsoft in January 2012, then Mozilla patched it on Mar. 22, 2012, and the fix was rolled out in Mozilla Firefox and Google Chrome.

TLDR: Don't worry. :P


Weak encryption options are a problem because they make users more susceptible to man in the middle attacks.

This doesn't matter if you're connecting from your PC web browser, MacOS web browser, PS Vita Store, or PS3 Store. If someone is between you and the internet -- someone on the WiFi at your favorite public hotspot perhaps -- they can intercept the initial connection request that is asking for a nice 128-bit or higher cipher, turn around to where you're sending it and say "I can only do 40-bit", and it will negotiate a 40-bit connection and then turn around and hand you that connection instead. It depends on what your device accepts. I believe that it can't negotiate a separate 128-bit connection with you and a 40-bit connection in the middle -- it would be an end-to-end 40-bit connection.

They need to get rid of 40-bit connections. Most servers that permit them have done so out of laziness, not checking default configurations.

PSNProfiles.com - InfinityDevil
Message 3 of 3 (75 Views)
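The two replies above come down to one configuration question: which suites does the server offer, and which does the client accept? The Python script below is an added example for this thread (not code from the forum, from Sony, or from SSL Labs). It audits a suite list for export-grade and other weak suites, produces the corrected list a server operator would deploy, and computes the weakest suite a given client could end up on against a given server. The suite names are real IANA TLS registry names, but the server and client lists are constructed sample data, not the real output for any host, and every function name is this example's own.

```python
"""Cipher-suite policy audit (added example; constructed sample data).

Models what the thread describes: a server that still offers export-grade
40-bit suites, and a client that does or does not accept them.  The floor
of any connection is the weakest suite BOTH ends accept, so the fix belongs
on the server (stop offering the suites) and, defensively, on the client
(stop accepting them).
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple

Suite = Tuple[str, int]  # (IANA suite name, symmetric key bits)

# CONSTRUCTED: a server with strong suites that never disabled the export
# suites an old default configuration left enabled.
SERVER_SUITES: List[Suite] = [
    ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
    ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    ("TLS_RSA_WITH_RC4_128_SHA", 128),
    ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 112),
    ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),
    ("TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", 40),
]

# CONSTRUCTED: a legacy client that accepts everything the server offers,
# and a current client that refuses anything under 128 bits.
LEGACY_CLIENT: List[Suite] = list(SERVER_SUITES)
MODERN_CLIENT: List[Suite] = [s for s in SERVER_SUITES if s[1] >= 128]


@dataclass
class Finding:
    suite: str
    bits: int
    severity: str
    reason: str


def classify_suite(name: str, bits: int) -> Optional[Finding]:
    """Return a Finding when a suite is below this example's policy, else None."""
    if "_NULL_" in name or bits == 0:
        return Finding(name, bits, "critical", "no encryption")
    if "EXPORT" in name or bits < 112:
        return Finding(name, bits, "high", "export-grade key length, brute-forceable")
    if "_RC4_" in name:
        return Finding(name, bits, "medium", "RC4 keystream biases")
    if "3DES" in name:
        return Finding(name, bits, "low", "112-bit effective strength, 64-bit block")
    return None


def audit(suites: List[Suite]) -> List[Finding]:
    """All policy findings for an advertised suite list, worst first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    found = [f for f in (classify_suite(n, b) for n, b in suites) if f]
    return sorted(found, key=lambda f: order[f.severity])


def harden(suites: List[Suite]) -> List[Suite]:
    """The corrected server configuration: drop every suite that raises a
    finding and keep the strong ones the server already has."""
    return [s for s in suites if classify_suite(*s) is None]


def negotiable_floor(server: List[Suite], client: List[Suite]) -> Optional[Suite]:
    """Weakest suite both sides accept, i.e. the worst a connection between
    them can end up at.  None means no suite in common (handshake fails)."""
    accepted = {name for name, _ in client}
    common = [s for s in server if s[0] in accepted]
    return min(common, key=lambda s: s[1]) if common else None


if __name__ == "__main__":
    for f in audit(SERVER_SUITES):
        print(f"{f.severity:8} {f.suite:40} {f.bits:>3} bits: {f.reason}")
    print("floor, as-is server + legacy client :", negotiable_floor(SERVER_SUITES, LEGACY_CLIENT))
    print("floor, as-is server + modern client :", negotiable_floor(SERVER_SUITES, MODERN_CLIENT))
    print("floor, hardened server + legacy client:", negotiable_floor(harden(SERVER_SUITES), LEGACY_CLIENT))
```

Run as-is it prints four findings (two export suites, RC4, 3DES). The point of negotiable_floor is the one the last reply makes: the as-is server leaves a legacy client at 40 bits, a modern client that refuses weak suites is at 128 bits regardless of the server, and removing the export suites from the server protects even the client that would still accept them. The severity labels are this example's own policy, not SSL Labs' grading rules.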