Author Topic: home.getvera.com should secure the SSL on their server  (Read 1981 times)

Offline obrith

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
home.getvera.com should secure the SSL on their server
« on: January 10, 2015, 01:45:40 pm »
This is unbelievable - They have direct access into my/your home network and don't appear to make any effort to secure theirs:

https://www.ssllabs.com/ssltest/analyze.html?d=home.getvera.com&s=65.19.129.174&latest

Solid F. Their servers haven't been patched in a long time and don't follow basically any best practices.

Offline futzle

  • Beta Testers
  • Master Member
  • *****
  • Posts: 3260
  • Karma: +192/-9
Re: home.getvera.com should secure the SSL on their server
« Reply #1 on: January 12, 2015, 04:02:13 pm »
It takes a while to run, so here are choice snippets from the output:

Quote
home.getvera.com (65.19.129.174) overall rating F

Quote
This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate.

Disabling SSL3 will upset users of Internet Explorer 6, which does not implement TLS, the replacement for SSL.  It's my opinion that users of IE6 are not upgraders and are hence not a large source of money to companies these days.

Quote
This server is vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224) and exploitable. Grade set to F.

This vulnerability seems to be a Man-in-the-middle attack, which means your Internet Provider or the intelligence arm of your government can intercept your communication.  "Fortunately", Vera is already vulnerable to this attack through using a common SSH tunnel key, so CVE-2014-0224 doesn't open the attack surface any wider than it already is.

Quote
This server accepts the RC4 cipher, which is weak. Grade capped to B.

Compared to the above two vulnerabilities, this one is less significant.  It would mostly affect older browsers.

If anyone asks why I run Vera on a subnet in my home, I'll point them to this thread.

Offline synthesizerpatel

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
Re: home.getvera.com should secure the SSL on their server
« Reply #3 on: January 22, 2015, 03:20:25 am »
You're putting the cart before the horse if you're concerned about the SSL config being bad.

I watched my VeraEdge upgrade and it's not even downloading firmware over SSL. Hopefully it's a signed binary...

Code:
http://builder1204.mios.com/mt7620a_betafirmware/mt7620a_Luup_ui7-1.7.906-en-mios.squashfs
              - DIRECT/65.19.129.175 -

1421881311.631     76 192.168.1.33 TCP_MISS/200 22316 GET
http://builder1204.mios.com/mt7620a_betafirmware/mt7620a_Luup_ui7-1.7.906-en-mios.sh -
              DIRECT/65.19.129.175 text/x-sh

1421881311.717     61 192.168.1.33 TCP_MISS/200 356 GET
http://builder1204.mios.com/mt7620a_betafirmware/mt7620a_Luup_ui7-1.7.906-en-mios.sh.md5 -
              DIRECT/65.19.129.175 text/x-sh

1421881311.818     61 192.168.1.33 TCP_MISS/200 332 GET
http://builder1204.mios.com/mt7620a_betafirmware/mt7620a_Luup_ui7-1.7.906-en-mios.squashfs.md5 - DIRECT/65.19.129.175 -
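As an added example (not part of the thread or of any Vera/MiOS code), here is a small parser for Squid's native access-log format that flags firmware artifacts fetched over cleartext HTTP, the pattern visible in the log above. The sample lines are constructed from the entries quoted in the post plus one HTTPS control line; the list of artifact suffixes is an assumption.

```python
import re
from urllib.parse import urlsplit

# Squid native access.log field order:
# timestamp elapsed client action/code size method URL ident hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
    r"(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)

# Assumed set of update artifacts that need integrity protection. A sibling
# .md5 file is a checksum, not a signature, so it is deliberately not treated
# as protection and is not itself flagged.
FIRMWARE_SUFFIXES = (".squashfs", ".sh", ".bin", ".img")


def parse_squid_line(line):
    """Split one native-format Squid log line into a dict, or None if malformed."""
    m = SQUID_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["scheme"] = urlsplit(rec["url"]).scheme.lower()
    return rec


def find_cleartext_firmware(lines):
    """Return (client, url) pairs for firmware artifacts fetched over plain HTTP."""
    findings = []
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        path = urlsplit(rec["url"]).path.lower()
        if rec["scheme"] == "http" and path.endswith(FIRMWARE_SUFFIXES):
            findings.append((rec["client"], rec["url"]))
    return findings


# Constructed sample: the .sh, .sh.md5 and .squashfs.md5 fetches quoted in the
# post, the .squashfs fetch itself, and one HTTPS control line that must not fire.
SAMPLE_LOG = [
    "1421881311.631     76 192.168.1.33 TCP_MISS/200 22316 GET http://builder1204.mios.com/mt7620a_betafirmware/mt7620a_Luup_ui7-1.7.906-en-mios.sh - DIRECT/65.19.129.175 text/x-sh",
    "1421881311.717     61 192.168.1.33 TCP_MISS/200 356 GET http://builder1204.mios.com/mt7620a_betafirmware/mt7620a_Luup_ui7-1.7.906-en-mios.sh.md5 - DIRECT/65.19.129.175 text/x-sh",
    "1421881311.818     61 192.168.1.33 TCP_MISS/200 332 GET http://builder1204.mios.com/mt7620a_betafirmware/mt7620a_Luup_ui7-1.7.906-en-mios.squashfs.md5 - DIRECT/65.19.129.175 -",
    "1421881312.004    140 192.168.1.33 TCP_MISS/200 4194304 GET http://builder1204.mios.com/mt7620a_betafirmware/mt7620a_Luup_ui7-1.7.906-en-mios.squashfs - DIRECT/65.19.129.175 -",
    "1421881320.000    200 192.168.1.40 TCP_MISS/200 1024 GET https://example.invalid/firmware/update.squashfs - DIRECT/203.0.113.10 -",
]

if __name__ == "__main__":
    for client, url in find_cleartext_firmware(SAMPLE_LOG):
        print(f"cleartext firmware fetch from {client}: {url}")
```

Run against a real access.log, the two flagged entries correspond to the .sh installer and the .squashfs image; the .md5 companions and the HTTPS control line are ignored.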