[Bug 73644] New: Payment processor website uses RC4 for https encryption

Thu, 20 Nov 2014 02:28:06 -0800 

https://bugzilla.wikimedia.org/show_bug.cgi?id=73644

            Bug ID: 73644
           Summary: Payment processor website uses RC4 for https
                    encryption
           Product: Wikimedia
           Version: wmf-deployment
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Unprioritized
         Component: Fundraising
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected]
       Web browser: ---
   Mobile Platform: ---

Hi,
When trying to make a donation, after entering the amount I wanted to donate I
was redirected to a server, ott9.wpstn.com.
From what I can tell, it's a WorldPay.ca (payment processor) server.

Having configured Firefox to refuse all connections using the RC4 cipher for
SSL/TLS (as RC4 is deprecated and considered insecure), I was not able to
establish a connection to the server (Firefox shows the “no cipher overlap”
error).

An SSL test for the domain shows that it indeed offers RC4 (and nothing else):
https://www.ssllabs.com/ssltest/analyze.html?d=ott9.wpstn.com

This is bad. RC4-encrypted traffic has been likened by some infosec researchers
to “no encryption” and the NSA can allegedly break it in real-time.

Here is the (very poor) list of ciphers offered by the server:
TLS_RSA_WITH_RC4_128_MD5 (0x4)     128
TLS_RSA_WITH_RC4_128_SHA (0x5)     128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)   ECDH 571 bits (eq. 15360 bits RSA)  
FS        128

Furthermore, the server is still offering SSLv3. That should also be disabled,
following the POODLE vulnerability published about a month ago.

The server should be offering modern encryption (forward secrecy, no SSL,
strong non-deprecated ciphers).
Here is a good guide on how to do it on Apache2:
https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

I hope this can be resolved quickly as the Wikipedia fundraising campaign is
ongoing and I don't feel comfortable giving in such conditions nor recommending
others do so, even if I believe it is really important they do support
Wikipedia, when the payment processor's security is in such a sad state.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l

Reply via email to