Thursday, December 18, 2014

Chase Online still vulnerable to POODLE for TLS

Like a lot of companies, Chase Online (owned by JP Morgan) uses the F5 BIG-IP to handle SSL/TLS for its web services. If your web services run on IIS, that is a pretty sensible decision, but only as long as the F5 is secure. As of the morning of Dec 18, 2014 the Chase site is still vulnerable to POODLE for TLS. What makes this worthy of a blog post is that there is a patch for the F5 box and it has been available since Dec 8, 2014. I applied it to my employer's machines on Dec 13 and it brought our score on the Qualys SSL tester from an "F" to a much more comfortable "A-".

This will not affect me directly because I don't bank with Chase and I recently canceled my last credit card with them. Still, I think it displays a contemptuous attitude toward customers not to expedite patching such a highly visible system.

1 comment:

  1. Chase.com still scores an F on SSLlabs.com for failure to apply a patch for POODLE TLS (on most of their IP addresses).

    It's now 1/11 - several days past the deadline imposed by the PCI-DSS to implement the F5-patch (provided that they're terminating SSL on the BIG-IPs).

    It's troubling that the PCI-DSS allows for known vulnerabilities to persist for up to one month, but it's even more troubling that banks like Chase are unable to implement a patch even within that generous time-frame.


Off topic comments will be deleted. Comments with spelling or grammar errors may be deleted unless they have hoplophobic or statist content in which case they will be highlighted and ridiculed.