Thursday, December 18, 2014

Chase Online still vulnerable to POODLE for TLS

Like a lot of companies, Chase Online (owned by JP Morgan) uses the F5 BIG-IP to handle SSL/TLS for its web services. If your web services run on IIS, that is a pretty sensible decision, but only as long as the F5 is secure. As of the morning of Dec 18, 2014, the Chase site is still vulnerable to POODLE for TLS. What makes this worthy of a blog post is that there is a patch for the F5 box and it has been available since Dec 8, 2014. I applied it to my employer's machines on Dec 13 and it brought our score on the Qualys SSL tester from an "F" to a much more comfortable "A-".

This will not affect me directly because I don't bank with Chase and I recently canceled my last credit card with them. Still, I think it displays a contemptuous attitude toward customers not to expedite patching such a highly visible system.