https://bugzilla.wikimedia.org/show_bug.cgi?id=73644
Bug ID: 73644
Summary: Payment processor website uses RC4 for https encryption
Product: Wikimedia
Version: wmf-deployment
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Unprioritized
Component: Fundraising
Assignee: wikibugs-l@lists.wikimedia.org
Reporter: axel+wikime...@axelsimon.net
CC: fr-t...@wikimedia.org
Web browser: ---
Mobile Platform: ---

Hi,

When trying to make a donation, after entering the amount I wanted to donate I was redirected to a server, ott9.wpstn.com. From what I can tell, it's a WorldPay.ca (payment processor) server.

Having configured Firefox to refuse all connections using the RC4 cipher for SSL/TLS (as RC4 is deprecated and considered insecure), I was not able to establish a connection to the server (Firefox shows the "no cipher overlap" error).

An SSL test for the domain shows that it indeed offers RC4 (and nothing else):
https://www.ssllabs.com/ssltest/analyze.html?d=ott9.wpstn.com

This is bad. RC4-encrypted traffic has been likened by some infosec researchers to "no encryption" and the NSA can allegedly break it in real-time.

Here is the (very poor) list of ciphers offered by the server:

TLS_RSA_WITH_RC4_128_MD5 (0x4) 128
TLS_RSA_WITH_RC4_128_SHA (0x5) 128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) ECDH 571 bits (eq. 15360 bits RSA) FS 128

Furthermore, the server is still offering SSLv3. That should also be disabled, following the POODLE vulnerability published about a month ago.

The server should be offering modern encryption (forward secrecy, no SSL, strong non-deprecated ciphers). Here is a good guide on how to do it on Apache2:
https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

I hope this can be resolved quickly as the Wikipedia fundraising campaign is ongoing and I don't feel comfortable giving in such conditions nor recommending others do so, even if I believe it is really important they do support Wikipedia, when the payment processor's security is in such a sad state.
--
You are receiving this mail because:
You are the assignee for the bug.
You are on the CC list for the bug.
_______________________________________________
Wikibugs-l mailing list
Wikibugs-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikibugs-l
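The report above reads a cipher list by eye. As an added example (not part of the bug report, and not code from Wikimedia or the payment processor), the script below applies the same policy the reporter describes to a list of IANA cipher suite names and protocol versions: it flags RC4, MD5 MACs, NULL/export/DES ciphers, key exchange without forward secrecy, and SSLv2/SSLv3. The suite names are the three quoted in the report; the protocol list is constructed (the report only states that SSLv3 is offered, the TLSv1.0 entry is an assumption), and the audit rules themselves are this example's policy rather than SSL Labs' grading algorithm.

```python
"""Audit the cipher suites and protocol versions a TLS server offers.

Added example for this bug report; not the report's or the processor's code.
Suite names are IANA names as shown by SSL Labs or `openssl ciphers -stdname`.
"""
from typing import Dict, List

# Constructed from the three suites quoted in the bug report (names only).
REPORTED_SUITES = [
    "TLS_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
]
# Constructed: the report says SSLv3 is offered; TLSv1.0 is an assumption.
REPORTED_PROTOCOLS = ["SSLv3", "TLSv1.0"]

FORWARD_SECRET_KX = ("ECDHE", "DHE")  # ephemeral (EC)DH gives forward secrecy
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3")


def parse_suite(name: str) -> Dict[str, str]:
    """Split an IANA suite name into key exchange, bulk cipher and MAC/PRF."""
    if "_WITH_" not in name:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) carry no key-exchange
        # part because TLS 1.3 always uses ephemeral (EC)DH.
        bulk, _, mac = name[len("TLS_"):].rpartition("_")
        return {"kx": "TLS1.3", "bulk": bulk, "mac": mac}
    kx, _, rest = name.partition("_WITH_")
    bulk, _, mac = rest.rpartition("_")
    return {"kx": kx[len("TLS_"):], "bulk": bulk, "mac": mac}


def audit_suite(name: str) -> List[str]:
    """Return policy findings for one suite; an empty list means acceptable."""
    parts = parse_suite(name)
    findings: List[str] = []
    if "NULL" in parts["bulk"]:
        findings.append("no encryption (NULL cipher)")
    if "EXPORT" in name:
        findings.append("export-grade key sizes")
    if "RC4" in parts["bulk"]:
        findings.append("RC4 stream cipher (deprecated; biased keystream)")
    if "DES" in parts["bulk"]:  # matches both DES and 3DES
        findings.append("DES/3DES block cipher (64-bit block)")
    if parts["mac"] == "MD5":
        findings.append("MD5-based MAC")
    if "anon" in parts["kx"]:
        findings.append("anonymous key exchange (no server authentication)")
    if parts["kx"] != "TLS1.3" and not parts["kx"].startswith(FORWARD_SECRET_KX):
        findings.append("no forward secrecy (static RSA/DH key exchange)")
    return findings


def audit_protocols(protocols: List[str]) -> List[str]:
    """Flag protocol versions that must be disabled outright."""
    return [
        f"{proto} enabled (SSLv3 is subject to POODLE; disable)"
        for proto in protocols
        if proto in LEGACY_PROTOCOLS
    ]


def audit(suites: List[str], protocols: List[str]) -> Dict[str, object]:
    """Evaluate a server's offering under a strict policy.

    Any flagged suite or legacy protocol fails the server: a server that
    still offers a weak suite can be steered to it by a client that only
    offers weak suites, so the weakest offered option is what counts.
    """
    suite_findings = {s: audit_suite(s) for s in suites}
    acceptable = [s for s, f in suite_findings.items() if not f]
    proto_findings = audit_protocols(protocols)
    clean = acceptable and not proto_findings and all(
        not f for f in suite_findings.values()
    )
    return {
        "suites": suite_findings,
        "acceptable": acceptable,
        "protocols": proto_findings,
        "verdict": "PASS" if clean else "FAIL",
    }


def format_report(result: Dict[str, object]) -> str:
    """Render an audit result as plain text, one finding per line."""
    lines = [f"Verdict: {result['verdict']}"]
    for suite, findings in result["suites"].items():  # type: ignore[union-attr]
        lines.append(f"  {suite}: " + ("; ".join(findings) or "ok"))
    for finding in result["protocols"]:  # type: ignore[union-attr]
        lines.append(f"  protocol: {finding}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit(REPORTED_SUITES, REPORTED_PROTOCOLS)))
```

Run as-is it reports FAIL with every reported suite flagged for RC4, the two static-RSA suites additionally flagged for missing forward secrecy (and MD5 on the first), and SSLv3 flagged as a protocol finding. Feeding it a list of ECDHE/AES-GCM or TLS 1.3 suites with only TLSv1.2 and TLSv1.3 enabled yields PASS, which is the target state the report asks for.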