Apr 7, 2014

How Secure is The IRS's SSL Implementation? Not very

I write posts like this periodically, mainly because implementing SSL is one of my duties at my day job. Not only that, I have to implement it and make sure it follows best practices for PCI compliance.

Every time I use a site that uses SSL, I look at its certificate information, then go a step further and run a server test against the site using the SSL Labs tool. It spits out a report of which ciphers and protocols are implemented, and what kind of attacks can be used against that server to compromise security.

Well, I happened to be on the IRS site to request old tax transcripts, and I decided to run a test. The IRS received an F rating!

As you can see, the IRS site is vulnerable to man-in-the-middle attacks, and if you scroll down further on the report page you see they are vulnerable to The BEAST. Kind of pathetic for a government website, if you ask me. However, they aren't the only government agency with a poor SSL implementation.
