Closed Bug 1142703 Opened 7 years ago Closed 6 years ago

www.usairways.com is RC4 only

Categories

(Web Compatibility :: Desktop, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jvehent, Unassigned)

Details

(Whiteboard: [sitewait])

$ ./cipherscan www.usairways.com
..
Target: www.usairways.com:443

prio  ciphersuite  protocols              pfs_keysize
1     RC4-SHA      TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 7200
OCSP stapling: not supported
Server side cipher ordering
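
The scan output above can be checked mechanically. The following is an added example, not part of the original bug report or of cipherscan itself: a small parser for the table layout shown in this report that flags an RC4-only server. The function names, the finding tags, and the treatment of a blank or "None" pfs_keysize column as "no forward secrecy" are assumptions of this example.

```python
import re

# Constructed sample: the cipherscan output quoted in this bug report.
SAMPLE = """\
Target: www.usairways.com:443

prio  ciphersuite  protocols              pfs_keysize
1     RC4-SHA      TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 7200
OCSP stapling: not supported
Server side cipher ordering
"""

# One table row: prio, ciphersuite, protocols, optional pfs_keysize column.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_cipherscan(text):
    """Return (target, rows) with rows sorted by server priority."""
    target, rows = None, []
    for line in text.splitlines():
        if line.startswith("Target:"):
            target = line.split(":", 1)[1].strip()
        m = ROW.match(line)
        if m:
            prio, suite, protos, pfs = m.groups()
            rows.append({"prio": int(prio), "suite": suite,
                         "protocols": protos.split(","), "pfs": pfs})
    return target, sorted(rows, key=lambda r: r["prio"])

def assess(text):
    """Return (target, findings); findings is a list of short tags."""
    target, rows = parse_cipherscan(text)
    if not rows:
        raise ValueError("no ciphersuite rows found in scan output")
    # OpenSSL-style names carry RC4 as one dash-separated token (RC4-SHA, ECDHE-RSA-RC4-SHA).
    is_rc4 = ["RC4" in r["suite"].upper().split("-") for r in rows]
    findings = []
    if all(is_rc4):
        findings.append("rc4-only")       # clients that refuse RC4 cannot connect
    elif is_rc4[0]:
        findings.append("rc4-preferred")  # RC4 is the server's first choice
    elif any(is_rc4):
        findings.append("rc4-offered")
    if not any(r["pfs"] not in (None, "None") for r in rows):  # assumption: blank/"None" = no PFS
        findings.append("no-forward-secrecy")
    if re.search(r"^OCSP stapling:\s*not supported", text, re.M):
        findings.append("no-ocsp-stapling")
    return target, findings
```

Calling `assess(SAMPLE)` on the output from this report yields the `rc4-only` tag, which is the condition that makes the site unreachable for a client with RC4 fallback disabled.
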
Right now I can load https://www.usairways.com/ just fine (and it redirects to a non-SSL site), but I can't load https://checkin.usairways.com/ if I have security.tls.unrestricted_rc4_fallback set to false.

So they might have fixed their main www. SSL server [or else I'd be blocked when trying to load the https://www. URL], but https://checkin.usairways.com/ is definitely still RC4-only.

(Scratch that, I can't load https://www.usairways.com/ anymore. I'm guessing I was only able to load it in comment 1 because it's on the whitelist -- but now we're ignoring the whitelist in Nightly.)

SSL Labs analysis:

https://www.ssllabs.com/ssltest/analyze.html?d=usairways.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.usairways.com&s=162.92.180.51&latest

If we're going to contact them, here are some possible contact points:
Twitter: http://twitter.com/americanair
Facebook: https://www.facebook.com/AmericanAirlines
Contactlink (for registered users, apparently): http://www.usairways.com/MEMBERSHIP/Login.aspx?returnURL=http://www.usairways.com/en-US/contact/default.html

I tweeted. Might be a waste of time - you never know..
Whiteboard: [sitewait]
Fixed.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility