[Ach] Qualys SSL Labs - Projects / SSL Server Test / bettercrypto.org

Kurt Roeckx kurt at roeckx.be
Wed Jan 22 19:07:58 CET 2014


On Wed, Jan 22, 2014 at 06:33:40PM +0100, Pepi Zawodsky wrote:
> Since SSLLabs updated their [SSL Server tests][0] I took the time to update our own nginx configuration to an [A+ rating][1]. Actually the only change needed was to increase Strict-Transport-Security max-age=31104000;.
> 
> [0]:http://blog.ivanristic.com/2014/01/ssl-labs-stricter-security-requirements-for-2014.html "stricter Tests"
> [1]:https://www.ssllabs.com/ssltest/analyze.html?d=bettercrypto.org "bettercrypto SSL Test Result"

So it has:
    * Servers that use RC4 with TLS 1.1 or TLS 1.2 protocols are given a warning. This approach allows those who are still concerned about BEAST to use RC4 with TLS 1.0 and earlier protocols (supported by older clients), but we want them to use better ciphers with protocols that are not vulnerable to BEAST.  Almost all modern clients now support TLS 1.2.

But it doesn't say anything about what the result is for sites
that only support RC4 (or 3DES).  I think that any site that
doesn't support AES should be capped to B or something lower.

It also says:
     * Servers that do not support Forward Secrecy with our reference browsers are given a warning.

I'm not sure what that means.  Does that mean that for all clients
that support FS it should negotiate FS, or is having support for
it enough?

It's my understanding that almost all browsers other than IE
prefer FS and that most servers use the browser preference having
as result that those sites do "support" FS, just don't negotiate
it with IE.

I think not having support for FS should be a reason to cap the
grade to B or something, and that not doing it with all browsers
should give the warning.

Looking at the current results, not doing it with all browsers is
what currently gives you the warning.


Kurt
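A small model, added here and not part of Kurt's or Pepi's mail, of the situation Kurt describes: a server that follows the client's cipher preference "supports" forward secrecy, yet negotiates a non-FS suite with a client that lists RSA suites first, while a server that enforces its own order (nginx `ssl_prefer_server_ciphers on`) does not. The suite and client lists are constructed for the example, not measured from real browsers.

```python
# Added example (not from the original mail): model TLS cipher-suite selection
# and check which clients end up without forward secrecy (FS).
# Suite names follow OpenSSL conventions; only ECDHE/DHE prefixes count as FS here.

FS_KEY_EXCHANGES = ("ECDHE", "DHE")


def is_forward_secret(suite: str) -> bool:
    """A suite gives forward secrecy when its key exchange is ephemeral (ECDHE/DHE)."""
    return suite.split("-")[0] in FS_KEY_EXCHANGES


def negotiate(server_suites, client_suites, prefer_server_order):
    """Return the suite the handshake settles on, or None if there is no overlap.

    prefer_server_order=True: the server's list order wins (nginx:
    ssl_prefer_server_ciphers on). False: the first client-listed suite the
    server also accepts wins, i.e. the server follows the browser preference.
    """
    if prefer_server_order:
        first, second = server_suites, client_suites
    else:
        first, second = client_suites, server_suites
    for suite in first:
        if suite in second:
            return suite
    return None


def fs_report(server_suites, clients, prefer_server_order):
    """Map client name -> negotiated suite for every client that does not get FS."""
    non_fs = {}
    for name, offered in clients.items():
        chosen = negotiate(server_suites, offered, prefer_server_order)
        if chosen is None or not is_forward_secret(chosen):
            non_fs[name] = chosen
    return non_fs


# Constructed server list: FS suites first, plain RSA suites as fallback.
SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA",
          "AES128-GCM-SHA256", "AES256-SHA"]
# Constructed client profiles: one prefers FS, one (IE-like) lists RSA first.
CLIENTS = {
    "fs-first browser": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256"],
    "rsa-first browser": ["AES256-SHA", "AES128-GCM-SHA256", "ECDHE-RSA-AES256-SHA"],
}

if __name__ == "__main__":
    print("browser preference:", fs_report(SERVER, CLIENTS, False))
    print("server preference: ", fs_report(SERVER, CLIENTS, True))
```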