[Ach] Updated Mozilla TLS guide

MacLemon metalab.at at maclemon.at
Wed Oct 15 17:30:36 CEST 2014

On 15 Oct 2014, at 16:22, Aaron Zauner <azet at azet.org> wrote:

> I used the same tool about a week ago on bettercrypto.org:443. I mailed you guys to update to our current cipherstring (which also forbids SEED as well as the anon-DH ciphers old openssl versions might negotiate) :)

Keep in Mind that bettercrypto.org:443 gives self-contradicting results on the SSLLabs servertest due to advanced TLS/SNI-SSL Trickery.
Only clients connecting with proper ciphers will get to the real website. Insecure negotiations will get a placeholder page telling them they need to update.

See the supported ciphers and compare to the handshake simulation.
XP is able to connect whith a cipher suite that is not shown as active at all.

SSLLabs Test doesn't (yet) detect this trickery to separate the good and the bad and ugly clients. (This is being worked on.)


More information about the Ach mailing list