
Ivan Ristic

Does not want to have a tagline.
Name:
Ivan Ristic
Status Level:
Level 5 (2,080 points)
Member Since:
Jul 23, 2010
Company:
Qualys  
Occupation:
Director of Application Security Research  
Groups:
QSC 2011 - London, QSC 2012 - Las Vegas

Recent Activity

Ivan Ristic replied to SSL Report incorrectly reports IE6 / XP as working with SHA2 certificates

"Marc,   It's not a bug. I've just verified that IE6 (XP SP3) can be used with a SHA256 certificate. SSL Labs uses one."

in SSL Labs 1 replies
9 hours ago
Ivan Ristic replied to elliptical curves in ECDHE and Dual_EC_DRBG

"There are two separate issues. Dual EC DRBG is one. However, most browsers today support only NIST's named curves for ECDHE, and some worry"

in SSL Labs 1 replies
15 hours ago
Ivan Ristic replied to Both SSLv3 and SSLv2 showing as disabled in scan report

"> Now here is the strange thing in your test it shows both SSL v2 and v3 as disabled, but the site still scores a A-?   Why is that strange"

in SSL Labs 2 replies
15 hours ago
Ivan Ristic replied to dual certificates (safari bug?)

"Safari used to have a bug that prevented it from negotiating ECDHE+ECDSA suites. Because of this, some sites resorted to fingerprinting Safa"

in SSL Labs 1 replies
15 hours ago
Ivan Ristic replied to IE 8 / XP Protocol or cipher suite mismatch

"IIRC, IIS does not support client-initiated renegotiation since version 6. The AllowInsecureRenegoClients is just to allow clients who do no"

in SSL Labs 5 replies
16 hours ago
Ivan Ristic replied to Machine-readable data/API for site results

"Yes, of course, but a JSON dump is our API   Long-term caching of last results is possible, but it's not trivial. We have multiple servers"

in SSL Labs 4 replies
1 day ago
Ivan Ristic replied to Inconsistent scan results

"Never mind. I have experienced the problem myself and now have a much better understanding of it. I think that was one of our servers gettin"

in SSL Labs 5 replies
1 day ago
Ivan Ristic replied to Inconsistent scan results

"I am sure it's resolvable. Understanding why it happens might be difficult, given that I have never experienced the problem. Intermittent is"

in SSL Labs 5 replies
1 day ago
Ivan Ristic replied to Inconsistent scan results

"Is this a freshly-created domain name? We have multiple servers, and it's possible that they had different views of the name until the cache"

in SSL Labs 5 replies
1 day ago
Ivan Ristic replied to Batch Testing SSL Server Test

"No, not at the moment. I'll consider the feature for a future release."

in SSL Labs 2 replies
2 days ago
Ivan Ristic replied to SSL test doesn't warn when reference browsers use RC4 if server doesn't support TLS 1.2

"That's because the site is already penalized for not supporting TLS 1.2. We're treating all sites equally: using RC4 with TLS 1.0 and earlie"

in SSL Labs 1 replies
2 days ago
Ivan Ristic commented on Configuring Apache, Nginx, and OpenSSL for Forward Secrecy

"Apache 2.2.15 does not support Forward Secrecy, which is probably why it's not working for you. Further, CentOS6 might also be disabling Ell"

in Security Labs 46 comments 1 bookmarks
2 days ago
Ivan Ristic replied to SSL Certificate keeps changing on IIS7, I don't have any idea what keeps changing it?

"It's difficult to give the exact steps, because so much depends on the context.   Start by checking the certificate from the server itself,"

in SSL Labs 3 replies
2 days ago
Ivan Ristic replied to Implement TLS 1.2 in Pound Loadbalancer

"With OpenSSL 0.9.8k, you are not going to be able to support TLS 1.2, no matter what software you use.   Upgrading the system version of Op"

in SSL Labs 2 replies
2 days ago
Ivan Ristic replied to Heartbleed OpenSSL

"Hi Sarah,   It means that the feature has not been fully tested, according to our standard for production features. For example, we had to"

in SSL Labs 1 replies
2 days ago
Ivan Ristic replied to Incorrect date calculation on Qualys own test

"Hi Pierre,   While the actual checks take into account the current time, the "expires in" text is approximate. If you're curious why that i"

in SSL Labs 4 replies
2 days ago
Ivan Ristic replied to HSTS shows in curl, but Not in SSLLabs Test

"It's probably that SSL Labs could not find the HSTS header. For example, perhaps you don't have the header when accessed without the www pre"

in SSL Labs 1 replies
2 days ago
Ivan Ristic replied to Machine-readable data/API for site results

"Hi Eric,   We do have an API, but it's now publicly available at the moment. Sorry. We are (and will be) considering making it available, b"

in SSL Labs 4 replies
2 days ago
Ivan Ristic replied to How is an ssl certificate issuer validated?

"Yes, there is math behind the verification. Each certificate includes a signature from the Certificate Authority; the signature can be crypt"

in SSL Labs 1 replies
2 days ago
Ivan Ristic replied to OCSP stapling

"Yes, we'll consider it for the next version of the grading criteria."

in SSL Labs 2 replies
2 days ago
Ivan Ristic replied to Feature Request: Display Key Exchange parameters in SSL Server Test

"Hi Reto,   We already show the key exchange parameters for the DHE and ECDHE key exchanges. For example:   https://www.ssllabs.com/ssltest"

in SSL Labs 2 replies
2 days ago
Ivan Ristic modified SSL Labs Test for the Heartbleed Attack

"Heartbleed is a name for a critical vulnerability in OpenSSL, a very widely deployed SSL/TLS stack. A coding error had been made in the Open"

in Security Labs 17 comments 1 bookmarks
1 week ago
Ivan Ristic replied to HSTS unknown and Pound proxy

"Thanks for catching that. Will fix. (I don't understand how they could have put that in the "Examples" section, without mentioning it in 6.1"

in SSL Labs 3 replies
1 week ago
Ivan Ristic replied to HSTS unknown and Pound proxy

"The initial request goes like this:   GET / HTTP/1.0 Host: www.example.com User-Agent: SSL Labs (https://www.ssllabs.com/about/assessment"

in SSL Labs 3 replies
1 week ago
Ivan Ristic replied to How to disable Insecure Client-Initiated Renegotiation in IIS8

"David,   IIS should not support client-initiated renegotiation at all (starting with IIS6). It's possible that there is another device or s"

in SSL Labs 2 replies
1 week ago