Suggestions on how to improve SSLtest

Question asked by j-mailor on Jul 25, 2013
Latest reply on Nov 10, 2013 by asoryanm

Hi,

First of all, many thanks for making ssllabs.com/ssltest. This is an excellent starting point for SSL security testing.

I have some suggestions on how to improve SSLtest (hope this helps):

OVERALL RATING

1. Provide quick info on how each of "Certificate", "Protocol Support", "Key Exchange" and "Cipher Strength" is evaluated.

Maybe something like mousing over a particular graph to show quick info. I know there is the Rating Guide, but this is just for quick info.

2. In Overall Rating, in the case I tested, it was displayed that the rating was down to B because of a possible BEAST attack, but the page got a C rating and no quick info was displayed on why the grade was down to C. It would be nice if, when the grade is less than A, some quick info says why.

PROTOCOLS

3. If a web page does not support TLS 1.2 then the flag "This site supports only older protocol versions, but not the most recent and more secure TLS 1.2." is displayed in the Overall Rating section, but if you scroll down to the Protocols section there is just "TLS 1.2 ....... No" without a color. I suggest that if TLS 1.2 is No then it is marked orange. Maybe also, if protocol TLS 1.0 is Yes, then both TLS 1.1 and TLS 1.2 should be marked orange if they are No (the orange color should only be on the No text).

Currently there is no marking of what Yes/No should be set.

HANDSHAKE SIMULATION

4. If possible, update browsers to Chrome 28, Firefox 22. It would be nice to add the latest Firefox ESR, which is the only one permitted in our company (this is currently Firefox 17 ESR).

PROTOCOL DETAILS

5. When "Forward Secrecy" is displayed as No it should be marked orange, just like "RC4" is marked orange. I overlooked this setting, because I thought No is OK. Google has drawn attention to Forward Secrecy and makes ciphers that support it the preferred order when their web page is accessed.

6. It would be nice to have a "CRIME attack" section and mark it "vulnerable" or not (just like the BEAST attack). And please add (more info) pointing to: https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls

I know the CRIME attack can be achieved with SSL/TLS compression. What does Compression mean in this section? Probably "TLS Compression" (maybe rename it to make sure this is not some HTTP compression).

7. If a web page is vulnerable to e.g. the BEAST attack then a "(more info)" link is added. But if the web page is not vulnerable then this link is not displayed. I think the link should always be displayed. Someone may wish to read what the BEAST attack is when the web page is protected, so it is difficult to obtain the info.

MISCELLANEOUS

8. "HTTP server signature": I see a lot of web sites telling what version they have installed. Some have a very old version of Apache and are displaying to the world how not updated they are. Maybe mark this orange if too much info is exposed, or just make some "more info" telling that: a) sysadmins should update software and b) hide as much info from a potential attacker as possible.

P.S. If I missed some of the settings that should be marked orange if they are not OK, then please do so.

Regards
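As an added example (not code from the original post, and not SSL Labs' own implementation), a small Python checker that applies the orange-flag rules suggested in this thread to a constructed scan result. The result field names and the forward-secrecy heuristic (an ephemeral (EC)DHE suite must exist and be first in the server's order) are assumptions.

```python
import re

# Constructed sample in the shape of a scan result; not real SSL Labs output.
SAMPLE_SCAN = {
    "protocols": {"SSL 3.0": True, "TLS 1.0": True, "TLS 1.1": False, "TLS 1.2": False},
    "cipher_suites": [  # server's preference order, first is most preferred
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    ],
    "tls_compression": True,
    "http_server_signature": "Apache/2.2.3 (CentOS)",
}

# A product name followed by a dotted version number, e.g. "Apache/2.2.3".
VERSION_RE = re.compile(r"/\d+(\.\d+)+")

def forward_secrecy(suites):
    """Heuristic (assumption): forward secrecy needs an ephemeral (EC)DHE key
    exchange, and counts as preferred only if such a suite is first in order."""
    fs = [s for s in suites if "_ECDHE_" in s or "_DHE_" in s]
    if not fs:
        return "No"
    return "Yes (preferred)" if suites[0] in fs else "Yes (not preferred)"

def flag_findings(scan):
    """Return (setting, value, reason) tuples the report should show in orange."""
    flags = []
    p = scan["protocols"]
    if not p.get("TLS 1.2"):
        flags.append(("TLS 1.2", "No", "most recent protocol version not supported"))
    if p.get("TLS 1.0") and not p.get("TLS 1.1"):
        flags.append(("TLS 1.1", "No", "TLS 1.0 offered but newer version missing"))
    fs = forward_secrecy(scan["cipher_suites"])
    if fs != "Yes (preferred)":
        flags.append(("Forward Secrecy", fs, "no (EC)DHE suite, or not first in server order"))
    if any("_RC4_" in s for s in scan["cipher_suites"]):
        flags.append(("RC4", "Yes", "RC4 suites still offered"))
    if scan["tls_compression"]:
        flags.append(("TLS compression", "Yes", "enables the CRIME attack"))
    sig = scan["http_server_signature"]
    if VERSION_RE.search(sig):
        flags.append(("HTTP server signature", sig, "software version disclosed"))
    return flags

if __name__ == "__main__":
    for setting, value, reason in flag_findings(SAMPLE_SCAN):
        print(f"[orange] {setting}: {value}  ({reason})")
```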