
Grading inconsistency (or I'm misunderstanding how it grades)

Question asked by maurd on Aug 30, 2013
Latest reply on Sep 3, 2013 by Ivan Ristić

Comparing one site to another, I cannot see why one is getting capped at "B" for "BEAST Vulnerability" when both sites accept TLS_RSA_WITH_AES_256_CBC_SHA.


https://www.ssllabs.com/ssltest/analyze.html?d=video.beercandle.com&hideResults=on

vs.

https://www.ssllabs.com/ssltest/analyze.html?d=www.duckduckgo.com&s=50.18.192.251

https://www.ssllabs.com/ssltest/analyze.html?d=blog.wikimedia.org&hideResults=on

 

Maybe I'm missing something, but I don't see it. This is regardless of the fact that my site shouldn't even be listed as "vulnerable", since OpenSSL versions 0.9.6d and later mitigate BEAST with an "empty TLS record". (Sources: http://blogs.cisco.com/security/beat-the-beast-with-tls/ - fourth paragraph; http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html#NOTES)

So, basically, I'm asking why my site is listed as vulnerable and DuckDuckGo isn't when both sites offer CBC ciphers. The kicker is that both my site and the Wikimedia Blog are using identical web servers, so I feel it's not a configuration issue.

Thank you!
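The post cites OpenSSL's empty-record insertion as a BEAST mitigation. The following is an added example, not code from the original post, from SSL Labs or from OpenSSL, that models the two things at issue: why TLS 1.0's CBC IV chaining (each record's IV is the last ciphertext block of the previous record) lets an attacker who can inject chosen plaintext confirm a guess about an earlier record, and why sending an empty record first (OpenSSL's 0/n split) defeats that guess, because the empty record's plaintext is only a keyed MAC, so its ciphertext, and therefore the next IV, cannot be predicted. Everything here is constructed: the block cipher is a SHA-256 Feistel network standing in for AES, the record format is simplified to data || HMAC with zero padding, and the names `Tls10Sender`, `beast_guess` and `run_demo` are assumptions of this example.

```python
"""Toy model of the BEAST guess against TLS 1.0 CBC and of the empty-fragment
(0/n split) mitigation. Constructed example: SHA-256 Feistel cipher, not AES;
simplified record format (data || HMAC, zero-padded); no real TLS framing."""
import hashlib
import hmac
import os

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Keyed permutation on one 16-byte block: 8-round Feistel, SHA-256 round function."""
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of block_encrypt (rounds undone in reverse order)."""
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, hashlib.sha256(key + bytes([i]) + l).digest()[:8]), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


class Tls10Sender:
    """CBC record layer with TLS 1.0 IV chaining: each record's IV is the last
    ciphertext block of the previous record, the property BEAST exploits."""

    def __init__(self, enc_key: bytes, mac_key: bytes, empty_fragment: bool = False):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.empty_fragment = empty_fragment   # OpenSSL-style 0/n split on or off
        self.seq = 0
        self.next_iv = os.urandom(BLOCK)       # first IV comes from the handshake
        self.wire = []                         # every ciphertext record, as the attacker sees it

    def _record(self, data: bytes) -> bytes:
        mac = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + data, hashlib.sha256).digest()
        pt = data + mac
        pt += b"\x00" * (-len(pt) % BLOCK)
        ct = cbc_encrypt(self.enc_key, self.next_iv, pt)
        self.next_iv = ct[-BLOCK:]             # IV chaining
        self.seq += 1
        self.wire.append(ct)
        return ct

    def send(self, data: bytes) -> bytes:
        if self.empty_fragment:
            # Empty record first: its plaintext is only a keyed MAC, so its last
            # ciphertext block (the IV of the data record) is unpredictable, and
            # both records leave in one write, so the attacker cannot wait for it
            # before committing to the chosen plaintext.
            self._record(b"")
        return self._record(data)


def beast_guess(sender: Tls10Sender, target_ct: bytes, target_iv: bytes, guess: bytes) -> bool:
    """Attacker step: inject one chosen block so that, if its IV is the last block on
    the wire, its ciphertext equals target_ct exactly when guess == the secret block."""
    assert len(guess) == BLOCK
    predicted_iv = sender.wire[-1][-BLOCK:]
    chosen = _xor(_xor(guess, target_iv), predicted_iv)
    ct = sender.send(chosen)                   # e.g. attacker-controlled script sends this
    return ct[:BLOCK] == target_ct


def run_demo(empty_fragment: bool, secret: bytes = b"session=deadbeef"):
    """Returns (oracle result for the correct guess, oracle result for a wrong guess)."""
    sender = Tls10Sender(os.urandom(16), os.urandom(16), empty_fragment)
    sender.send(b"GET / HTTP/1.0\r\n")         # earlier traffic; puts ciphertext on the wire
    secret_ct = sender.send(secret)            # victim's record whose first block is the secret
    target_ct = secret_ct[:BLOCK]
    target_iv = sender.wire[-2][-BLOCK:]       # the block chained in as that record's IV
    right = beast_guess(sender, target_ct, target_iv, secret)
    wrong = beast_guess(sender, target_ct, target_iv, b"session=00000000")
    return right, wrong


if __name__ == "__main__":
    print("plain TLS 1.0 chaining:", run_demo(False))   # (True, False): guess confirmed
    print("with empty fragment   :", run_demo(True))    # (False, False): guess not confirmable
```

One caveat worth keeping in mind when reading a scanner's BEAST verdict: the split is applied by whichever side inserts the empty record, so it protects the records that side sends. BEAST confirms guesses about plaintext the client is induced to send to the server, which is why a server-side check looks at which cipher the server negotiates with a TLS 1.0 client rather than at the server's OpenSSL version.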
