
Hardening site to go from B to A..

Question asked by Ian Pettman on Aug 13, 2014
Latest reply on Mar 30, 2015 by Fritz Frei

Following the article http://googleonlinesecurity.blogspot.co.uk/2014/08/https-as-ranking-signal_6.html

we went to https://www.ssllabs.com/ssltest/ and tested one of our sites

We got a B:

The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.

RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available

The server does not support Forward Secrecy with the reference browsers.

We are using IIS 7 on Windows 2008, fully patched. We ran the recommended https://www.nartac.com/Products/IISCrypto/Default.aspx app for best practice settings and rebooted the server.

We went to https://www.ssllabs.com/ssltest/, cleared the cache and tested our site:

The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.

RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available

The server does not support Forward Secrecy with the reference browsers.

We discussed this with our ISP, who recommended disabling SSL 3.00 and RC4 168/168 as this would only invalidate XP users running IE6 (curiously 0.25% of our audience but 0 secs page view), and did so. This corresponds to FIPS 140-2 but has MD5 on. We rebooted the server.

We went to https://www.ssllabs.com/ssltest/, cleared the cache and tested our site:

The server supports only older protocols, but not the current best TLS 1.2. Grade capped to B.

RC4 cipher is used with TLS 1.1 or newer protocols, even though stronger ciphers are available

The server does not support Forward Secrecy with the reference browsers.

 

Suggestions please...