IE6 Handshake Simulation failures should either be removed (EOL client) or NOT be in red

Discussion created by smaug on Nov 9, 2014
Latest reply on Jan 8, 2015 by Rob_T

I am proposing a change to the Handshake Simulation section for SSL Labs reports so that any failures, such as lack of SSLv3, will NOT BE SHOWN IN RED. Many developers implementing HTTPS on their websites associate the red with something bad that they need to fix. In this case, the red is actually something good for the Internet, meaning that SSLv3 is not supported. Many website operators may actually go back and downgrade their HTTPS to support SSLv3 to "fix" that "issue". More broadly, I would think that all End-of-Life (EOL) or unsupported configurations should be removed from this section. At the very least, the color should be changed to orange. IE5 is not included on the client list and why is that? Because it is unsupported and should not be considered any longer. The same is true with IE6 / Windows XP. Java6 is also EOL. Ideally, all EOL clients should be removed from that section too. Thoughts?

 

"""

Handshake Simulation
...
IE 6 / XP   No FS (1)   No SNI (2)   Protocol or cipher suite mismatch   Fail (3)

...

(3) Only first connection attempt simulated. Browsers tend to retry with a lower protocol version.

"""
