
suggestions for server ratings

Question asked by Lily Wilson on Nov 15, 2014
Latest reply on Nov 19, 2014 by John Public

IMO the server rating guide really needs to be updated, with things like POODLE, BEAST, and the weaknesses in RC4 in mind. I'd like to suggest the following changes:


protocol support:

SSL 2.0 or 3.0: 0%
TLS 1.0: 60%
TLS 1.1: 90%
TLS 1.2: 100%


cipher strength: rate RC4 as being <128-bit. maybe also rate 3DES as 112-bit. right now it's displayed by the test as 112-bit, but doesn't seem to lower the score like a <128-bit strength cipher should. it may also be a good idea to make a change like this:

no encryption: 0%
<112-bit: 20%
<128-bit: 40%
<256-bit: 80%
≥256-bit: 100%


also, it'd be nice to adjust the key exchange rating to better match up with the cipher strength rating, use the equivalences from Re: New Time and Space Based Key Size Equivalents for RSA and Diffie-Hellman, and take the subgroup size of DH parameters into account, like so:

weak key or anonymous exchange: 0%
<2048-bit or DH subgroup <224-bit: 20%
<2550-bit or DH subgroup <256-bit: 40%
<6700-bit or DH subgroup <384-bit: 80%
<13500-bit or DH subgroup <512-bit: 90%
≥13500-bit and if applicable, DH subgroup ≥512-bit: 100%
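The three scales proposed in the post, implemented as a small scoring helper. This is an added example, not SSL Labs' own rating code and not something the poster supplied. The thresholds are the post's; the assumptions made here are that a server is scored by its weakest supported protocol, cipher and key exchange, that RC4 is modelled as sitting in the <128-bit band and 3DES at 112 bits as the post asks, that the other cipher strengths are their nominal key sizes, and that the DH subgroup check is applied only where a subgroup size is known. The server profiles at the bottom are constructed samples.

```python
"""Score a TLS server configuration on the rating scales proposed above.

Assumptions (not from the post): a server gets the score of its weakest
supported protocol / cipher / key exchange in each category, and the
DH subgroup band is only applied when a subgroup size is given.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Protocol support bands from the post.
PROTOCOL_SCORE: Dict[str, int] = {
    "SSLv2": 0, "SSLv3": 0, "TLSv1.0": 60, "TLSv1.1": 90, "TLSv1.2": 100,
}

# Effective symmetric strength in bits. RC4 is deliberately placed below
# 128 (any value in [112, 128) lands in the same band) and 3DES at 112,
# as the post proposes; the rest are nominal key sizes (assumed).
CIPHER_BITS: Dict[str, int] = {
    "NULL": 0, "RC4-128": 127, "3DES": 112, "AES-128": 128, "AES-256": 256,
}


def cipher_score(bits: int) -> int:
    """Cipher strength band: 0 / 20 / 40 / 80 / 100 per the proposal."""
    if bits <= 0:
        return 0
    if bits < 112:
        return 20
    if bits < 128:
        return 40
    if bits < 256:
        return 80
    return 100


@dataclass
class KeyExchange:
    kind: str                        # "RSA", "DH" or "anon"
    bits: int                        # RSA modulus or DH prime size
    subgroup_bits: Optional[int] = None  # DH q size, when known
    weak_key: bool = False           # known-weak key, scored 0 like anon


def _modulus_band(bits: int) -> int:
    for limit, score in ((2048, 20), (2550, 40), (6700, 80), (13500, 90)):
        if bits < limit:
            return score
    return 100


def _subgroup_band(bits: int) -> int:
    for limit, score in ((224, 20), (256, 40), (384, 80), (512, 90)):
        if bits < limit:
            return score
    return 100


def key_exchange_score(kx: KeyExchange) -> int:
    """Key exchange band; the weaker of modulus size and DH subgroup size wins."""
    if kx.kind == "anon" or kx.weak_key:
        return 0
    score = _modulus_band(kx.bits)
    if kx.kind == "DH" and kx.subgroup_bits is not None:
        score = min(score, _subgroup_band(kx.subgroup_bits))
    return score


@dataclass
class Server:
    protocols: List[str]
    ciphers: List[str]
    key_exchanges: List[KeyExchange]


def rate(server: Server) -> Dict[str, int]:
    """Per-category score, taking the weakest offered option in each (assumption)."""
    return {
        "protocol": min(PROTOCOL_SCORE[p] for p in server.protocols),
        "cipher_strength": min(cipher_score(CIPHER_BITS[c]) for c in server.ciphers),
        "key_exchange": min(key_exchange_score(k) for k in server.key_exchanges),
    }


# Constructed sample profiles (not real hosts).
LEGACY_SERVER = Server(
    protocols=["SSLv3", "TLSv1.0"],
    ciphers=["RC4-128", "3DES", "AES-128"],
    key_exchanges=[KeyExchange("RSA", 1024)],
)
MODERN_SERVER = Server(
    protocols=["TLSv1.2"],
    ciphers=["AES-256", "AES-128"],
    key_exchanges=[KeyExchange("RSA", 2048), KeyExchange("DH", 2048, subgroup_bits=256)],
)

if __name__ == "__main__":
    for name, srv in (("legacy", LEGACY_SERVER), ("modern", MODERN_SERVER)):
        print(name, rate(srv))
```

The DH subgroup check is the part worth noticing: a 2048-bit DH prime with a 160-bit subgroup scores 20 on this scale even though the modulus alone would earn 40, which is exactly the effect the post asks the grader to capture.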
