
Calomel SSL vs. ssllabs.com validation tests

Question asked by j-mailor on Nov 22, 2014
Latest reply on Nov 23, 2014 by Adm Selec

Hi,

In one of the threads in this forum I saw the Calomel SSL validation tool from https://calomel.org/firefox_ssl_validation.html. It is a Firefox plug-in that can be installed from https://addons.mozilla.org/en-US/firefox/addon/calomel-ssl-validation/

 

I tested one of my web pages and I get A- on the SSLlabs test and "Very weak" on the Calomel test (no perfect secrecy, SHA1 for signing).

 

I also tried github.com and it gets B on SSLlabs (because of having the RC4 cipher enabled) and gets "Very strong" on the Calomel test.

 

So these two tests return completely different results...

 

It looks like these two tests are actually testing two different things (like apples and oranges):

- Calomel: security of current browser session,

- SSLlabs: security of the overall web server's SSL implementation.

 

Calomel tests the cipher suite that is used by the current browser session, checks the certificate and similar. So it tries to figure out how secure the current browser session is. In Firefox about:config I set security.tls.version.min=0 and security.tls.version.max=0, typed https://github.com/ into the URL bar, and I am getting a red "Broken or Untrusted". Changing to security.tls.version.max=1, I am getting a blue "Strong". Setting it to the browser default security.tls.version.max=3, I am getting "Very strong".

 

On the other hand, ssllabs.com tries to find the weakest link (like RC4 cipher enabled, SSLv3 enabled) in the web server's SSL implementation. An attacker on the web server would probably try to break in using the weakest web server problem.

 

Am I missing something?

Regards
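
The difference between the two checks described in the question, as an added example that is not part of the original post: a session-based check reports on the one protocol and cipher suite a single connection negotiated, while a server scan reports on the weakest option the server would accept from any client. The server configuration, suite list and function names below are constructed for illustration and are not scan results for any real host; the per-suite minimum protocol is a simplifying assumption.

```python
# Index in this list equals the Firefox security.tls.version.min/max value.
PROTOCOLS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]

# Constructed server configuration: accepted protocols, and cipher suites in
# server preference order as (name, oldest protocol the suite is used with).
SERVER = {
    "protocols": ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "suites": [
        ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
        ("ECDHE-RSA-AES128-SHA", "TLSv1.0"),
        ("AES128-SHA", "SSLv3"),
        ("RC4-SHA", "SSLv3"),
    ],
}
CLIENT_SUITES = [name for name, _ in SERVER["suites"]]  # constructed client offer

def negotiate(server, version_max, client_suites):
    """Return the single (protocol, suite) pair one session ends up with."""
    common = [p for p in server["protocols"] if PROTOCOLS.index(p) <= version_max]
    if not common:
        return None
    proto = max(common, key=PROTOCOLS.index)
    for name, oldest in server["suites"]:
        usable = PROTOCOLS.index(oldest) <= PROTOCOLS.index(proto)
        if usable and name in client_suites:
            return proto, name
    return None

def session_view(server, version_max, client_suites):
    """What a per-session check can see: only the negotiated pair."""
    result = negotiate(server, version_max, client_suites)
    if result is None:
        return None
    proto, suite = result
    return {
        "protocol": proto,
        "forward_secrecy": suite.startswith(("ECDHE-", "DHE-")),
        "rc4": "RC4" in suite,
    }

def server_view(server):
    """What a server scan can see: every option the server would accept."""
    names = [name for name, _ in server["suites"]]
    return {
        "sslv3_enabled": "SSLv3" in server["protocols"],
        "rc4_enabled": any("RC4" in n for n in names),
        "all_forward_secret": all(n.startswith(("ECDHE-", "DHE-")) for n in names),
    }
```

Against this constructed server, a client with `version_max=3` gets a forward-secret TLSv1.2 session with no RC4, while `server_view` still flags SSLv3 and RC4 as enabled, so the two reports can disagree without either being wrong.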
