Mark Straver

Sites without secure renegotiation + older TLS should get lower grades

Discussion created by Mark Straver on Jan 3, 2015
Latest reply on Feb 17, 2015 by Adm Selec

Sites that do not have secure renegotiation enabled and that do not support current TLS versions (1.2) should get lower grades.

This combination (often TLS 1.0 and secure renegotiation disabled) forces browsers to use an insecure brute-force fallback protocol negotiation - something that is not in any spec but implemented in a number of the "big" browsers to connect "at all costs", but not implemented in other browsers that adhere more closely to the spec and provide tighter security that way. These sites also fail to negotiate a connection with many of the listed simulated browsers (at first attempt).

Currently, the SSL Labs test commonly still grades these sites with a "B", but IMHO they should be graded considerably lower - server operators need to be made very aware that action is required to prevent connection issues and to prevent the use of a very undesirable "brute force" multiples-attempt connection.
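The two properties the post is about can be read straight out of `openssl s_client` output: the "Secure Renegotiation IS supported" / "IS NOT supported" line reports RFC 5746 support, and the "Protocol" line in the SSL-Session block reports the negotiated version. The script below is an added example, not code from the thread or from SSL Labs: it parses saved s_client output and applies the grade cap the post argues for. The `HOST` placeholder, the constructed sample outputs, and the `cap=below-B` label (the post says "considerably lower" without naming a grade) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread or of SSL Labs.
# Capture input with (HOST is a placeholder; a modern client offers TLS 1.2+,
# so the negotiated version is the highest the server supports):
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null > sclient.txt

# Parse s_client output on stdin; print "reneg=<yes|no|unknown> proto=<version|unknown>".
parse_sclient() {
  awk '
    /Secure Renegotiation IS NOT supported/ { reneg = "no" }
    /Secure Renegotiation IS supported/     { reneg = "yes" }
    /^[[:space:]]*Protocol[[:space:]]*:/    { proto = $NF }
    END {
      printf "reneg=%s proto=%s\n", (reneg == "" ? "unknown" : reneg),
                                   (proto == "" ? "unknown" : proto)
    }'
}

# The post's rule, as read by this example: no secure renegotiation AND
# nothing newer than TLS 1.1 means the grade should be capped below B.
# "below-B" is a placeholder label, not an SSL Labs grade.
proposed_cap() {
  reneg="$1"; proto="$2"
  case "$proto" in
    TLSv1.2|TLSv1.3) modern=yes ;;
    *)               modern=no ;;
  esac
  if [ "$reneg" = "no" ] && [ "$modern" = "no" ]; then
    echo "cap=below-B"
  else
    echo "cap=none"
  fi
}

# stdin: s_client output -> one line with the parse result and the cap.
assess() {
  r=$(parse_sclient)
  reneg=${r#reneg=}; reneg=${reneg%% *}
  proto=${r##*proto=}
  echo "$r $(proposed_cap "$reneg" "$proto")"
}

# Constructed sample outputs (trimmed to the relevant lines), not real captures.
SAMPLE_OLD='New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA'

SAMPLE_NEW='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

printf '%s\n' "$SAMPLE_OLD" | assess   # reneg=no proto=TLSv1 cap=below-B
printf '%s\n' "$SAMPLE_NEW" | assess   # reneg=yes proto=TLSv1.2 cap=none
```

To run it against a real server, replace the sample with `assess < sclient.txt`. The parse only looks at one handshake, so a server that supports TLS 1.2 but is reached through a client limited to TLS 1.0 would be misreported; pair it with a `-tls1_2` connection attempt when that matters.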
