
Outdated Protocol Support chapter in SSL Server Rating Guide

Question asked by j-mailor on Jan 7, 2015
Latest reply on Jan 7, 2015 by tlussnig

I have checked the SSL Server Rating Guide and have found what is, in my humble opinion, outdated info. The SSL v3.0 score in the document is 80%, but it is clear from the test that it is 0%.


Also, the "score algorithm" description is a little bit confusing. Now:

1. Start with the score of the best protocol.

2. Add the score of the worst protocol.

3. Divide the total by 2.

 

But the actual algorithm is:

1. If SSL 2.0 or SSL 3.0 is enabled, then the score is automatically 0%.

2. Start with the score of the best protocol.

3. Add the score of the worst protocol.

4. Divide the total by 2.

Note: Maybe, instead of my suggestion of adding step 1 to the algorithm, it could instead be described in the text above, like: For example, both SSL 2.0 and SSL 3.0 have known weaknesses - if either is enabled, the score is automatically 0%.


Also, having SSL 2.0 and SSL 3.0 in the same table (Table 3) is confusing, because if someone has e.g. SSL 2.0 and TLS 1.2 enabled, then according to the formula SSL 2.0 = 0% and TLS 1.2 = 100%, and score = (100 + 0) / 2 = 50%. In my humble opinion it would be better to have two tables, like:


Table 3. Special degrading ratings

Protocol   Score
SSL 2.0    0%
SSL 3.0    0%


Algorithm:

1. Start with the score of the best protocol.

2. Add the score of the worst protocol.

3. Divide the total by 2.

 

Table 4. Protocol support rating guide

Protocol   Score
TLS 1.0    90%
TLS 1.1    95%
TLS 1.2    100%

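The two readings of the protocol-support score discussed in the post, side by side, as an added example (this is not Qualys SSL Labs' own code, and the per-protocol scores and the "SSL 2.0 or SSL 3.0 present means 0%" rule are taken from the post as written, not from the current guide):

```python
"""Protocol-support scoring as described in the thread above.

Added example, not the SSL Labs implementation. Per-protocol scores and
the degrading rule are the ones quoted in the post; the function names
and the structure are this example's own assumptions.
"""

from typing import Iterable, Tuple

# Per-protocol scores as quoted in the post (Table 3 / Table 4).
PROTOCOL_SCORES = {
    "SSL 2.0": 0,
    "SSL 3.0": 0,
    "TLS 1.0": 90,
    "TLS 1.1": 95,
    "TLS 1.2": 100,
}

# Protocols whose mere presence zeroes the protocol score outright
# (the "special degrading ratings" the post proposes as its own table).
DEGRADING_PROTOCOLS = frozenset({"SSL 2.0", "SSL 3.0"})


def _scores_for(enabled: Iterable[str]) -> list:
    """Map enabled protocol names to scores; reject unknown names early."""
    scores = []
    for proto in enabled:
        if proto not in PROTOCOL_SCORES:
            raise ValueError(f"unknown protocol: {proto!r}")
        scores.append(PROTOCOL_SCORES[proto])
    if not scores:
        raise ValueError("at least one enabled protocol is required")
    return scores


def score_as_documented(enabled: Iterable[str]) -> float:
    """Literal reading of the guide text: (best + worst) / 2."""
    scores = _scores_for(enabled)
    return (max(scores) + min(scores)) / 2


def score_as_tested(enabled: Iterable[str]) -> float:
    """Behaviour the post reports from the live test: SSL 2.0 or SSL 3.0
    enabled gives 0% regardless of what else is on; otherwise the
    documented (best + worst) / 2 average applies."""
    enabled = set(enabled)
    if enabled & DEGRADING_PROTOCOLS:
        return 0.0
    return score_as_documented(enabled)


def compare(enabled: Iterable[str]) -> Tuple[float, float]:
    """Return (documented, tested) so the discrepancy is visible at a glance."""
    enabled = list(enabled)
    return score_as_documented(enabled), score_as_tested(enabled)


if __name__ == "__main__":
    # Constructed sample configurations, including the post's SSL 2.0 + TLS 1.2 case.
    for config in (
        ["SSL 2.0", "TLS 1.2"],
        ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"],
        ["TLS 1.0", "TLS 1.2"],
        ["TLS 1.2"],
    ):
        documented, tested = compare(config)
        print(f"{', '.join(config):36s} documented={documented:5.1f}%  tested={tested:5.1f}%")
```

Running it shows the mismatch the post is about: a server with SSL 2.0 and TLS 1.2 enabled averages to 50% under the formula as written but scores 0% under the rule the test actually applies, which is why the post suggests listing the degrading protocols separately from the averaged ones.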