AnsweredAssumed Answered

Feature proposals for SSL-Server check

Question asked by Arnim Rupp on Jan 5, 2015
Latest reply on Jan 8, 2015 by Reginald Dwyer

Hello,

 

you have this great handshake simulation so it would be useful to use that data also for grading the cipher strength of a webserver. For example if a webserver offers a bad cipher like RC4 it's not necessarily a bad thing if it's in the end of the preferred order. But it's bad, if it's in the top position and all major browsers will use it in a handshake. That the server also offers AES doesn't matter and doesn't influence the real world strength of the encrypted traffic (except perhaps for the very few people which have disabled weak ciphers in their browser). Also cipher-downgrade-attacks are a lot harder to successfully pull off than just plain sniffing and cracking the key.

 

Another feature we would like to see is to be able to check non-HTTPS services, which use SSL/TLS like SMTP, POP3, IMAP, FTP, SIP, ...

 

Regards

Arnim

Outcomes