
[Improvement suggestion] Different warning or "not-a-bug" for no forward secrecy with Internet Explorer

Question asked by Adm Selec on Feb 12, 2015
Latest reply on Feb 13, 2015 by Adm Selec

Internet Explorer is not smart enough to support traditional Diffie-Hellman, only elliptic curve. Legacy servers are vice versa, thus no forward secrecy with Internet Explorer.

 

Qualys SSL Labs - Projects / SSL Server Test / mozilla.org

 

The server does not support Forward Secrecy with the reference browsers.


 

IE 8-10 / Win 7 R | TLS 1.0 | TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) | No FS | 128
IE 11 / Win 7 R | TLS 1.2 | TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) | No FS | 128
IE 11 / Win 10 Preview R | TLS 1.2 | TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) | No FS | 128
IE 11 / Win 8.1 R | TLS 1.2 | TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) | No FS | 128


 

Forward Secrecy: With some browsers


An eavesdropper already knows that a user downloads Firefox; they are smart enough not to use Internet Explorer for anything else.

In my country the total IE market share is 6%, and this is only because of the educational institutions and organizations' obsolete Software Restriction Policies. Eventually, other browsers are allowed or even preinstalled by IT staff, so the use of IE is considered to be an accident.

So is this warning important? Using IE isn't secure anyway.

 

Suggestions below:

 

The server does not support Forward Secrecy with Internet Explorer.

 

or

 

The server does not support Forward Secrecy with the browser downloading software.

(my favourite)

 

--------------------------------------------------

 

Forward Secrecy: Yes, except Internet Explorer

 

or

 

Forward Secrecy: Not with Internet Explorer
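
The mismatch described in the question, as an added Python example that is not part of the original post and is not SSL Labs' code: a server that prefers DHE and falls back to plain RSA, a client that offers ECDHE and RSA but no DHE with RSA certificates, and a per-client summary line derived from the simulated handshakes. The suite lists are constructed, simplified samples, and all function names are hypothetical.

```python
# Added example: server-preference cipher suite selection plus a
# forward secrecy (FS) summary per client. All suite lists below are
# constructed, simplified samples, not captured handshakes.

FS_PREFIXES = ("TLS_ECDHE_", "TLS_DHE_")  # ephemeral key exchange gives FS


def has_forward_secrecy(suite):
    return suite.startswith(FS_PREFIXES)


def negotiate(server_prefs, client_offer):
    """First suite in the server's preference order that the client offers."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None  # no common suite: the handshake would fail


def fs_summary(server_prefs, clients):
    """Return (per-client negotiated suite, one-line FS label)."""
    results = {name: negotiate(server_prefs, offer)
               for name, offer in clients.items()}
    # A failed handshake is counted as "no FS" for that client.
    no_fs = sorted(name for name, suite in results.items()
                   if suite is None or not has_forward_secrecy(suite))
    if not no_fs:
        label = "Yes"
    elif len(no_fs) == len(clients):
        label = "No"
    else:
        label = "Yes, except " + ", ".join(no_fs)
    return results, label


# Constructed sample data (assumptions, simplified).
LEGACY_SERVER = ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                 "TLS_RSA_WITH_AES_128_CBC_SHA"]
UPDATED_SERVER = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"] + LEGACY_SERVER
CLIENTS = {
    "Internet Explorer": ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                          "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "Firefox": ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
                "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_AES_128_CBC_SHA"],
}

if __name__ == "__main__":
    for server in (LEGACY_SERVER, UPDATED_SERVER):
        print(fs_summary(server, CLIENTS))
```

With the constructed legacy server list the only common suite for the ECDHE-only client is the plain RSA one, which is the "No FS" row shown in the report; adding an ECDHE suite to the server's list changes the summary to "Yes".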
