First of all I want to say thanks to the SSLLABS team for the great work and great online service!
We use your online service for deep analysis of the configuration of our SSL/TLS web servers, and after 1 month of use we have some questions and would be grateful for answers.
1. Where is POODLE?
Please explain the following situation (maybe again).
After the scan we got this summary:
Please explain why POODLE is mitigated. Why does a CipherSuite with RC4 before a CipherSuite with CBC make POODLE mitigated (I really can't find an explanation)?
For example, if a user of Internet Explorer 6 (without the "V" on TLS 1.0) comes to our web server, two CipherSuites will be available to him:
and if an intruder can force our client to use the CipherSuite with CBC, then hello POODLE, no? (SSLv3 + CBC)
2. API Question
After the scan we got:
but if we use the API for this web server we get:
As we have seen above, POODLE is the single vulnerability that downgrades to C.
But the service didn't forget the downgrade to C:
3. Feature request.
I think for some administrators/organizations it's still important to support the guys with IE6. What about writing, next to "Fail", mini-instructions with tips on when it will work (turn on TLS 1.0 in IE6, upgrade to other browsers, or make a banner for users with an IE6 user-agent, and so on)? Because when these administrators see this, they think O___O and run to turn on SSLv3 again. I think that thanks to these tips, many would finally shut down SSLv3.
Thank you! And sorry for my bad English.
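The cipher-suite question in the post above can be made concrete with a small model of handshake suite selection. This is an added example written for this thread, not code from the SSL Labs service, and it does not reproduce SSL Labs' grading rules: the "exposed" verdict below is the conservative reading the post argues for (any CBC suite still negotiable under SSLv3 counts), which is an assumption of the example. Cipher-suite names are real IANA names; the server order and the two-suite legacy client are constructed to match the situation the post describes.

```python
# Added example for this thread; not code from the SSL Labs service.
# Models SSL/TLS cipher-suite selection to separate "which suite is picked
# first" from "which suites remain negotiable" under SSLv3.

CBC_MARKER = "_CBC_"  # IANA suite names carry the bulk cipher mode in the name


def is_cbc(suite):
    """True for suites whose bulk cipher runs in CBC mode (the POODLE class)."""
    return CBC_MARKER in suite


def negotiate(server_suites, client_suites, server_preference=True):
    """Return the suite a handshake would select, or None if nothing overlaps.

    With server preference the server walks its own ordered list and picks the
    first suite the client also offered; otherwise the client's order wins.
    """
    if server_preference:
        ordered, offered = server_suites, set(client_suites)
    else:
        ordered, offered = client_suites, set(server_suites)
    for suite in ordered:
        if suite in offered:
            return suite
    return None


def assess_poodle(enabled_protocols, server_suites, client_suites,
                  server_preference=True):
    """Describe one client's SSLv3 exposure against this server configuration.

    The verdict keys on what is negotiable under SSLv3, not only on what the
    preference order picks first: every CBC suite in the overlap stays
    reachable if the preferred suite is absent from an offer for any reason.
    (Assumption of this example: that is treated as exposure.)
    """
    result = {
        "sslv3_enabled": "SSLv3" in enabled_protocols,
        "preferred_sslv3_suite": None,
        "negotiable_cbc_suites": [],
        "exposed": False,
    }
    if not result["sslv3_enabled"]:
        return result  # no SSLv3 handshake possible, nothing to assess
    result["preferred_sslv3_suite"] = negotiate(
        server_suites, client_suites, server_preference)
    offered = set(client_suites)
    overlap = [s for s in server_suites if s in offered]
    result["negotiable_cbc_suites"] = [s for s in overlap if is_cbc(s)]
    result["exposed"] = bool(result["negotiable_cbc_suites"])
    return result


# Constructed server order: an RC4 suite placed before the CBC suites.
SERVER_SUITES = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed legacy client with TLS 1.0 switched off: SSLv3 only, two suites.
LEGACY_CLIENT_SUITES = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]


def demo():
    """Same server, same client, with and without SSLv3 enabled."""
    before = assess_poodle(["SSLv3", "TLSv1.0"], SERVER_SUITES, LEGACY_CLIENT_SUITES)
    after = assess_poodle(["TLSv1.0"], SERVER_SUITES, LEGACY_CLIENT_SUITES)
    return before, after


if __name__ == "__main__":
    for label, verdict in zip(("SSLv3 on", "SSLv3 off"), demo()):
        print(label, verdict)
```

Running it shows the two pieces of information the post is asking about side by side: the preferred SSLv3 suite is the RC4 one, yet the 3DES-CBC suite is still in the negotiable overlap, and only removing SSLv3 from the protocol list makes the exposure disappear for this client.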