Mark Straver

Suggestion for SSLLabs: Lower RC4 server score cap

Discussion created by Mark Straver on Mar 26, 2015

The SSLLabs server test currently caps servers offering RC4 to score "B".

With RFC 7465 [1] on the standards track, and RC4 actively being phased out from browsers and other protocols like Kerberos, following this RFC, this score cap seems very lenient.

On top, servers that offer only RC4 are going to be problematic and won't be able to connect, and should get a lower score cap enforced on them. E.g. MSIE11 will not offer RC4 in its ClientHello message anymore on first connect, and other browsers are going to drop (or have already dropped) support for RC4 completely in their default configuration.

Although I do understand that it will take time for deployments to be reconfigured, this is going to be a growing concern.

I would suggest that offering RC4 be capped to "C", and servers offering nothing but RC4 should simply be given an "F" at this point.

[1] RFC 7465 - Prohibiting RC4 Cipher Suites
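Added example (not part of the post above, nor SSLLabs code): a small model of cipher-suite negotiation showing why an RC4-only server stops connecting once a client omits RC4 from its ClientHello, alongside the score cap rule as it stands (B) and as proposed (C / F). The suite lists are constructed for illustration and describe no real server or browser.

```python
# Constructed model of TLS cipher-suite selection and the proposed RC4 score caps.
# Not SSLLabs code; the server/client suite lists below are made up for illustration.
from typing import Iterable, Optional


def is_rc4(suite: str) -> bool:
    """True if an IANA-style cipher suite name uses RC4 as its bulk cipher."""
    return "RC4" in suite.upper()


def negotiate(server_suites: Iterable[str], client_hello_suites: Iterable[str]) -> Optional[str]:
    """Pick the first suite in the server's preference order that the client
    also listed in its ClientHello; None means no overlap, i.e. handshake failure."""
    offered = set(client_hello_suites)
    for suite in server_suites:  # server preference order
        if suite in offered:
            return suite
    return None


def rc4_profile(server_suites: Iterable[str]) -> str:
    """Classify a server configuration as 'none', 'offers_rc4' or 'rc4_only'."""
    suites = list(server_suites)
    rc4 = [s for s in suites if is_rc4(s)]
    if not rc4:
        return "none"
    return "rc4_only" if len(rc4) == len(suites) else "offers_rc4"


def score_cap(server_suites: Iterable[str], proposed: bool = False) -> Optional[str]:
    """Grade cap imposed by RC4 alone. proposed=False: the current cap the post
    describes (B). proposed=True: the post's suggestion (C if RC4 is offered,
    F if nothing but RC4 is offered). None means RC4 imposes no cap."""
    profile = rc4_profile(server_suites)
    if profile == "none":
        return None
    if proposed:
        return "F" if profile == "rc4_only" else "C"
    return "B"


# Constructed sample configurations (assumptions, not measured data)
RC4_ONLY_SERVER = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_RC4_128_MD5"]
MIXED_SERVER = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
# Client that, like the browsers the post mentions, no longer lists RC4 on first connect
MODERN_CLIENT = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]
LEGACY_CLIENT = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    for name, srv in (("rc4-only", RC4_ONLY_SERVER), ("mixed", MIXED_SERVER)):
        print(name, negotiate(srv, MODERN_CLIENT), score_cap(srv), score_cap(srv, proposed=True))
```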