Benjamin Brown

B Rating With SSLv3 + RC4, no TLS 1.2, and no TLS_FALLBACK_SCSV

Discussion created by Benjamin Brown on Apr 14, 2015
Latest reply on Apr 16, 2015 by j-mailor

An SSL Server Test scan resulting in SSLv3 + RC4, no TLS 1.2, and no TLS_FALLBACK_SCSV strikes me as warranting a 'C' rather than a 'B' rating. I propose heavier weighting of SSLv3 + RC4 (especially without downgrade protection) rather than just the two separately, as it could easily lead one to believe that mitigation of POODLE (SSLv3) with RC4 is 'OK' despite the issues with RC4.
Thoughts?
Reference: SSL Server Test: supplementwarehouse.com (Powered by Qualys SSL Labs)
--

Benjamin Brown