
Qualys browser security ratings?

Question asked by Michał Staruch on Jun 29, 2015
Latest reply on Jun 29, 2015 by Michał Staruch

I've noticed recently that some modern-wannabe browsers still struggle with supporting strong crypto. They're often missing support for 256-bit AEAD ciphers (AES-256-GCM, ChaCha20-Poly1305) and MACs like HMAC-SHA-256 and HMAC-SHA-384, they're accepting DH params below 1024 in the case of DHE (Logjam), or they're missing support for non-NSA curves (Curve25519, P-521) in the case of ECDHE.

I've tried to connect with a few browsers to a server with FS-only cipher suites, strong key exchange parameters and a 4x100 score in the Qualys SSL Server Test (available here: https://thundr.eu/), and only about half of the popular browsers were able to establish a connection.

Working: IE11 (Windows 8.1), Safari 8 (OS X 10.10), Links 2.8 (Debian 8.1), BlackBerry 10.3.1 built-in browser.

Not working: Firefox 38 (Windows 8.1), Chrome 43 (Windows 8.1), Android 5.1.1 built-in browser.

Increasing public visibility of the state of strong crypto in browsers could speed up the process of strong crypto adoption. Something like a security ratings project under the Qualys banner could help the case. What's your opinion on that?
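As an added illustration of what such a client rating could look like (example code written for this page, not from the question's author or from Qualys): a server-side check that parses the cipher suites and supported_groups extension out of a TLS 1.2 ClientHello handshake message and scores the four capabilities the question lists. The record layer is assumed stripped, the ClientHello bytes are constructed inline, and the 25-points-per-check weighting is an arbitrary assumption.

```python
import struct

# Subset of IANA cipher suite ids (real values); group ids 25 = secp521r1, 29 = x25519.
SUITES = {
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

def u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def build_client_hello(suite_ids, group_ids):
    """Constructed minimal TLS 1.2 ClientHello handshake message (record layer omitted)."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    groups = b"".join(struct.pack("!H", g) for g in group_ids)
    ext = struct.pack("!HHH", 10, len(groups) + 2, len(groups)) + groups  # supported_groups
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                  # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # suites, one null compression
            + struct.pack("!H", len(ext)) + ext)
    return b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello

def parse_client_hello(msg):
    """Return (cipher suite ids, supported group ids) advertised in a ClientHello."""
    if msg[0] != 1: raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                               # handshake header, version, random
    pos += 1 + msg[pos]                                            # session id
    n = u16(msg, pos); pos += 2
    suites = [u16(msg, i) for i in range(pos, pos + n, 2)]; pos += n
    pos += 1 + msg[pos]                                            # compression methods
    groups = []
    if pos + 2 <= len(msg):                                        # extensions are optional
        end = pos + 2 + u16(msg, pos); pos += 2
        while pos + 4 <= end:
            etype, elen = u16(msg, pos), u16(msg, pos + 2); pos += 4
            if etype == 10:                                        # supported_groups: u16 length + ids
                groups = [u16(msg, i) for i in range(pos + 2, pos + elen, 2)]
            pos += elen
    return suites, groups

def rate_client(msg):
    # Score the capabilities the question lists, 25 points each (weighting is an assumption).
    suites, groups = parse_client_hello(msg)
    names = [SUITES.get(s, "UNKNOWN_%04X" % s) for s in suites]
    checks = {
        "forward_secrecy": any("_ECDHE_" in n or "_DHE_" in n for n in names),
        "aead_256": any("AES_256_GCM" in n or "CHACHA20_POLY1305" in n for n in names),
        "sha2_prf": any(n.endswith(("SHA256", "SHA384")) for n in names),
        "non_nsa_curves": any(g in (25, 29) for g in groups),
    }
    checks["score"] = 25 * sum(checks.values())
    return checks
```

Feeding it a captured ClientHello from each browser in the list above would give a per-browser breakdown of which of the four criteria it fails, which is the kind of data a public rating would need.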
