
Key Exchange

Question asked by Michael Peters on Sep 12, 2015

Right now it looks like the score for Key Exchange is based solely on the certificate.

 

I would change that so that with Certificate you get a 95% if you meet current best practices (2048 RSA / 256 ECDSA) and 100% if you exceed - with maybe a ding if your cert uses SHA1 instead of SHA256

 

And then I would use Key Exchange for actual Key Exchange regardless of certificate - taking into account forward secrecy and the strength of the forward secrecy, doing an average between strongest and weakest.

 

ECDHE with a good curve getting 100%

ECDHE with a mediocre curve getting 95%

ECDHE with a weak curve getting 90%

DHE with >= 4096 getting 90%

DHE with >= 2048 but < 4096 getting 80%

DHE with >= 1024 but < 2048 non-common getting 70%

DHE with >= 1024 but < 2048 common curve getting 60%

DHE < 1024 or no DHE getting 0

 

Obviously those numbers are flexible - but the idea being that the actual key exchange itself be scored, encouraging ECDHE and DHE with good DH Parameters and discouraging weak DH parameters and no forward secrecy.

 

The best and the worst get averaged. That would IMHO encourage robust forward secrecy, which is obtainable with every browser in the test that is still vendor supported.

 

Thoughts?
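The scoring proposed in the post above, as an added example that is not part of the original post or of any scanner's code. It assumes "no DHE" means an offer without forward secrecy (modelled here as `RSA`), and that the caller supplies the curve grade and a `common_group` flag, since the post does not define how either is decided; all names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Offer:
    """One key exchange a server is willing to negotiate (constructed model)."""
    kind: str                          # "ECDHE", "DHE" or "RSA" (no forward secrecy)
    curve_grade: Optional[str] = None  # "good" | "mediocre" | "weak", graded by the caller
    dh_bits: Optional[int] = None      # DH parameter size for DHE
    common_group: bool = False         # True when the DH parameters are widely shared


ECDHE_SCORES = {"good": 100, "mediocre": 95, "weak": 90}


def score_offer(offer: Offer) -> int:
    """Score a single offer using the percentages from the post."""
    if offer.kind == "ECDHE":
        return ECDHE_SCORES[offer.curve_grade]  # KeyError on an ungraded curve
    if offer.kind == "DHE" and offer.dh_bits is not None:
        if offer.dh_bits >= 4096:
            return 90
        if offer.dh_bits >= 2048:
            return 80
        if offer.dh_bits >= 1024:
            return 60 if offer.common_group else 70
    return 0  # DHE below 1024 bits, or no forward secrecy at all


def key_exchange_score(offers: List[Offer]) -> float:
    """Average the strongest and weakest offer, as the post proposes."""
    if not offers:
        raise ValueError("server offers no key exchange")
    scores = [score_offer(o) for o in offers]
    return (max(scores) + min(scores)) / 2


# Constructed server profiles, not scan results.
MODERN = [Offer("ECDHE", curve_grade="good"), Offer("DHE", dh_bits=2048)]
RSA_FALLBACK = [Offer("ECDHE", curve_grade="good"), Offer("RSA")]
LEGACY_DHE = [Offer("DHE", dh_bits=1024, common_group=True)]

if __name__ == "__main__":
    for name, offers in [("modern", MODERN), ("rsa_fallback", RSA_FALLBACK),
                         ("legacy_dhe", LEGACY_DHE)]:
        print(f"{name}: {key_exchange_score(offers):.1f}")
```

The `RSA_FALLBACK` profile shows the effect of the averaging: one offer without forward secrecy halves the score of an otherwise top-rated server.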
