Capping ratings for sites that can't negotiate AES-GCM with all capable browsers

Discussion created by jjlin on Oct 21, 2015
Latest reply on Nov 3, 2015 by Lily Wilson

Hi, I've noticed that it's possible for the SSL Server Test tool to assign an A+ rating to sites that only support AES_256_GCM (but not AES_128_GCM) ciphersuites. I suggest capping the rating for such sites at A- or less, since both Firefox and Chrome do not support AES_256_GCM, and will consequently negotiate something else instead (often AES_256_CBC). I assume these site operators think that by only supporting AES_256_GCM, they're enhancing security for their visitors, but this is really not the case, and I think that assigning a high overall rating provides false validation for such reasoning.
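
As an added illustration of the fallback the post describes (not code from the original thread or from the SSL Server Test), the model below performs server-preference cipher suite selection and checks whether every client profile reaches an AEAD suite; the server and client suite lists are constructed for the example, with `browser_no_aes256_gcm` standing for a browser that supports AES_128_GCM but not AES_256_GCM.

```python
"""Model of how a server offering only AES_256_GCM as its AEAD option ends up
negotiating AES_256_CBC with a browser that lacks AES_256_GCM.  The suite
lists are constructed for illustration, not captured from real browsers."""
import re

# Constructed server configuration: the misconfiguration described in the post.
SERVER_ONLY_AES256_GCM = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
]
# Corrected configuration: AES_128_GCM added so an AEAD suite is reachable
# for clients that cannot do AES_256_GCM.
SERVER_WITH_AES128_GCM = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] + SERVER_ONLY_AES256_GCM

# Constructed client profiles (hypothetical, not real browser lists).
CLIENTS = {
    "browser_no_aes256_gcm": [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    ],
    "client_full_gcm": [
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    ],
}


def negotiate(server_prefs, client_offer):
    """Server-preference selection: the first server suite the client also offers."""
    offered = set(client_offer)
    return next((s for s in server_prefs if s in offered), None)


def is_aead(suite):
    """True for GCM, CCM and ChaCha20-Poly1305 suites; CBC suites are not AEAD."""
    return bool(re.search(r"_(GCM|CCM|CHACHA20_POLY1305)_", suite))


def clients_without_aead(server_prefs, clients=CLIENTS):
    """Map each client that fails to reach an AEAD suite to what it negotiated
    (None if no common suite at all).  An empty result means every profile
    gets AEAD, i.e. no reason to cap the rating on this ground."""
    bad = {}
    for name, offer in clients.items():
        chosen = negotiate(server_prefs, offer)
        if chosen is None or not is_aead(chosen):
            bad[name] = chosen
    return bad
```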