Should plaintext websites really get an A grade?

Question asked by sampablokuper on Jul 8, 2017
Latest reply on Jul 8, 2017 by j-mailor

https://www.hive.co.uk currently redirects to http://www.hive.co.uk, so I was surprised to see that this domain gets an A rating: SSL Server Test: hive.co.uk (Powered by Qualys SSL Labs).

Why was I surprised? Because the TLS implementation at https://www.hive.co.uk may be technically excellent in other respects, but it is for naught if the server simply redirects the client to an insecure protocol. (In a situation like this, the server is effectively performing a downgrade attack!)

The only apparent warning about this on the SSLLabs report is this line, almost at the bottom of the page:

HTTP forwarding     http://www.hive.co.uk   PLAINTEXT

I feel that:

- The A grade is misleading in a case like this, because it gives the (false) impression that a visitor to that website will get a good HTTPS connection.

- The tiny warning about HTTP forwarding, marked only in orange (not red), and buried as it is at the bottom of the page, fails to convey the severity of the issue.

- It would be more appropriate to give an F grade to sites that redirect users to plaintext without recourse.

Please could the SSL Server Rating Guide be amended accordingly? Alternatively, if there are good reasons why my suggestion is a bad idea, please could you explain why?

Thanks!
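The check the post is describing (an https:// origin whose first response sends the visitor to an http:// URL) is easy to automate, and doing it hop by hop is what surfaces the problem that a single "does TLS work" grade hides. The script below is an added example for this thread; it is not code from the original post or from Qualys SSL Labs. It walks a redirect chain without letting the HTTP library follow redirects on its own, and flags the first hop where a secure URL hands the client to a plaintext one. The `example.test` hostnames and all responses in it are constructed (the `.test` TLD is reserved), and the function names `audit`, `fetch_one` and `table_fetcher` are this example's own.

```python
"""Walk a redirect chain hop by hop and flag an HTTPS-to-HTTP downgrade.

Added example, not code from the original post or from Qualys SSL Labs.
audit() is pure logic over a pluggable fetcher, so it runs offline against
constructed response tables; fetch_one() does a single live request with
http.client and reports a redirect instead of following it.
"""
from __future__ import annotations

import http.client
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass
class Hop:
    status: int
    location: Optional[str]  # raw Location header, None if absent


@dataclass
class Verdict:
    chain: List[str] = field(default_factory=list)  # every URL visited, in order
    downgraded_to_plaintext: bool = False
    verdict: str = "unknown"


def fetch_one(url: str, timeout: float = 10.0) -> Hop:
    """One live request for `url`; a redirect is returned, never followed."""
    parts = urlsplit(url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "redirect-audit/0.1"})
        resp = conn.getresponse()
        return Hop(resp.status, resp.getheader("Location"))
    finally:
        conn.close()


def audit(start_url: str, fetch: Callable[[str], Hop] = fetch_one, max_hops: int = 10) -> Verdict:
    """Follow redirects from start_url and classify where the visitor ends up."""
    v = Verdict()
    url = start_url
    for _ in range(max_hops):
        v.chain.append(url)
        hop = fetch(url)
        if hop.status not in REDIRECT_STATUSES or not hop.location:
            break  # terminal response: this is where the browser stays
        nxt = urljoin(url, hop.location)  # Location may be relative
        if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme == "http":
            # The hop the post is about: a secure origin sends the client to
            # plaintext, which undoes whatever the TLS grade measured.
            v.downgraded_to_plaintext = True
            v.chain.append(nxt)
            break
        url = nxt
    else:
        v.verdict = "too-many-hops"  # loop or an unreasonably long chain
        return v
    if v.downgraded_to_plaintext:
        v.verdict = "downgrade-to-plaintext"
    elif urlsplit(v.chain[-1]).scheme == "https":
        v.verdict = "https-end-to-end"
    else:
        v.verdict = "plaintext-throughout"
    return v


def table_fetcher(table: Dict[str, Hop]) -> Callable[[str], Hop]:
    """Offline stand-in for fetch_one, built from a constructed response table."""
    def fetch(url: str) -> Hop:
        return table.get(url, Hop(404, None))  # unknown URL behaves as terminal
    return fetch


# Constructed chains; example.test is a reserved name, not a real site.
DOWNGRADE_CHAIN = {  # the pattern described in the post
    "https://www.example.test/": Hop(301, "http://www.example.test/"),
    "http://www.example.test/": Hop(200, None),
}
SECURE_CHAIN = {  # redirect that stays on HTTPS
    "https://www.example.test/": Hop(301, "/home"),
    "https://www.example.test/home": Hop(200, None),
}
LOOP_CHAIN = {  # redirects to itself forever
    "https://www.example.test/": Hop(302, "https://www.example.test/"),
}

if __name__ == "__main__":
    for name, table in [("downgrade", DOWNGRADE_CHAIN), ("secure", SECURE_CHAIN), ("loop", LOOP_CHAIN)]:
        result = audit("https://www.example.test/", fetch=table_fetcher(table))
        print(f"{name:10s} {result.verdict:24s} {' -> '.join(result.chain)}")
    # Against a real host, audit("https://host/") uses fetch_one for each hop.
```

The important design choice is that redirects are never followed by the HTTP library: each hop is fetched and inspected individually, so a 301 from an https:// URL to an http:// one is seen as a downgrade rather than silently absorbed into a "200 OK" at the end of the chain, which is exactly the blind spot the post complains about in the grading.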
