
I think A is an inappropriate rating for sites with no downgrade prevention (e.g. HSTS and no HPKP)

Question asked by Anon Coward on Apr 10, 2018
Latest reply on Apr 10, 2018 by j-mailor

All government adverts in Australia publish the website name with no "https://" (TV, newspaper, mailouts, etc.) - for example, "census.abs.gov.au" and "aec.gov.au" - both of which collect sensitive PII. Literally millions of people access these sites using free wifi etc., thus affording them no protection whatsoever regardless of the cipher strength, since a MitM attacker can strip all TLS at will.

I recommend that all websites using no downgrade protection at all (e.g. HSTS, HPKP) should have their ratings capped *below* an "A" - so those operators have the necessary incentive to *actually* protect their users.

Granting them a pretty green "A" basically means that they terminate their concentration on improving security at that point, because they've got the "A" that their manager expects.

An "A" should not be so misleading - it should convey at least "best practice", and omitting downgrade protection is not it.

 

e.g. SSL Server Test: aec.gov.au (Powered by Qualys SSL Labs)
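The check behind this complaint, as an added example that is not part of the original post and is not SSL Labs' own grading code: the script below takes a raw HTTPS response, parses its Strict-Transport-Security header as defined in RFC 6797, and classifies how much protection against an SSL-stripping MitM the policy actually gives a browser. The 180-day and one-year thresholds are assumptions (the former is the figure usually quoted for an SSL Labs A+ HSTS bonus, the latter plus includeSubDomains is what hstspreload.org asks for), and the sample responses are constructed, not captured from any real site.

```python
"""Classify the downgrade protection an HTTPS response offers via HSTS.

Added example: not from the original post and not SSL Labs code. Parses a
raw HTTP/1.1 response header block, reads Strict-Transport-Security per
RFC 6797, and reports what an SSL-stripping attacker can still do.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed thresholds (see lead-in): 180 days for a "long" policy, one year
# plus includeSubDomains before a host is eligible for browser preload lists.
LONG_MAX_AGE = 180 * 24 * 3600
PRELOAD_MIN_MAX_AGE = 365 * 24 * 3600


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse an STS header value. Returns None when a browser would discard
    it: no max-age, a non-numeric max-age, or a directive given twice
    (RFC 6797 s6.1 requires max-age and forbids repeated directives)."""
    max_age = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')  # RFC 6797 allows a quoted-string value
        if not name:
            continue  # empty directive between two ';' is permitted by the grammar
        if name == "max-age":
            if max_age is not None or not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP/1.1 header block (status line first, CRLF separated)
    into a dict keyed by lowercase header name. Stops at the blank line."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def downgrade_protection(raw_response: str) -> Tuple[str, str]:
    """Return (level, reason), level being none / weak / good / strong."""
    hsts = parse_response_headers(raw_response).get("strict-transport-security")
    if hsts is None:
        return "none", "no HSTS header: a MitM on the user's network can keep every visit on plain HTTP"
    policy = parse_hsts(hsts)
    if policy is None:
        return "none", "malformed HSTS header: browsers discard it"
    if policy.max_age == 0:
        return "none", "max-age=0 tells the browser to forget the host"
    if policy.max_age < LONG_MAX_AGE:
        return "weak", f"max-age {policy.max_age}s: protection lapses after a short absence"
    if policy.preload and policy.include_subdomains and policy.max_age >= PRELOAD_MIN_MAX_AGE:
        return "strong", "long max-age, includeSubDomains, preload: eligible for preload lists, which also cover the first visit"
    return "good", "long max-age: returning browsers refuse plain HTTP, but the very first visit is still strippable"


# Constructed sample responses (not captured from any real site).
NO_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
SHORT_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=86400\r\n"
    "\r\n"
)
STRONG_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("no-hsts", NO_HSTS), ("short", SHORT_HSTS), ("strong", STRONG_HSTS)):
        level, reason = downgrade_protection(resp)
        print(f"{label:8} -> {level}: {reason}")
```

The classifier deliberately treats a long max-age without preload as only "good": HSTS is learned from an HTTPS response, so a user who first types the bare hostname on hostile wifi is never protected by it, which is exactly the first-visit gap preload lists exist to close. Run it against a real header by pasting the response from `curl -sI https://host` into `downgrade_protection`. Note also that HPKP, the other mechanism the post names, has since been deprecated and removed from mainstream browsers, so HSTS is the downgrade protection that still matters in practice.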