When it comes to analyzing and debugging, we all have our favorite tools… For our SSL department, the CA Security Council SSL Labs test by Qualys is a true must have.
This excellent tool analyses the https installation based on a number of tests against known vulnerabilities and standards: the certificate, protocol support, key exchange and cypher strength…
Known vulnerabilities such as DROWN, BEAST, POODLE and Heartbleed are also tested extensively.
Sinc,e for the first time in 20 years, HTTPS is getting an advantage over classic http traffic – probably also a bit thanks to the forced “push” by Google among others, testing an SSL installation becomes a necessity, and the tool will become more strict as the market evolves.
From 2017 on, the following changes will be incorporated:
- 3DES: Because of the Sweet32 vulnerability enabled support for 3DES in modern browsers will get a C score.
- Forward Secrecy: since Edward Snowden announced several privacy related breached the industry decided to see forward secrecy as a requirement, if this is not enabled on the server, a score of B is the best you will get.
- AEAD Suites: authenticated communication is strongly advised and AEAD is the only suite having support for TLS 1.3. AEAD suites are required to get an A+ score!
- TLS Fallback: since the introduction of the POODLE vulnerability most browsers have made adjustments and TLS_FALLBACK_SCSV is no longer needed to get an A+ rating.
- Weak cyphers: all cyphers with less than 128 bits will get an F rating, without hesitation!
- RC4: Servers supporting RC4 will get a C capped score.
- SHA-1: Sites using an SHA-1 certificate will not be treated as secure and chances are (not confirmed yet) that they might get an F rating. We strongly suggest everyone to replace the SHA-1 certificate with a SHA-256 certificate!
The SSL Labs test helps us in refining an SSL certificate installation and will help you as website or server owner in following up whether your SSL installation is still “up to par” with the recommended strict HTTPS settings.
We always suggest everyone to frequently audit their SSL installation!
Start here to check your HTTPS installation: casecurity.ssllabs.com