  • Cloudbleed

    just for info https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
    created by Rob_T
  • PayPal Gets only B Grades

    I went to log in to PayPal and decided to test their servers' SSL quality. I was shocked to learn that both their servers only got a grade of B, future grade C. Any financial site of this magnitude should ob...
    Paco Hidalgo
    last modified by Paco Hidalgo
  • Thailand's first ever root CA, the first ever SHA-512 on the web!?

    Thailand National Root Certification Authority - G1, the first ever Thai root CA has recently made its way into the Windows Certificate Store resulting in IE/Edge and Chrome as well as plenty others relying on the sam...
  • .NET Framework

    Hello, In addition to the Java tests, could you please add lines for .NET 4.0 and .NET 4.6 ciphers? It'd be useful to know what will be negotiated with them, and whether I am breaking compatibility. Thanks! James
    James Bellinger
    last modified by James Bellinger
  • SHA-1 deprecation countdown

    fyr MS: https://blogs.windows.com/msedgedev/2016/11/18/countdown-to-sha-1-deprecation Starting on February 14th, 2017, Microsoft Edge and Internet Explorer 11 will prevent sites that are prote...
    last modified by Rob_T
  • Testing Android x vs. Chrome on Android x

    Seeing Android 7.0 reduced the list of available curves to just prime256v1 I wonder how to test a server for compatibility considering the current client list in SSL Labs. As I understand, „Android 7.0“...
  • SSL test fails due to firewall rules on number of states per source IP

    Logging this more for reference rather than as a request, in case it can help others facing the same issue. I was seeing my SSL tests fail at the 'Determining available cipher suites' step with an 'Assessment ...
    T M
    last modified by T M
  • Multiple Certificates, OCSP Stapling Result

    Now that nginx supports dual certificate configurations, I wonder how OCSP Stapling is supposed to work with it. Beside that I even more wonder how SSL Labs shows the test results. I’d expect a result based on e...
    Matthias Wächter
    last modified by Matthias Wächter
  • New Suites in Chrome

    Hi, in Chrome 56.0.2906.0 (Android) I found in the ssl client hello some unknown IDs and extensions. curve.id     43690 cipherSuite:     14906 exttension.Type     35...
    last modified by tlussnig
  • Apple blocks WoSign (maybe StartSSL too)

    Hi, should there be a warning on ssltest server test when WoSign is detected? https://support.apple.com/en-us/HT202858 https://support.apple.com/en-us/HT204132 StartSSL (which belongs to WoSign now, maybe i...
    last modified by Rob_T
  • Messages when site does not support HTTPS

    I've noticed that the error messages displayed by the server scan are not consistent when sites do not support HTTPS. E.g., Scanning blog.savemymeds.com yields "Assessment failed: No secure protocols supported" but bl...
    Anand Bhat
    last modified by Anand Bhat
  • X25519 key exchange issues

    Issues with X25519: https://dev.ssllabs.com/ssltest/analyze.html?d=x25519.crypto.report&s=2a03%3ab0c0%3a2%3ad0%3a0%3a0%3adf5%3a2001&latest Chrome 51 handshake simulation reports cipher suite TLS_ECDHE_RSA_WIT...
    Ilari Stenroth
    last modified by Ilari Stenroth
  • ENHANCEMENT REQUEST -- End-of-Life (EoL) web clients -- Please replace red text with grey text and devise a plan to warn users about supporting insecure web clients

    There are numerous end-of-life clients listed on the ssllabs tool for "compatibility". The tool really needs to mark these as grey text instead of red text. This is because red indicates a problem to the web serv...
    last modified by smaug
  • ENHANCEMENT REQUEST -- DROWN -- Please replace orange text with grey text

    When the DROWN check fails, due to no fault of the server operator running a secure website and because the Censys data is not always accurate or up to date, then you should mark the text as grey, not orange. Orange ...
    last modified by smaug
  • ECC Cert: Chain Issues?

    Hey there, I recently started using both an ECC (comodo) and an RSA (geotrust wildcard) cert on www.isc.org, and what we're discovering is that the level of root cert adoption is wildly disparate. Case...
    Dan Mahoney
    last modified by Dan Mahoney
  • Windows 7 (and 8.1) blocks RC4 now

    just for info... beside Win 8.1/2012R2 (since August 2016 Updates) now also Windows 7/2008R2 (only when using IE11!) blocks RC4 by default since October 2016 Updates. https://github.com/ssllabs/ssllab...
    created by Rob_T
  • Mozilla:Phasing Out SHA-1 on the Public Web

    just for info... https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/
    created by Rob_T
  • SSLLabs score for 3DES sites

    As you all may be aware of, 3DES is weak/vulnerable because of its relatively small block size (see: SWEET32). However, the server check still happily gives sites that only offer 3DES an A or A- while the security iss...
    Mark Straver
    last modified by Mark Straver
  • 3DES getting A- rating?

    I noticed that 3DES now is in fact considered weak with the latest info available. But websites that promote 3DES as the preferred encryption method over AES128 and AES256 should not be able to get an A- rating....
    Hugo van der Kooij
    last modified by Hugo van der Kooij
  • User Agent Capabilities Listing for Firefox 49

    Since Firefox 49 added support for AES256-GCM it deserves its own entry in the User Agent Capabilities listing. Currently there is none on dev Qualys SSL Labs - Projects / User Agent Capabilities nor on official Qualy...
    Matthias Wächter
    last modified by Matthias Wächter