
Criticality of SVSC and PFS in summary

Question asked by Bernd Eckenfels on Jan 8, 2015



In the protocol details section there are a few options which are YES/No but are shown in black, and some options are marked orange. Two of them include SCSV and Forward Secrecy. I wonder if we can have different colors/degrees of "failed" in that report to make the analysis a bit better:


a) If FALLBACK_SCSV is not supported, but SSL3 is turned off, it is not that critical. I can understand that you might want to support FALLBACK_SCSV anyway, but since it is a draft and not pressing, I would not mark it orange in this case? (Maybe never make it orange, as the specific POODLE check will catch the problematic case anyway?) It would help to print the oldest protocol supported, like this, and make it orange only for SSL3 (or at least not orange for TLSv1.2 only):


Downgrade attack prevention: No, TLS_FALLBACK_SCSV not supported (Minimum TLSv1.0)


b) There is (it seems) no visual difference between a server which does not negotiate PFS (by default) with all reference browsers, as opposed to a server which does not support PFS at all. I would make this distinction, as one server could still be used by security-minded people to do PFS while the other configuration would refuse it. What do you think: is there / should there be a difference in the summary text?


Forward Secrecy: No (WEAK)

Forward Secrecy: Not by Default (WEAK)
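The two distinctions the post asks for can be made mechanically from a scan result. The following is an added example, not SSL Labs code and not the poster's: it simulates cipher-suite negotiation against a few constructed "reference client" profiles (hypothetical offered-suite lists, not real browser fingerprints) to separate "No" from "Not by default", and prints the SCSV line with the oldest enabled protocol, raising the severity only when SSL 3.0 is still reachable, as the post proposes. One caveat a practitioner should keep in mind: TLS_FALLBACK_SCSV (a draft when this was asked, later RFC 7507) also blocks a forced fallback from TLS 1.2 to TLS 1.0, which would silently lose AEAD suites, so "SSL3 off" reduces but does not remove the value of the signal.

```python
"""Toy classifier for two SSL Labs-style summary lines.

Constructed for illustration; not SSL Labs code. Cipher-suite names follow
OpenSSL naming; the reference client profiles are hypothetical.
"""

# Suites whose key exchange gives forward secrecy (ephemeral DH / ECDH).
PFS_PREFIXES = ("ECDHE-", "DHE-")

# Protocol versions, oldest first, used to find the minimum enabled one.
PROTOCOL_ORDER = ["SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]


def negotiate(server_suites, client_suites, server_prefers=True):
    """Return the suite a handshake would settle on, or None.

    With server-order preference the first server suite the client also
    offers wins; otherwise the first client suite the server supports wins.
    """
    first, second = ((server_suites, client_suites) if server_prefers
                     else (client_suites, server_suites))
    for suite in first:
        if suite in second:
            return suite
    return None


def is_pfs(suite):
    return suite is not None and suite.startswith(PFS_PREFIXES)


def forward_secrecy_summary(server_suites, server_prefers, reference_clients):
    """Three outcomes instead of two.

    'No'             : no PFS suite is enabled at all (nobody can get it).
    'Not by default' : PFS suites exist, but at least one reference client
                       ends up on a non-PFS suite (a careful client could
                       still force PFS by offering only ECDHE/DHE).
    'Yes'            : every reference client negotiates a PFS suite.
    """
    if not any(is_pfs(s) for s in server_suites):
        return "No"
    negotiated = {name: negotiate(server_suites, offered, server_prefers)
                  for name, offered in reference_clients.items()}
    if all(is_pfs(s) for s in negotiated.values()):
        return "Yes"
    return "Not by default"


def downgrade_summary(protocols, fallback_scsv):
    """SCSV line carrying the minimum protocol, plus a severity.

    Severity is 'warn' (orange) only when an SSLv3-or-older fallback target
    still exists, as proposed in the post; otherwise 'info'.
    """
    oldest = min(protocols, key=PROTOCOL_ORDER.index)
    if fallback_scsv:
        return (f"Downgrade attack prevention: Yes, TLS_FALLBACK_SCSV "
                f"supported (Minimum {oldest})", "ok")
    severity = "warn" if oldest in ("SSL 2.0", "SSL 3.0") else "info"
    return (f"Downgrade attack prevention: No, TLS_FALLBACK_SCSV "
            f"not supported (Minimum {oldest})", severity)


# Hypothetical reference clients (constructed; not real browser handshakes).
REFERENCE_CLIENTS = {
    "modern": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256", "AES128-SHA"],
    "legacy": ["AES128-SHA", "DES-CBC3-SHA"],
}

if __name__ == "__main__":
    # Server lists a non-PFS suite first and enforces its own order:
    # the legacy client, and even the modern one, land on AES128-SHA.
    srv = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
    print("Forward Secrecy:", forward_secrecy_summary(srv, True, REFERENCE_CLIENTS))
    # Same suites, client order honoured: modern gets ECDHE, legacy cannot.
    print("Forward Secrecy:", forward_secrecy_summary(srv, False, REFERENCE_CLIENTS))
    # No ephemeral suite enabled at all.
    print("Forward Secrecy:", forward_secrecy_summary(["AES128-SHA"], True, REFERENCE_CLIENTS))
    for protos in (["TLS 1.0", "TLS 1.1", "TLS 1.2"], ["SSL 3.0", "TLS 1.0"]):
        line, sev = downgrade_summary(protos, False)
        print(f"[{sev}] {line}")
```

With the constructed profiles, a server that enables ECDHE but orders AES128-SHA first is reported as "Not by default" rather than "No", which is exactly the difference a client that offers only ECDHE suites would experience.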