
suggestions to update the scores

Question asked by Rob_T on Mar 6, 2015
Latest reply on Mar 9, 2015 by Rob_T

Hi All


I collected some ideas and would like to suggest them, to raise the level required to get a better score.


Please discuss and vote.


1) RC4, now dead per RFC, and Black Hat will show some new attack against RC4

As already suggested in another thread, RC4 should be worse than "B",
so e.g.:
RC4-only server = F
RC4 top priority = D or E (was this score never used?); F is maybe too much, because top priority could be avoided by "RC4 only as a fallback" (for browsers like IE 11/W8)
RC4 elsewhere = C
maybe B if RC4 is the lowest priority, but I do not prefer that


2) No FS for the reference browsers should be no better than B (currently A-).
These days there should be no excuse anymore for servers not to provide FS.


3) Export 56-bit should be "insecure", not "weak" (dev currently marks only 40-bit as insecure).
4) 3DES 112-bit should be "weak", not normal (yellow), because it is below the suggested minimum of 128 bits.
5) There is also a score issue. The Rating Guide says:


Table 5. Cipher strength rating guide

Cipher strength                Score
0 bits (no encryption)         0%
< 128 bits (e.g., 40, 56)      20%
< 256 bits (e.g., 128, 168)    80%
>= 256 bits (e.g., 256)        100%

But a server with 3DES + 256 gets 80%, so 112 is scored as 128-bit.
Maybe 112 should get e.g. 40% or 60%? Otherwise the Rating Guide should be updated to clarify the score for 112-bit anyway.


6) Should (EC)DHE 128 GCM be scored like 256 CBC?


Less important:

7) If so (6), then maybe also mark 256 CBC and GCM green (if the key exchange is also good), while other 128-bit stays black/normal?

8) Remove TLS_FALLBACK_SCSV as a requirement for A+, when most browsers can do this without this server function
(AFAIK FF 37 will add this; see Firefox Beta Notes (37.0beta), Mozilla: "Disabled insecure TLS version fallback for site security").
Especially because TLS_FALLBACK_SCSV has no final RFC yet.
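The Table 5 buckets and the 3DES 112-vs-168-bit question from point 5, as an added example in Python that is not part of the original post and not SSL Labs' own grader. It assumes OpenSSL-style cipher suite names, a `count_3des_as_112` toggle, a constructed suite list, and a simple weakest/strongest summary; the exact formula SSL Labs combines per-suite scores with is not in the post, so the summary is an assumption made here for illustration.

```python
"""Toy cipher-strength scorer built around Table 5 as quoted in the post.

Added example, not SSL Labs code: the suite-name parsing, the
count_3des_as_112 toggle and the weakest/strongest summary are assumptions
made here to illustrate how 3DES lands in a different bucket depending on
whether its nominal (168) or effective (112) key strength is counted.
"""
import re


def strength_score(bits: int) -> int:
    """Table 5 buckets: 0 bits -> 0%, <128 -> 20%, <256 -> 80%, >=256 -> 100%."""
    if bits <= 0:
        return 0
    if bits < 128:
        return 20
    if bits < 256:
        return 80
    return 100


def effective_bits(suite: str, count_3des_as_112: bool = False) -> int:
    """Symmetric key strength for an OpenSSL-style cipher suite name.

    Assumption: OpenSSL naming (EXP-/EXP1024- prefixes, DES-CBC3, AES128 ...).
    3DES is reported at its nominal 168 bits unless count_3des_as_112 is set,
    which is what the post's points 4 and 5 argue for.
    """
    s = suite.upper()
    if "NULL" in s:
        return 0                      # no encryption at all
    if s.startswith("EXP1024"):
        return 56                     # 56-bit export grade
    if s.startswith("EXP"):
        return 40                     # 40-bit export grade
    if "DES-CBC3" in s or "3DES" in s:
        return 112 if count_3des_as_112 else 168
    if "DES-CBC" in s:
        return 56                     # single DES
    m = re.search(r"(AES|CAMELLIA|ARIA)(128|256)", s)
    if m:
        return int(m.group(2))
    if "CHACHA20" in s:
        return 256
    if any(x in s for x in ("RC4", "SEED", "IDEA")):
        return 128
    raise ValueError(f"unrecognised suite: {suite}")


def has_forward_secrecy(suite: str) -> bool:
    """Ephemeral (EC)DH key exchange gives forward secrecy (post's point 2)."""
    return suite.upper().startswith(("ECDHE-", "DHE-", "EDH-"))


def summarise(suites, count_3des_as_112: bool = False) -> dict:
    """Per-suite scores plus the weakest/strongest bucket the list reaches.

    Assumption: reporting weakest and strongest is this example's own way of
    summarising a list; the formula SSL Labs uses is not on the page.
    """
    rows = []
    for suite in suites:
        bits = effective_bits(suite, count_3des_as_112)
        rows.append((suite, bits, strength_score(bits)))
    scores = [score for _, _, score in rows]
    return {
        "suites": rows,
        "weakest_score": min(scores),
        "strongest_score": max(scores),
        "offers_rc4": any("RC4" in s.upper() for s in suites),
        "all_forward_secret": all(has_forward_secrecy(s) for s in suites),
    }


# Constructed example suite list (not a real server's): strong AES-GCM with
# ECDHE, plus the legacy AES128-SHA and 3DES suites many 2015 servers kept.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "DES-CBC3-SHA",
]

if __name__ == "__main__":
    for strict in (False, True):
        result = summarise(SAMPLE_SUITES, count_3des_as_112=strict)
        label = "3DES as 112 bits" if strict else "3DES as 168 bits"
        print(f"{label}: weakest {result['weakest_score']}%, "
              f"strongest {result['strongest_score']}%")
        for suite, bits, score in result["suites"]:
            print(f"  {suite:32} {bits:3d} bits -> {score:3d}%")
```

Run with the constructed list, the same server's weakest suite scores 80% when 3DES is counted at 168 bits and 20% when it is counted at 112 bits, which is the gap between Table 5's "< 256 bits (e.g., 128, 168)" row and the 112-bit value the post argues should apply.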