
SSL Report: duckduckgo.com  - cinquemb
https://www.ssllabs.com/ssltest/analyze.html?d=duckduckgo.com&s=50.18.192.251
======
olympus
Can someone provide commentary on what this means for those of us who aren't
knowledgable about SSL/secure web traffic stuff? Is an A rating really good (I
presume it is), or is it one of those things that you aren't really good
unless you get an A+? What does 'RC4 yes PROBLEMATIC' mean and is that a
vulnerability with any real world significance?

edit: Or is this about the fact that it supports forward secrecy?

~~~
Mithrandir
They just enabled forward secrecy today:
[https://twitter.com/duckduckgo/status/349948709418696706](https://twitter.com/duckduckgo/status/349948709418696706)

This link has a nice rundown of why RC4 is no longer recommended for SSL/TLS:
[http://blog.cryptographyengineering.com/2013/03/attack-of-
we...](http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-
kind-of-broken-in.html)

Basically:

"According to AlFardan, Bernstein, Paterson, Poettering and Schuldt (a team
from Royal Holloway, Eindhoven and UIC) the RC4 ciphersuite used in SSL/TLS is
broken. If you choose to use it -- as do a ridiculous number of major sites,
including Google -- then it may be possible for a dedicated attacker to
recover your authentication cookies. The current attack is just on the edge of
feasibility, and could probably be improved for specific applications."

~~~
jmillikin
A frustrating problem with ssllabs.com and RC4 is that it appears there is no
way to achieve a 100% score. Sites are penalized for supporting RC4 if RC4 is
placed above AES-CBC, and penalized as being vulnerable to BEAST if AES-CBC is
placed above RC4. If CBC and RC4 are both disabled then no major browser can
successfully negotiate a cipher.

The BEAST penalty applies even if the preferred AES-CBC ciphers are defined by
TLSv1.2 and thus shouldn't be vulnerable to BEAST.

[https://www.ssllabs.com/ssltest/analyze.html?d=john-
millikin...](https://www.ssllabs.com/ssltest/analyze.html?d=john-millikin.com)

~~~
ivanr
It is actually possible to achieve 100%, but you have to run only TLS 1.2,
IIRC. But that would also make your web site inaccessible to most users.

But don't blame us, that's just the current situation with SSL/TLS. We're only
reporting it. BTW, we used to show scores in the result, but too many people
were trying to game the system (rather than be reasonable). As a result, we're
showing only the grades now. In the future, the numerical scoring will be
probably removed completely (switching to rule-based scoring).

As for BEAST, our test tests SSL 3.0 and TLS 1.0 specifically, but not TLS
1.1+. So, the way to go with BEAST is to force RC4 with TLS 1.0 and earlier,
some CBC suite with TLS 1.1, and GCM suites with TLS 1.2.

~~~
jmillikin

      > So, the way to go with BEAST is to force RC4 with TLS
      > 1.0 and earlier, some CBC suite with TLS 1.1, and GCM
      > suites with TLS 1.2.
    

Since most browsers now include mitigations for BEAST, don't you think that
the proven insecurity of RC4 is more dangerous to users than BEAST?

~~~
ivanr
Both (BEAST and RC4) are proven to be real. The only question is which is
worse, and if the attacks are practical. In my view, both are equally unlikely
to be a threat for an average web site.

I'd love to get rid of the BEAST penalty, but there are no good (high-volume)
stats on what percentage of "all" users is vulnerable to the BEAST attack.
Because Apple is not yet deploying 1/n-1 in their browsers, the vulnerable
BEAST percentage is still quite high. On SSL Labs, about 15%.

Given that attacks against RC4 are not very practical (yet), one possible
direction is to focus on supporting TLS 1.2 (without RC4, obviously), at which
point both RC4 and BEAST attacks will become irrelevant.

~~~
nknighthb
> _I 'd love to get rid of the BEAST penalty_

Please don't. The more attention is paid to it, the more ammo I have in
pressuring the manufacturers of certain embedded systems I'm stuck dealing
with to upgrade their ancient browser codebases.

~~~
tetrep
What's wrong with IE6?

~~~
nknighthb
Believe it or not, IE6 would actually be a major @#!%ing improvement in one or
two cases. At least we'd already know how to work around much of its
braindamage.

------
skorgu
For nginx 1.1.19-1ubuntu0.2 on Ubuntu 12.04 the following config line will get
you that green 'yes' for perfect forward secrecy:

ssl_ciphers ECDHE-RSA-RC4-SHA:ECDHE-RSA-
AES128-SHA:RC4:HIGH:!aNULL:!MD5:-LOW:-SSLv2:-EXP;

You can test with a pair of terminals before you go bouncing your server (via
[0]):

openssl s_server -accept 8888 -cert mywebsite.com.pem -pass stdin -cipher
ECDHE-RSA-RC4-SHA <hit enter a few times>

openssl s_client -connect 127.0.0.1:8888 -cipher ECDHE-RSA-RC4-SHA

I don't know what the proper way to get rid of RC4 is.

[0] [http://baudehlo.wordpress.com/2013/06/24/setting-up-
perfect-...](http://baudehlo.wordpress.com/2013/06/24/setting-up-perfect-
forward-secrecy-for-nginx-or-stud/)

------
signed0
Is this trying to show that Duck Duck Go just enabled PFS (perfect forward
secrecy)?

~~~
shdon
Yes, pretty much.

~~~
lucb1e
Trying my own domain, it says the same. I never touched anything. Are they
sure this is working?

~~~
nknighthb
It's working. "Perfect forward secrecy" is not a specific feature you turn on,
it's actually an implicit consequence of certain ways key exchange can be
implemented.

Chrome says, for the blog mentioned in your profile:

"The connection is encrypted using AES_256_CBC, with SHA1 for message
authentication and ECDHE_RSA as the key exchange mechanism."

"ECDHE" means elliptic curve Diffie-Hellman exchange. This means your server,
whatever it is, is configured to support perfect forward secrecy. If you're
running your own server, you're probably using some recent distribution or
Apache release that defaults to enabling ECDHE. Otherwise, your host may have
done such configuration themselves.

~~~
lucb1e
Okay, thanks for all the info! It's indeed about my blog, and I host it myself
on a fairly recent version of Apache.

------
peterwwillis
Sad: login.yahoo.com [1] gets a B grade due to Client-Initiated Renegotiation,
BEAST, CRIME, RC4 and disabled session resumption. Even login.live.com [2]
isn't that bad.

[1]
[https://www.ssllabs.com/ssltest/analyze.html?d=login.yahoo.c...](https://www.ssllabs.com/ssltest/analyze.html?d=login.yahoo.com&s=209.191.122.42&hideResults=on)
[2]
[https://www.ssllabs.com/ssltest/analyze.html?d=login.live.co...](https://www.ssllabs.com/ssltest/analyze.html?d=login.live.com&s=131.253.61.82&hideResults=on)

------
geal
It's nice to see that they have a sane configuration (even though they should
disable RC4 nowadays). They should implement HSTS, though. It is very easy to
do (just a HTTP header to set).

~~~
jaryd
Thanks for pointing this out -- we're implementing this now.

------
RyanMcGreal
+1 for ssllabs.com. Nice resource.

------
jsonau
Cool tool.

A bit ironic:
[https://www.ssllabs.com/ssltest/analyze.html?d=ssllabs.com](https://www.ssllabs.com/ssltest/analyze.html?d=ssllabs.com)

~~~
makomk
Not particularly. If you read further down, they've marked themselves down
because they intentionally disabled protection against the BEAST attack, in
order to collect some kind of stats on vulnerable clients.

~~~
ivanr
That's right. Good stats on BEAST are difficult to come by, so we're running a
passive handshake analyzer[1] on our site in order to determine what amount of
our clients support the 1/n-1 split. The last time I looked, about 15% of the
browsers we see are still vulnerable to this problem.

[1] For the curious, have a look at
[https://github.com/ssllabs/sslhaf](https://github.com/ssllabs/sslhaf) The
0.1.x branch is the stable one; master is moving from an Apache module toward
a portable library.

------
mikegioia
The funny thing is that SSLLabs' own site throws an "Error code:
ssl_error_no_cypher_overlap" when RC4 is disabled in the browser. Apparently
they don't support browsers that only accept strong ciphers. This is
especially odd because they advise against using RC4.

~~~
ivanr
You are not going to get a failed connection if you only disable RC4. I
suspect you've been too strict with the suites on your end.

------
avtar
_" Wildcard certificates are generally best avoided. Although they are not any
less secure from a strict tech- nical point of view, the way in which they are
typically handled (especially in larger organizations) makes them less secure
in practice."_
[https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Pr...](https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.2.pdf)

I'm curious about this. Could someone please comment on "the way in which they
are typically handled makes them less secure in practice" concern?

~~~
ivanr
[I wrote that document.] With wildcard certificates, the main danger is that
multiple groups with the organization will have access to the same private
keys. The larger the group the worse the security gets: the chances of the
private key leaking are higher, and the people from different groups
effectively gain undetectable MITM capabilities against all other systems. The
same goes for the intruder, who will gain access to everything after
compromising a single system. From that perspective, it's much better to use
separate certificates and keys, and compartmentalize everything.

Then, you are supposed to rotate your keys when someone leaves, or if there is
a compromise. Revoking a shared private key is nearly impossible if it is used
in multiple systems. People get really afraid of breaking stuff, and if they
do, it takes them ages to fix everything.

------
znowi
Quick response. Request for PFS appeared on the duck forum only yesterday.

[https://duck.co/topic/duckduckgo-ssl-not-secure-
enough](https://duck.co/topic/duckduckgo-ssl-not-secure-enough)

------
martindale
Interestingly, Stanford's Applied Crypto Lab scores an "F" with this test:
[https://www.ssllabs.com/ssltest/analyze.html?d=crypto.stanfo...](https://www.ssllabs.com/ssltest/analyze.html?d=crypto.stanford.edu)

------
hiroprot
On a related note, running this against google.com shows that they support
Forward Secrecy as well.

------
TallboyOne
So.. I got an "A" rating but not 100% in all categories. Is there any way I
can improve on this (nginx)?

I have a lot of users with older browsers so that's really important, not sure
if that matters.

ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-
SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;

~~~
ivanr
It's really impossible to give you a concise answer, because there are many
details to take care of. My advice is to download the SSL/TLS Deployment Best
Practices guide:

    
    
        https://www.ssllabs.com/projects/best-practices/
    

which covers virtually everything you need to know on this topic.

------
aray
Why don't they support TLS 1.2?

