Can someone provide commentary on what this means for those of us who aren't knowledgable about SSL/secure web traffic stuff? Is an A rating really good (I presume it is), or is it one of those things that you aren't really good unless you get an A+? What does 'RC4 yes PROBLEMATIC' mean and is that a vulnerability with any real world significance?
edit: Or is this about the fact that it supports forward secrecy?
"According to AlFardan, Bernstein, Paterson, Poettering and Schuldt (a team from Royal Holloway, Eindhoven and UIC) the RC4 ciphersuite used in SSL/TLS is broken. If you choose to use it -- as do a ridiculous number of major sites, including Google -- then it may be possible for a dedicated attacker to recover your authentication cookies. The current attack is just on the edge of feasibility, and could probably be improved for specific applications."
A frustrating problem with ssllabs.com and RC4 is that it appears there is no way to achieve a 100% score. Sites are penalized for supporting RC4 if RC4 is placed above AES-CBC, and penalized as being vulnerable to BEAST if AES-CBC is placed above RC4. If CBC and RC4 are both disabled then no major browser can successfully negotiate a cipher.
The BEAST penalty applies even if the preferred AES-CBC ciphers are defined by TLSv1.2 and thus shouldn't be vulnerable to BEAST.
It is actually possible to achieve 100%, but you have to run only TLS 1.2, IIRC. But that would also make your web site inaccessible to most users.
But don't blame us, that's just the current situation with SSL/TLS. We're only reporting it. BTW, we used to show scores in the result, but too many people were trying to game the system (rather than be reasonable). As a result, we're showing only the grades now. In the future, the numerical scoring will be probably removed completely (switching to rule-based scoring).
As for BEAST, our test tests SSL 3.0 and TLS 1.0 specifically, but not TLS 1.1+. So, the way to go with BEAST is to force RC4 with TLS 1.0 and earlier, some CBC suite with TLS 1.1, and GCM suites with TLS 1.2.
Both (BEAST and RC4) are proven to be real. The only question is which is worse, and if the attacks are practical. In my view, both are equally unlikely to be a threat for an average web site.
I'd love to get rid of the BEAST penalty, but there are no good (high-volume) stats on what percentage of "all" users is vulnerable to the BEAST attack. Because Apple is not yet deploying 1/n-1 in their browsers, the vulnerable BEAST percentage is still quite high. On SSL Labs, about 15%.
Given that attacks against RC4 are not very practical (yet), one possible direction is to focus on supporting TLS 1.2 (without RC4, obviously), at which point both RC4 and BEAST attacks will become irrelevant.
Please don't. The more attention is paid to it, the more ammo I have in pressuring the manufacturers of certain embedded systems I'm stuck dealing with to upgrade their ancient browser codebases.
Believe it or not, IE6 would actually be a major @#!%ing improvement in one or two cases. At least we'd already know how to work around much of its braindamage.
Yes, it's possible. OpenSSL does not allow for per-protocol tuning, but there are some tricks you can use to achieve the same effect. In particular, GCM suites and SHA256/SHA384 suites work only in TLS 1.2, so if you put those first you are effectively prioritizing them on per protocol-basis.
This is from an example that's not related to PFS, so some tuning may be needed. The example is from my (free) OpenSSL Cookbook, which you can get from here:
You are required to register in order to get the book (because the book is not just the PDF). If you don't want to receive any email from me, after you log in, go to the Settings section and unsubscribe from the marketing list.
In general, I don't think the protocol specifications call for some suites to be allowed with certain protocol and some not to. (There are some exceptions, when weak suites need to be deprecated.) In practice, it comes down to how library developers have implemented them. For example, in OpenSSL, you have SSL v2 suites, TLS 1.2 suites, and >= SSL v3 suites. I don't think there are any TLS 1.1-only suites.
> But that would also make your web site inaccessible to most users.
I call this a feature and part of the sad state of the web. In other words i think that is a point they would like to illustrate. I dont think a 100% score should be possible if it isnt technically correct. Poor compatibility on the browser end isnt really their problem and certinly shouldn't limit scoring.
It's hard to believe that anyone could play with that attack (Bernstein/Paterson is a refinement of an older variant) and come away being OK with using RC4.
Adam Langley suggested on HN a few months ago that he was more comfortable with RC4 than with AES-CBC, which TLS unfortunately (due to its '90s heritage) specified in a MAC-then-encrypt construction that leaks timing, but the RC4 attack is scarily simple. Both attacks are extremely noisy, though; with what we understand about the flaws now, you'd surely notice if either attack was being directed at you.
I don't know what is or isn't public about the BEAST demo, but stand by my original point regarding the (unrelated) Lucky 13 and RC4 attacks. The RC4 attack takes, like, a day to run.
[SSL Labs author here.] At this point, the A rating is the minimum you should expect. But, to have a really good configuration, you really ought to also implement 1) HTTP String Transport Security, 2) Forward Secrecy, and 3) Public Key Pinning (not yet quite feasible, but it's getting closer).
The next step for SSL Labs is to start to reward sites when these additional features are deployed.
It'd be nice if they supported TLS 1.1, the CBC ciphers are not supposed to be vulnerable there and they could drop RC4. TBH I wouldn't use RC4 at all these days...
Unfortunately Firefox doesn't yet have TLS 1.1 enabled (apparently you can manually enable it in about:config in recent versions), but Chromium does.
TLS 1.2 would also give them GCM, but AFAICT the only browser that supports that on Linux is Konqueror.
It's working. "Perfect forward secrecy" is not a specific feature you turn on, it's actually an implicit consequence of certain ways key exchange can be implemented.
Chrome says, for the blog mentioned in your profile:
"The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism."
"ECDHE" means elliptic curve Diffie-Hellman exchange. This means your server, whatever it is, is configured to support perfect forward secrecy. If you're running your own server, you're probably using some recent distribution or Apache release that defaults to enabling ECDHE. Otherwise, your host may have done such configuration themselves.
Sad: login.yahoo.com [1] gets a B grade due to Client-Initiated Renegotiation, BEAST, CRIME, RC4 and disabled session resumption. Even login.live.com [2] isn't that bad.
It's nice to see that they have a sane configuration (even though they should disable RC4 nowadays).
They should implement HSTS, though. It is very easy to do (just a HTTP header to set).
Not particularly. If you read further down, they've marked themselves down because they intentionally disabled protection against the BEAST attack, in order to collect some kind of stats on vulnerable clients.
That's right. Good stats on BEAST are difficult to come by, so we're running a passive handshake analyzer[1] on our site in order to determine what amount of our clients support the 1/n-1 split. The last time I looked, about 15% of the browsers we see are still vulnerable to this problem.
[1] For the curious, have a look at https://github.com/ssllabs/sslhaf The 0.1.x branch is the stable one; master is moving from an Apache module toward a portable library.
The funny thing is that SSLLabs' own site throws an "Error code: ssl_error_no_cypher_overlap" when RC4 is disabled in the browser. Apparently they don't support browsers that only accept strong ciphers. This is especially odd because they advise against using RC4.
"Wildcard certificates are generally best avoided. Although they are not any less secure from a strict tech- nical point of view, the way in which they are typically handled (especially in larger organizations) makes them less secure in practice."https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Pr...
I'm curious about this. Could someone please comment on "the way in which they are typically handled makes them less secure in practice" concern?
[I wrote that document.] With wildcard certificates, the main danger is that multiple groups with the organization will have access to the same private keys. The larger the group the worse the security gets: the chances of the private key leaking are higher, and the people from different groups effectively gain undetectable MITM capabilities against all other systems. The same goes for the intruder, who will gain access to everything after compromising a single system. From that perspective, it's much better to use separate certificates and keys, and compartmentalize everything.
Then, you are supposed to rotate your keys when someone leaves, or if there is a compromise. Revoking a shared private key is nearly impossible if it is used in multiple systems. People get really afraid of breaking stuff, and if they do, it takes them ages to fix everything.
It's really impossible to give you a concise answer, because there are many details to take care of. My advice is to download the SSL/TLS Deployment Best Practices guide:
https://www.ssllabs.com/projects/best-practices/
which covers virtually everything you need to know on this topic.
edit: Or is this about the fact that it supports forward secrecy?