mozilla / http-observatory-website

Mozilla Observatory (Website)
https://observatory.mozilla.org/
Mozilla Public License 2.0

Mozilla Observatory Website security issues #305

Open shetakeyourmoneyleaveupoor opened 1 year ago

shetakeyourmoneyleaveupoor commented 1 year ago

Immuniweb.com test results for Mozilla Observatory (see the full results in the link below):

https://www.immuniweb.com/ssl/observatory.mozilla.org/IepbUqru/

The key size (DH parameter) in the Diffie-Hellman key exchange method is set to 1024 bits. A longer value of at least 2048 bits is required to prevent Logjam vulnerability. Non-compliant with PCI DSS requirements

SERVER DOES NOT SUPPORT OCSP STAPLING The server is not configured to support OCSP stapling for its RSA certificate that allows better verification of the certificate validation status. Reconfigure or upgrade your web server to enable OCSP stapling. Non-compliant with NIST guidelines

SERVER DOES NOT SUPPORT EXTENDED MASTER SECRET The server does not support Extended Master Secret (EMS) extension for TLS versions ≤1.2. EMS provides additional security to SSL sessions and prevents certain MitM attacks. Non-compliant with NIST guidelines

SERVER DOES NOT SUPPORT TLSv1.3 Consider enabling support of TLSv1.3 protocol that is considered to be the most secure and stable version of TLS protocol. Misconfiguration or weakness

SERVER DOES NOT HAVE CIPHER PREFERENCE The server does not prefer cipher suites. We advise enabling this feature in order to enforce usage of the best cipher suites selected. Misconfiguration or weakness

SERVER SUPPORTS CLIENT-INITIATED SECURE RENEGOTIATION The server supports client-initiated secure renegotiation, which may be unsafe and allow Denial of Service attacks. Misconfiguration or weakness

SSL labs Tests for Mozilla Observatory

https://www.ssllabs.com/ssltest/analyze.html?d=observatory.mozilla.org&s=52.72.226.152&hideResults=on&ignoreMismatch=on

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

Other issues are listed in report in the link above.
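Several of the findings quoted above (DH parameter size, OCSP stapling, Extended Master Secret, TLS 1.3) can be read straight off an `openssl s_client` transcript. The POSIX shell script below is an added example, not code from this issue or from the Observatory project: it parses two constructed transcripts, one mimicking the reported state and one mimicking a hardened server, and reports pass/fail per finding. The transcripts, the hostname `example.test` and the 2048-bit threshold (the value the report cites for Logjam) are assumptions of the example; the `openssl` commands in the comments are the ones you would run to produce real transcripts.

```shell
#!/bin/sh
# Added example, not code from this issue or from the Observatory project.
# Turns `openssl s_client` transcripts into pass/fail results for four of the
# findings in the report: DH parameter size, OCSP stapling, Extended Master
# Secret (EMS) and TLS 1.3 support. On a live host the transcripts would come
# from commands such as
#   openssl s_client -connect HOST:443 -servername HOST -status -cipher 'DHE' </dev/null
#   openssl s_client -connect HOST:443 -servername HOST -status </dev/null
# Both transcripts below are CONSTRUCTED to mimic the relevant output lines.

# Constructed transcript: DHE handshake with a 1024-bit group, no stapled
# response, TLS 1.2 without EMS (the state the report describes).
WEAK_TRANSCRIPT='CONNECTED(00000003)
OCSP response: no response sent
---
Server certificate
subject=CN = example.test
---
Server Temp Key: DH, 1024 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Extended master secret: no
'

# Constructed transcript: hardened server, elliptic-curve key exchange,
# stapled OCSP response, TLS 1.3 negotiated.
GOOD_TRANSCRIPT='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
======================================
---
Server Temp Key: X25519, 253 bits
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Extended master secret: no
'

# Print the finite-field DH group size in bits, or "none" when the handshake
# used an elliptic-curve group (no Logjam-style DH parameter is involved).
dh_bits() {
  bits=$(printf '%s\n' "$1" | sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits$/\1/p')
  printf '%s\n' "${bits:-none}"
}

# Succeed when DH parameters are absent or at least 2048 bits (assumed
# threshold, taken from the report's Logjam remark); fail otherwise.
check_dh() {
  b=$(dh_bits "$1")
  [ "$b" = none ] || [ "$b" -ge 2048 ]
}

# Succeed when the server stapled a successful OCSP response.
check_ocsp_stapling() {
  printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'
}

# Print the negotiated protocol version from the SSL-Session block, e.g. TLSv1.2.
tls_version() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Protocol *: *//p'
}

# Succeed when TLS 1.3 was negotiated.
check_tls13() {
  [ "$(tls_version "$1")" = TLSv1.3 ]
}

# EMS only matters for TLS <= 1.2 (TLS 1.3 binds the handshake transcript by
# design), so pass on TLS 1.3 or when EMS was negotiated.
check_ems() {
  check_tls13 "$1" && return 0
  printf '%s\n' "$1" | grep -q '^[[:space:]]*Extended master secret: yes$'
}

# Run every check on one transcript; print one line per finding and return
# the number of failed checks as the exit status.
report() {
  failed=0
  for c in check_dh check_ocsp_stapling check_ems check_tls13; do
    if "$c" "$1"; then
      printf '  PASS %s\n' "$c"
    else
      printf '  FAIL %s\n' "$c"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Stand-alone usage: the constructed weak transcript fails all four checks,
# the hardened one passes all four.
echo "weak server:";     report "$WEAK_TRANSCRIPT" || echo "  $? check(s) failed"
echo "hardened server:"; report "$GOOD_TRANSCRIPT" || echo "  $? check(s) failed"
```

Server cipher preference and the renegotiation finding are left out on purpose: neither is visible in a single handshake transcript, so they need a scanner that drives several handshakes rather than a parser of one.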

gene1wood commented 1 year ago

@shetakeyourmoneyleaveupoor I'm not sure I understand, it looks like you've copy pasted something into this issue. Can you explain what the issue is that you're reporting?

janbrasna commented 7 months ago

The OP is probably trying to point out that observatory.mozilla.org itself doesn't have very good grades in various testing tools other than observatory.mozilla.org itself (usually around B/B+, e.g. in ssllabs…).

From the pasted content, TL;DR: The tool used is just not right — the server:

So yeah, there are some old protocols and some weak ciphers, but they are basically only negotiated when absolutely positively needed; otherwise even old TLS protocols negotiate quite good cipher suites. So you can only argue that the missing "must staple" is the only issue. (I don't know enough about the EMS extension for FIPS mode, other than that it's a breaking change for those who can't talk TLSv1.3…)

So while I'm not arguing against showing all green A++ in all the tools, I'd say these legacy protocols are intentionally supported here, as there's no real security risk from just using the tool.