sibiantony / ssleuth

A firefox add-on to rate the quality of HTTPS connections
GNU General Public License v3.0
108 stars, 14 forks

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher suite inconsistent scoring #28

Open warp16 opened 9 years ago

warp16 commented 9 years ago

Excellent add-on. Found one problem: this one cipher suite is scored 9.0 on some sites (example: weakdh.org) and 10.0 on others (example: usaa.com). Is there a difference I'm not seeing?

[Two screenshots attached: 2015-05-27 17_06_25 and 2015-05-27 17_22_14]

warp16 commented 9 years ago

I think it might be because the first site doesn't have an EV cert, but shouldn't that affect only the primary site score and not the score of the individual cipher suites?

welwood08 commented 9 years ago

I've not been using this addon long, but as I understand it the scores shown in the images above relate to the bold domain's overall score and just happen to be positioned near to the cipher suite the domain uses.

warp16 commented 9 years ago

That would explain it. In that case, perhaps that score should be moved to the left of the domain name instead of the cipher suite, and a separate score added specifically to reflect the quality of the cipher suite in use.

sibiantony commented 9 years ago

@welwood08 is right. The scores are the overall ratings, and not just for the cipher suite. The ratings also include EV cert, Firefox connection status etc. (which is inherited from the top domain). You can find some details here: https://github.com/sibiantony/ssleuth/wiki/Domain-Requests In the future, I hope to remove the EV-cert rating/connection status rating from calculating this score.

warp16 commented 9 years ago

Thanks for the clarification.

bickelj commented 8 years ago

Since Firefox already gives great feedback on a bad connection or on an invalid certificate, I have found these settings to work great and provide the type of discrimination I'm looking for:

- Cipher suite: 1.0
- Forward secrecy: 1.0
- Extended validation: 0.0
- Connection status: 0.0
- Certificate state: 0.0
- Signature algorithm: 1.0

Also, leaving the Cipher suite scoring at defaults.

If you visit a site with no forward secrecy, you will notice. If you visit a site with non-sha2 certificate, you will notice.
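The two points made in this thread, that the number next to each request is a weighted overall rating rather than a cipher-suite rating (sibiantony's comment), and that zeroing the EV/connection/certificate weights makes the rating track only the TLS parameters (bickelj's settings), can be shown with a small scoring model. The code below is an added example and is not ssleuth's code; the weighted-average formula, the `ALL_ON` weight set standing in for the add-on's defaults, and the two site observations are all assumptions constructed for illustration. The component names are the six the thread lists, and the `BICKELJ` weights are the ones quoted above.

```javascript
// Added example: a hypothetical weighted rating model, NOT ssleuth's own formula.
// Each component is observed as a value in [0, 1]; the overall rating is the
// weight-normalised average scaled to 0..10 and rounded to one decimal.

const COMPONENTS = [
  "cipherSuite",        // quality of the negotiated suite, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  "forwardSecrecy",     // 1 when the key exchange is ephemeral (ECDHE/DHE)
  "extendedValidation", // 1 when the leaf certificate is EV
  "connectionStatus",   // Firefox's own connection verdict (inherited from the top domain)
  "certificateState",   // validity of the certificate chain
  "signatureAlgorithm", // 1 for a SHA-2 certificate signature, 0 for SHA-1
];

// Assumed stand-in for "all components count equally"; not the add-on's real defaults.
const ALL_ON = {
  cipherSuite: 1, forwardSecrecy: 1, extendedValidation: 1,
  connectionStatus: 1, certificateState: 1, signatureAlgorithm: 1,
};

// Weights quoted in bickelj's comment: only cipher suite, forward secrecy and
// signature algorithm contribute; EV, connection status and cert state are ignored.
const BICKELJ = {
  cipherSuite: 1, forwardSecrecy: 1, extendedValidation: 0,
  connectionStatus: 0, certificateState: 0, signatureAlgorithm: 1,
};

// Constructed observations: both sites negotiate the same strong ECDHE/AES-GCM
// suite with a SHA-2 cert; they differ only in whether the cert is EV.
const SITE_NO_EV = {
  cipherSuite: 1, forwardSecrecy: 1, extendedValidation: 0,
  connectionStatus: 1, certificateState: 1, signatureAlgorithm: 1,
};
const SITE_EV = { ...SITE_NO_EV, extendedValidation: 1 };

// Overall rating under a given weight set. Throws on out-of-range input or on a
// weight set that zeroes everything, rather than silently returning NaN.
function rateConnection(components, weights) {
  let total = 0;
  let weightSum = 0;
  for (const name of COMPONENTS) {
    const value = components[name];
    if (typeof value !== "number" || value < 0 || value > 1) {
      throw new RangeError(`component ${name} must be a number in [0, 1]`);
    }
    const weight = weights[name] ?? 0;
    total += weight * value;
    weightSum += weight;
  }
  if (weightSum === 0) throw new RangeError("all weights are zero; nothing to rate");
  return Math.round((total / weightSum) * 100) / 10;
}

// Names of the components on which two observations differ. This is the check
// the reporter wanted: if two sites share a cipher suite but get different
// overall ratings, the answer is whichever components come back here.
function explainDifference(a, b) {
  return COMPONENTS.filter((name) => a[name] !== b[name]);
}

// Stand-alone demonstration.
console.log("all-on, no EV :", rateConnection(SITE_NO_EV, ALL_ON));
console.log("all-on, EV    :", rateConnection(SITE_EV, ALL_ON));
console.log("bickelj, no EV:", rateConnection(SITE_NO_EV, BICKELJ));
console.log("bickelj, EV   :", rateConnection(SITE_EV, BICKELJ));
console.log("differs in    :", explainDifference(SITE_NO_EV, SITE_EV));
```

Under the all-on weights the two sites rate differently even though every TLS parameter is identical, which is the effect the reporter saw; under the quoted weights they rate the same, and `explainDifference` names the EV component as the sole cause. Any weight set that sums to zero is rejected rather than producing a meaningless `NaN` rating.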