Open selecadm opened 9 years ago
Also true for sites configured like this:
https://www.ssllabs.com/ssltest/analyze.html?d=certcenter.com https://dev.ssllabs.com/ssltest/analyze.html?d=certcenter.com&hideResults=on
Mixed prioritization of ECDHE and RSA, "IE 11 / Win Phone 8.1" is still the only "reference" client failing.
First of all, WP8.1 without Update 1 could probably be removed from the reference client list. The vast majority of phones are already updated to Update 1/Denim; even in the US the majority of phones have it now.
Second, you can fix the problem on your side by moving ECDHE-AES-128 suites to the top. There are no real security issues with ECDHE-AES-128 suites.
> First of all, WP8.1 without Update 1 could probably be removed from the reference client list.

Yes, this issue is a request for this. I would also request unreferencing iOS 6 or even deleting it from the simulation. Its market share is literally 1%, and its TLS stack is so insecure that nobody can provide adequate security to it.
> Second, you can fix the problem on your side by moving ECDHE-AES-128 suites to the top. There are no real security issues with ECDHE-AES-128 suites.

I have seen security consultants' and providers' sites with such a problem. I am fortunately smarter and don't force obsolete cryptography.
Of course, AES_128_GCM is the most secure cipher Firefox and Googlebot support, and all HTTPS sites MUST support it.
This is an unreference request for "IE 11 / Win Phone 8.1". Reference status prevents sites that support both RSA and ECDHE without prioritization from getting an A grade. Such sites provide even more secure connections than those that prioritize AES_256_CBC over AES_128_GCM and get an A+.
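
The effect of the fix suggested in the thread (moving the ECDHE-AES-128 suites to the top of the server's list) can be shown with a small simulation of suite selection. This is an added example, not code from the thread or from SSL Labs; the client and server suite lists are constructed, and `key_exchange`, `negotiate` and `prioritize` are hypothetical helpers.

```python
# Added illustration: which cipher suite a TLS server ends up selecting,
# depending on whose preference order is honoured. All suite lists are
# constructed for this example (OpenSSL-style names), not captured data.

def key_exchange(suite):
    """Classify an OpenSSL-style suite name by its key exchange."""
    if suite.startswith("ECDHE-"):
        return "ECDHE"
    if suite.startswith("DHE-"):
        return "DHE"
    return "RSA"  # e.g. AES128-SHA256 uses RSA key exchange

def negotiate(client_offer, server_suites, server_preference=True):
    """Pick the first mutually supported suite in the honoured order."""
    if server_preference:
        order, allowed = server_suites, set(client_offer)
    else:
        order, allowed = client_offer, set(server_suites)
    return next((s for s in order if s in allowed), None)  # None = no overlap

def prioritize(server_suites, preferred):
    """Move `preferred` suites to the top; keep the rest in their old order."""
    top = [s for s in preferred if s in server_suites]
    return top + [s for s in server_suites if s not in top]

# Hypothetical client that ranks RSA key exchange above ECDHE.
LEGACY_CLIENT = ["AES128-SHA256", "AES128-SHA", "AES256-SHA256",
                 "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA"]
# Hypothetical client that ranks ECDHE with AES-GCM first.
MODERN_CLIENT = ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
                 "AES128-GCM-SHA256"]
# Server list with ECDHE and RSA suites interleaved (mixed prioritization).
SERVER_MIXED = ["ECDHE-RSA-AES256-GCM-SHA384", "AES256-SHA256",
                "ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA256",
                "ECDHE-RSA-AES128-SHA256", "AES128-SHA"]
SERVER_FIXED = prioritize(SERVER_MIXED, ["ECDHE-RSA-AES128-GCM-SHA256",
                                         "ECDHE-RSA-AES128-SHA256"])

if __name__ == "__main__":
    for name, client in (("legacy", LEGACY_CLIENT), ("modern", MODERN_CLIENT)):
        for label, server in (("mixed", SERVER_MIXED), ("fixed", SERVER_FIXED)):
            suite = negotiate(client, server)
            print(f"{name:6} vs {label}: {suite} ({key_exchange(suite)})")
```

With the constructed lists, the legacy client lands on an RSA key exchange against the mixed list whether the server's or the client's order is honoured, and on ECDHE once the ECDHE-AES-128 suites lead the server's list.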