Open rmjansen opened 1 year ago
Duplicate: #910, #863, #853, #815, #786, #711. TL;DR: since FALLBACK can’t be tested, you can’t get A+. That’s silly, but the devs never acknowledged this.
> since FALLBACK can’t be tested, you can’t get A+. That’s silly, but the devs never acknowledged this.
It's especially silly since:
Scanning a site with TLS 1.3 as the minimum required version results in an A. Lowering the minimum required TLS version to 1.2 (with no other changes applied) results in an A+ for the same site. This suggests that the penalty for using outdated TLS versions and not supporting TLS 1.2 is also applied to sites that use TLS 1.3 but do not support TLS 1.2.