Hayton
Level 17

Qualys SSL Report on community.mcafee.com

Qualys SSL Labs - Projects / SSL Server Test / community.mcafee.com

I ran this check once before, in 2011, but there have been many changes to the Community since then (including a change of Certificate Authority) so it was probably overdue for a re-run. In any case the previous Report is buried in a part of this maze that even I can't get into, so it's time to publish a new benchmark anyway.

The Report gives this site a good, but not perfect, rating (that's an A-). One of the areas where points are lost is from use of the RC4 cipher with TLS; this is because RC4 is a fall-back cipher on account of problems found with other ciphers used in TLS.

https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what

One thing to watch is that the site certificate is using SHA1 (a hashing function), which Google and Microsoft will refuse to accept starting some time in 2016. Still, plenty of time to sort that out, I hope. Otherwise, we're pretty secure from everyone except the NSA, and if they want to know what's going on here they can sign up for a user account just like everyone else.

https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know

http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html

One oddity from the report is that the site fails the test for XP and IE6. I know this OS/browser combination is outdated, superseded, unsupported and all that, but I believe there are still some (or even many) users who are stuck with those two dinosaurs. Since IE8 only goes up to TLS 1.0, and this site does not support SSL 2.0 or 3.0, I suspect that means anyone trying to connect to the site from XP/IE6 is going to have problems.

On the plus side, this site does not support SSL at all, only TLS 1.0 and 1.2 - which means that the so-called POODLE attack can't happen here. Nor the BEAST attack either, come to that.

For anyone interested in security this sort of report is a mine of information. I've seen a few other supposedly secure websites with a much lower rating than the McAfee Community gets, and this site isn't involved in taking orders or selling anything.

For everyone else, there's probably a football match about to start somewhere on cable ....
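
The SHA1 certificate point raised in the post above can be checked without a full scanner. The following is an added example, not part of the original post and not Qualys or McAfee code: it reads the outer signatureAlgorithm OID from a DER certificate using only the Python standard library. The function names are hypothetical, and the two sample byte strings are constructed DER skeletons, not real certificates.

```python
import ssl

# Certificate signature-algorithm OIDs (RFC 3279 and RFC 4055).
SIG_ALGS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content bytes to dotted form (first byte packs two arcs)."""
    arcs, val = [min(body[0] // 40, 2)], 0
    arcs.append(body[0] - 40 * arcs[0])
    for b in body[1:]:  # remaining arcs are base-128, high bit means "more"
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def cert_signature_algorithm(der):
    """Return (name_or_oid, is_weak) for a DER certificate's signature."""
    tag, start, _ = read_tlv(der, 0)                # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)            # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)        # signatureAlgorithm
    oid_tag, o_start, o_end = read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate structure")
    oid = decode_oid(der[o_start:o_end])
    name = SIG_ALGS.get(oid, oid)
    return name, name in WEAK

def check_host(host, port=443):
    """Live check (needs network): fetch the leaf certificate and classify it."""
    pem = ssl.get_server_certificate((host, port))
    return cert_signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))

# Constructed skeletons: SEQUENCE { tbs stub, AlgorithmIdentifier, BIT STRING }.
SHA1_SAMPLE = bytes.fromhex("30183003020102" "300d06092a864886f70d0101050500" "03020000")
SHA256_SAMPLE = bytes.fromhex("30183003020102" "300d06092a864886f70d01010b0500" "03020000")
```

Calling `check_host` with a hostname runs the same check against a live server; it looks only at the leaf certificate, not at the intermediates in the chain.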

3 Replies
catdaddy
Level 20

Re: Qualys SSL Report on community.mcafee.com

Very informative information.....Thanks

As for Football Games, this time of the morning would be Re-Aired

Have you read the latest on Cisco/Web Ex online meetings?

Who’s Watching Your WebEx? — Krebs on Security

Cliff
McAfee Volunteer
0 Kudos
Hayton
Level 17

Re: Qualys SSL Report on community.mcafee.com


catdaddy wrote:

Have you read the latest on Cisco/Web Ex online meetings?

Who’s Watching Your WebEx? — Krebs on Security

I saw the article and checked the settings on McAfee WebEx. As far as I could see there are two lesser vulnerabilities in the way the calls are set up but the McAfee section isn't making any confidential information visible to outsiders. I sent an email to some of the others to alert them but it's not a major issue.

0 Kudos
catdaddy
Level 20

Re: Qualys SSL Report on community.mcafee.com

Thanks Hayton...That is good to know.

Cliff
McAfee Volunteer
0 Kudos