3 Replies Latest reply on Oct 20, 2014 8:29 PM by catdaddy

    Qualys SSL Report on community.mcafee.com

    Hayton

      Qualys SSL Labs - Projects / SSL Server Test / community.mcafee.com


      I ran this check once before, in 2011, but there have been many changes to the Community since then (including a change of Certificate Authority) so it was probably overdue for a re-run. In any case the previous Report is buried in a part of this maze that even I can't get into, so it's time to publish a new benchmark anyway.


      The Report gives this site a good, but not perfect, rating (that's an A-). One of the areas where points are lost is from use of the RC4 cipher with TLS; this is because RC4 is a fall-back cipher on account of problems found with other ciphers used in TLS.

      https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what


      One thing to watch is that the site certificate is using SHA1 (a hashing function), which Google and Microsoft will refuse to accept starting some time in 2016. Still, plenty of time to sort that out, I hope. Otherwise, we're pretty secure from everyone except the NSA, and if they want to know what's going on here they can sign up for a user account just like everyone else.

      https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know

      http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

      http://googleonlinesecurity.blogspot.co.uk/2014/09/gradually-sunsetting-sha-1.html


      One oddity from the report is that the site fails the test for XP and IE6. I know this OS/browser combination is outdated, superseded, unsupported and all that, but I believe there are still some (or even many) users who are stuck with those two dinosaurs. Since IE8 only goes up to TLS 1.0, and this site does not support SSL 2.0 or 3.0, I suspect that means anyone trying to connect to the site from XP/IE6 is going to have problems.


      On the plus side, this site does not support SSL at all, only TLS 1.0 and 1.2 - which means that the so-called POODLE attack can't happen here. Nor the BEAST attack either, come to that.


      For anyone interested in security this sort of report is a mine of information. I've seen a few other supposedly secure websites with a much lower rating than the McAfee Community gets, and this site isn't involved in taking orders or selling anything.


      For everyone else, there's probably a football match about to start somewhere on cable ....
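The findings Hayton's report walks through (legacy SSL and POODLE, RC4, TLS 1.0 with CBC suites and BEAST, a SHA-1 signed certificate, and whether an old XP-era client can still complete a handshake) can be triaged offline from a scan result. This is an added example, not code from the post or from Qualys; the `ScanResult` shape, the cipher-suite names and the legacy-client profile are constructed assumptions, not SSL Labs data.

```python
# Offline triage of a TLS scan result along the lines the SSL Labs report raises:
# legacy SSL (POODLE), RC4, TLS 1.0 + CBC (BEAST), SHA-1 certificate signatures,
# and whether an old client could still complete a handshake.
from dataclasses import dataclass

@dataclass
class ScanResult:
    protocols: set        # protocol versions accepted, e.g. {"TLSv1.0", "TLSv1.2"}
    ciphers: list         # cipher suites offered, OpenSSL-style names
    cert_sig_alg: str     # certificate signature algorithm, e.g. "sha1WithRSAEncryption"

# Assumed legacy-client profile standing in for the XP/IE6 case in the post:
# SSLv3 only, RC4 or 3DES suites. Constructed model, not measured data.
LEGACY_CLIENT = ScanResult({"SSLv3"}, ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"], "")

def is_cbc(suite: str) -> bool:
    """CBC-mode suite under OpenSSL naming: anything not RC4, GCM, CCM or ChaCha20."""
    return not any(tag in suite for tag in ("RC4", "GCM", "CCM", "CHACHA20"))

def assess(result: ScanResult) -> dict:
    """Return finding code -> explanation for the issues the report calls out."""
    findings = {}
    if result.protocols & {"SSLv2", "SSLv3"}:
        findings["POODLE"] = "SSLv2/v3 accepted: obsolete protocol, POODLE exposure on SSLv3"
    if any("RC4" in c for c in result.ciphers):
        findings["RC4"] = "RC4 suites offered: biased keystream, grade capped"
    if "TLSv1.0" in result.protocols and any(is_cbc(c) for c in result.ciphers):
        findings["BEAST"] = "TLS 1.0 with CBC suites: BEAST-class exposure"
    if result.cert_sig_alg.lower().startswith("sha1"):
        findings["SHA1_CERT"] = "certificate signed with SHA-1: browsers sunset it from 2016"
    return findings

def can_handshake(server: ScanResult, client: ScanResult) -> bool:
    """A handshake needs one shared protocol version and one shared cipher suite."""
    return bool(server.protocols & client.protocols) and \
        bool(set(server.ciphers) & set(client.ciphers))

# Constructed sample modelled on the post: TLS 1.0 and 1.2 only, RC4 still offered,
# SHA-1 signed certificate.
SAMPLE = ScanResult({"TLSv1.0", "TLSv1.2"},
                    ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"],
                    "sha1WithRSAEncryption")

if __name__ == "__main__":
    for code, msg in assess(SAMPLE).items():
        print(f"{code}: {msg}")
    print("legacy client can handshake:", can_handshake(SAMPLE, LEGACY_CLIENT))
```

On the constructed sample this reports RC4, BEAST and SHA1_CERT but not POODLE, and the SSLv3-only legacy client cannot handshake, matching the report's A- with the XP/IE6 failure.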