https://community.qualys.com/blogs/securitylabs/2015/05/22/ssl-labs-increased-penalty-when-tls-12-is-not-supported

Earlier this week we released SSL Labs 1.17.10, whose main purpose was to increase the penalty when RC4 is used with modern protocols (i.e., TLS 1.1 and TLS 1.2). We had announced this change some time ago, and then put in place on May 20. The same release introduced another change, which was to increase the penalty for servers that don't support TLS 1.2 from B to C. And it seems that this second change is being somewhat controversial, with many asking us to better explain why we did that.

Although what initially prompted us to think about changing the grading for not supporting TLS 1.2 was grade harmonisation (ensuring that a wide range of servers all get grades that make sense -- in other words, to have better-configured servers have better grades), that doesn't change the fact that the reality is that TLS 1.0 is an obsolete security protocol. TLS 1.0 came out in 1999, followed by TLS 1.1 in 2003 and TLS 1.2 in 2008. These new protocol versions were released for a reason -- to address security issues with earlier protocol versions. But, despite being obsolete, TLS 1.0 continues to be the best supported protocol version on many servers. It's not very bad, mind you -- we know from SSL Pulse that about 60% of servers already support TLS 1.2. Client-side, the situation is probably better, because modern browsers have supported TLS 1.2 since 2013. You could say that, overall server configuration is the weaker link.

In that light, we feel that the increase of the penalty for the lack of TLS 1.2 is the natural next step in the deprecation of TLS 1.0. In fact, SSL Labs is probably late in doing that. Just last month, the PCI Security Council deprecated SSL v3 and TLS 1.0 for commercial transactions. No new systems are allowed to use TLS 1.0 for credit card processing and existing systems must immediately begin to transition to better protocols. In comparison, the SSL Labs change of grading is only a mild nudge in the right direction. And, while some people are not happy that we're pushing for TLS 1.2, others are complaining that we're not doing enough. For example, the Chrome browser has been warning about lack of TLS 1.2 and authenticated (GCM) suites for some time now. Clearly, it's difficult to make everyone happy.

The bottom line is that TLS 1.0 is insecure and we must migrate away from it. In 2011, there came the BEAST attack, and, in 2013, the Lucky 13 attack. TLS 1.0 remains vulnerable to this problems, but TLS 1.2 (with authenticated suites) isn't. These attacks are serious and some organisations continue to use RC4 in combination with TLS 1.0 just to be sure that they are mitigated. We understand that many organisations face significant challenges adding support TLS 1.2, but that is unavoidable. In computer technology, and in security in particular, it is often necessary to keep running just to stay in place.

We did get one thing wrong, however -- we didn't communicate our grading changes in advance. It was not our intention to surprise anyone. In fact, we'd prefer much more if changes were smoother. To that end, in the future we'll be announcing all grading changes with at least one month notice, and hopefully more for some more significant changes.

SSL Labs: Increased Penalty When TLS 1.2 Is Not Supported的更多相关文章

  1. 在 Qualys SSL Labs SSL 测试中获得 A+ 评级的秘技 2021 版

    本系列文章将阐述主流应用交付控制器和主流 Web 服务器如何运行 HTTP/2 和 TLSv1.3 协议,以及如何在 SSL Test 中获得 A+ 评级. 请访问原文链接:https://sysin ...

  2. 全球知名的HTTPS网站检测工具-Qualys SSL Labs

    推荐一个在线版全球知名的HTTPS网站检测工具-Qualys SSL Labs.Qualys SSL Labs同时也是很具有影响力的SSL安全和性能研究机构. SSL Labs会对HTTPS网站的证书 ...

  3. Help for enable SSL 3.0 and disable TLS 1.0..

    https://support.mozilla.org/en-US/questions/967266 i cant find tab Encryption for enable SSL 3.0 and ...

  4. 记录启用HTTPS的全过程

    因为 https 采用 ssl 加密,所以部署 https 时需要申请证书,证书的作用就是对浏览器和Web服务器双方的身份验证. 步骤1:申请证书 我们采用Let's Encrypt签发的免费证书,虽 ...

  5. SSL/TLS 握手优化详解

    随着 HTTP/2 的逐渐普及,以及国内网络环境越来越糟糕(运营商劫持和篡改),HTTPS 已经开始成为主流.HTTPS 在 TCP 和 HTTP 之间增加了 TLS(Transport Layer ...

  6. SSL/TLS原理详解2

    引用原文地址:https://segmentfault.com/a/1190000004985253#articleHeader6 在进行 HTTP 通信时,信息可能会监听.服务器或客户端身份伪装等安 ...

  7. SSL/TLS 加密新纪元 - Let's Encrypt

    转自: https://linux.cn/article-6565-1.html SSL/TLS 加密新纪元 - Let's Encrypt 根据 Let's Encrypt 官方博客消息,Let's ...

  8. SSL/TLS 高强度加密: 常见问题解答

    关于这个模块 mod_ssl 简史 mod_ssl会受到Wassenaar Arrangement(瓦森纳协议)的影响吗? mod_ssl 简史 mod_ssl v1 最早在1998年4月由Ralf ...

  9. SSL、TLS协议格式、HTTPS通信过程、RDP SSL通信过程

    相关学习资料 http://www.360doc.com/content/10/0602/08/1466362_30787868.shtml http://www.gxu.edu.cn/college ...

随机推荐

  1. php 中 ?? 和 empty 的 区别

    left??right  操作符...当 left 为空时 返回 right ..注意 和 empty 相比 ,空字符,0,'0' 都会返回它本身,而不是 右边的..也就是 当且仅当 没有设置变量或者 ...

  2. C++_对象之间的关系与继承

    派生类和基类之间的特殊关系是基于C++继承的底层模型的. 实际上,C++有3种继承方式:公有继承.保护继承.私有继承. 公有继承是最常见的关系,它建立一种is-a的关系,即派生类对象也是一种基类,可以 ...

  3. Luogu P1503 鬼子进村 set

    还是拿set搞... 用set记录每个被摧毁的位置,Q的时候二分一下,在和上一个摧毁的位置减一下,即可求出能到的房子数 #include<iostream> #include<cst ...

  4. P5019 铺设道路 (NOIP2018)

    传送门 NOIP2013原题 貌似官方数据都是一模一样的 以前写过竟然毫无印象? 考场上自己瞎JB推结论 显然,如果连续的两端区间可以左边区间减 k 次,右边区间也减 k 次 那么把两个区间合并起来一 ...

  5. 利用Content-disposition实现无刷新下载图片文件

    今天在使用 tinypng.com 这个在线压缩图片的网站时,对其处理完图片后,可以无刷新下载图片感到好奇,于是了解了一下相关实现.无刷新下载可以利用MIME type或者设置Content-disp ...

  6. Spring配置问题:The prefix "util" for element "util:map" is not bound.

    在spring的头部文件中没有引入: xmlns:util=”http://www.springframework.org/schema/util” 原文:https://blog.csdn.net/ ...

  7. pgadmin-linux-centos7.3-连接pgsql

    每次远程连接linux-centos上面的pgsql的时候,需要修改ip,命令如下: -->cd /var/lib/pgsql/data -->vi pg_hba.conf 添加ip如下, ...

  8. 数据结构---Java---HashSet

    1.概述 1.1 HashSet不是线程安全的: 1.2 当向HashSet存入元素时,调用该对象的hashCode()值,根据hashCode()值来决定元素的存储位置: 如果hashCode()值 ...

  9. notepad++查看Log

    安装步骤:打开notepad++,插件→ Plugin Manager→ Show Plugin Manager→ Avaliable→ 等待插件列表刷新出来后,选中Android Logger插件→ ...

  10. RTT学习之线程

    一 线程的创建和删除:rt_thread_create()创建的句柄,对应的删除rt_thread_delete(),注意线程的删除只是将线程的状态该为close,进入空闲任务才删除.rt_threa ...