SSL Labs: Increased Penalty When TLS 1.2 Is Not Supported
https://community.qualys.com/blogs/securitylabs/2015/05/22/ssl-labs-increased-penalty-when-tls-12-is-not-supported
Earlier this week we released SSL Labs 1.17.10, whose main purpose was to increase the penalty when RC4 is used with modern protocols (i.e., TLS 1.1 and TLS 1.2). We had announced that change some time ago and put it in place on May 20. The same release introduced another change: servers that don't support TLS 1.2 now have their grade capped at C instead of B. This second change has proved somewhat controversial, with many asking us to explain better why we did it.
What first prompted us to reconsider the grading for servers without TLS 1.2 was grade harmonisation: making sure that a wide range of servers get grades that make sense, so that better-configured servers get better grades. That does not change the underlying fact that TLS 1.0 is an obsolete security protocol. TLS 1.0 came out in 1999, followed by TLS 1.1 in 2006 and TLS 1.2 in 2008. These newer versions were released for a reason: to address security issues in the earlier ones. Yet, despite being obsolete, TLS 1.0 remains the best-supported protocol version on many servers. The situation is not dire, mind you; we know from SSL Pulse that about 60% of servers already support TLS 1.2. Client-side, the picture is probably better, because modern browsers have supported TLS 1.2 since 2013. Overall, you could say that server configuration is the weaker link.
In that light, we feel that increasing the penalty for the lack of TLS 1.2 is the natural next step in the deprecation of TLS 1.0. In fact, SSL Labs is probably late in doing so. Just last month, the PCI Security Standards Council deprecated SSL 3 and TLS 1.0 for commercial transactions: new systems may no longer use TLS 1.0 for credit card processing, and existing systems must begin transitioning to better protocols right away. By comparison, the SSL Labs grading change is only a mild nudge in the right direction. And while some people are unhappy that we are pushing for TLS 1.2, others complain that we are not doing enough. For example, the Chrome browser has for some time been flagging connections that lack TLS 1.2 or authenticated-encryption (GCM) suites as obsolete cryptography. Clearly, it is difficult to make everyone happy.
The bottom line is that TLS 1.0 is insecure and we must migrate away from it. In 2011 came the BEAST attack, and in 2013 the Lucky 13 attack. TLS 1.0 remains vulnerable to both, while TLS 1.2 with authenticated (AEAD) suites such as AES-GCM is not: the explicit per-record IVs introduced in TLS 1.1 close BEAST, and AEAD suites have no CBC padding for Lucky 13 to exploit. These attacks are serious, and some organisations continue to use RC4 in combination with TLS 1.0 just to be sure they are mitigated, trading two CBC attacks for RC4's own well-documented weaknesses. We understand that many organisations face significant challenges in adding support for TLS 1.2, but the work is unavoidable. In computer technology, and in security in particular, it is often necessary to keep running just to stay in place.
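As an added example (not code from the SSL Labs post or from Qualys), the following Go program performs the protocol-version check that underlies the grading rule discussed above: it attempts one handshake per TLS version, each pinned to exactly that version, reports which versions the server accepts, and applies the two findings from the post (no TLS 1.2 caps the grade at C; TLS 1.0 still being accepted means an obsolete protocol to retire). It also probes TLS 1.3, which did not exist when the post was written. So that it runs offline, the program constructs its own target: an in-process server with a throw-away self-signed certificate generated in memory, limited to TLS 1.0 and 1.1 to stand in for the kind of server the post describes. The function names, the fixture, and the empty-string convention for "no cap from this check" are this example's assumptions, not SSL Labs behaviour. Certificate verification is deliberately disabled in the probe because only protocol support is being examined.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// versions are probed oldest first; TLS 1.3 is included although it postdates the post.
var versions = []struct {
	name string
	id   uint16
}{
	{"TLS 1.0", tls.VersionTLS10}, {"TLS 1.1", tls.VersionTLS11},
	{"TLS 1.2", tls.VersionTLS12}, {"TLS 1.3", tls.VersionTLS13},
}

// Probe attempts one handshake per version, pinned to exactly that version,
// and records whether the server completes it. Verification is disabled on
// purpose: this examines protocol support only, not the certificate.
func Probe(addr string) map[string]bool {
	support := make(map[string]bool, len(versions))
	for _, v := range versions {
		cfg := &tls.Config{MinVersion: v.id, MaxVersion: v.id, InsecureSkipVerify: true}
		conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
		if err != nil {
			support[v.name] = false // protocol_version alert or reset: version refused
			continue
		}
		support[v.name] = conn.ConnectionState().Version == v.id
		conn.Close()
	}
	return support
}

// ProtocolCap applies the post's rules: no TLS 1.2 caps the grade at C, and
// TLS 1.0 still being accepted is flagged as obsolete. An empty cap means this
// check alone imposes none (other SSL Labs checks, e.g. RC4, still apply).
func ProtocolCap(support map[string]bool) (capLetter string, notes []string) {
	if !support["TLS 1.2"] {
		capLetter = "C"
		notes = append(notes, "TLS 1.2 not supported: grade capped at C")
	}
	if support["TLS 1.0"] {
		notes = append(notes, "TLS 1.0 accepted: obsolete; CBC suites exposed to BEAST and Lucky 13")
	}
	return capLetter, notes
}

// ListenTLS is a constructed fixture, not a real deployment: an in-process
// server limited to the [lo, hi] version range, using a throw-away
// self-signed ECDSA certificate generated in memory. It returns host:port.
func ListenTLS(lo, hi uint16) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "probe-fixture"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	cfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}},
		MinVersion:   lo, MaxVersion: hi,
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }() // complete or refuse, then drop
		}
	}()
	return ln.Addr().String(), nil
}

func main() {
	// Stand-in for the servers the post describes: TLS 1.0 and 1.1 only.
	addr, err := ListenTLS(tls.VersionTLS10, tls.VersionTLS11)
	if err != nil {
		panic(err)
	}
	support := Probe(addr)
	for _, v := range versions {
		fmt.Printf("%-7s supported=%v\n", v.name, support[v.name])
	}
	capLetter, notes := ProtocolCap(support)
	fmt.Printf("cap=%q notes=%v\n", capLetter, notes)
}
```

To check a real server, replace the fixture address with `Probe("your.host:443")`; the rest of the program is unchanged. Because each connection is pinned to a single version, a refusal is unambiguous (the server cannot silently negotiate down), which is why the result map, rather than a single negotiated version, is what the grading rule consumes.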
We did get one thing wrong, however: we did not communicate our grading changes in advance. It was not our intention to surprise anyone; we would much prefer that changes be smoother. To that end, in future we will announce all grading changes with at least one month's notice, and hopefully more for the more significant ones.