For those interested, I contacted Troy Hunt, who had this to say: *"An F grade is unacceptably bad, definitely something he needs to get sorted. Hold the web developer / company accountable for that."*

He also sent a link to an article of his which is quite interesting: http://www.troyhunt.com/2015/05/do-you-really-want-bank-grade-security.html

Cheers

On Mon, Nov 2, 2015 at 2:24 PM, Tom Rutter <[email protected]> wrote:

> Folks
>
> I noticed a mate's shopping site over the weekend returning the following
> in the connection info for the certificate:
>
> *Your connection to www.somesite.com <http://www.somesite.com> is encrypted
> using an obsolete cipher suite.*
>
> Did some googling, didn't understand much of it but landed on ssllabs.com
> which runs a test on the site. It gave the site an F rating with the
> following info:
>
> - This server supports anonymous (insecure) suites (see below for
>   details). Grade set to F.
> - This server supports weak Diffie-Hellman (DH) key exchange parameters.
>   Grade capped to B.
> - This server accepts the RC4 cipher, which is weak. Grade capped to B.
> - This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade
>   attacks.
>
> Should my mate be concerned? The people who created and run his site I
> assume don't know or do know and aren't concerned. Anybody here used
> ssllabs before or an alternative and how much should you care about the
> rating? Even the Microsoft store only gets a B with various warnings about
> inconsistent server configurations.
>
> Cheers
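The three findings quoted in the thread (anonymous suites, weak DH parameters, RC4) are each something a site operator can check against their own server's cipher list. The following is an added example, not part of the thread or of SSL Labs' code: it applies the grading rules quoted above to a constructed list of cipher suites in OpenSSL naming, and shows a hardened Python `SSLContext` passing the same audit. The 2048-bit DH threshold and the sample cipher list are assumptions for illustration.

```python
import ssl

# Constructed sample: the cipher suites a scanner might report a server as
# accepting, in OpenSSL naming (as printed by `openssl ciphers -v`).
SAMPLE_SERVER_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",  # fine: ephemeral ECDH, authenticated, AEAD
    "DHE-RSA-AES256-SHA",           # fine in itself, but depends on DH group size
    "RC4-SHA",                      # weak stream cipher
    "ADH-AES128-SHA",               # anonymous DH: no server authentication
    "AECDH-AES256-SHA",             # anonymous ECDH: no server authentication
]
SAMPLE_DH_BITS = 1024   # constructed: the finite-field DH group the server offers

MIN_DH_BITS = 2048      # assumption: anything smaller is treated as "weak DH"


def is_anonymous(name):
    """Anonymous key exchange: OpenSSL 'ADH-'/'AECDH-' or IANA '_anon_' names."""
    u = name.upper()
    return u.startswith(("ADH-", "AECDH-")) or "_ANON_" in u


def uses_rc4(name):
    return "RC4" in name.upper()


def uses_ffdh(name):
    """True if the suite does finite-field Diffie-Hellman (DHE/DH/ADH), i.e.
    the one family whose security depends on the server's DH parameter size.
    ECDHE suites are excluded: they do not use the server's DH group."""
    u = name.upper()
    if "ECDH" in u:
        return False
    return any(tok in u for tok in ("DHE-", "DH-", "_DHE_", "_DH_", "_ANON_"))


def audit(ciphers, dh_bits=None):
    """Apply the rules quoted in the thread to a cipher list.

    Returns (findings, cap): findings is a list of (label, evidence) pairs,
    cap is the grade the findings allow ('F' for anonymous suites, 'B' for
    RC4 or weak DH, None when none of the three problems is present).
    dh_bits is the server's DH group size, or None if unknown/not applicable.
    """
    findings = []
    anon = sorted(c for c in ciphers if is_anonymous(c))
    rc4 = sorted(c for c in ciphers if uses_rc4(c))
    if anon:
        findings.append(("anonymous suites", anon))
    if rc4:
        findings.append(("RC4", rc4))
    if any(uses_ffdh(c) for c in ciphers) and dh_bits is not None and dh_bits < MIN_DH_BITS:
        findings.append(("weak DH parameters", ["%d-bit group" % dh_bits]))

    labels = {label for label, _ in findings}
    if "anonymous suites" in labels:
        cap = "F"
    elif labels:
        cap = "B"
    else:
        cap = None
    return findings, cap


def hardened_server_context():
    """Assumed hardened server-side configuration (not from the thread):
    TLS 1.2 or newer, ephemeral key exchange only, AEAD ciphers, and an
    explicit exclusion of anonymous (aNULL), null-encryption and RC4 suites."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!RC4:!MD5")
    return ctx


def context_cipher_names(ctx):
    """Cipher suite names the context would offer, for feeding into audit()."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for label, evidence in audit(SAMPLE_SERVER_CIPHERS, SAMPLE_DH_BITS)[0]:
        print("%-22s %s" % (label + ":", ", ".join(evidence)))
    print("grade cap (sample):   ", audit(SAMPLE_SERVER_CIPHERS, SAMPLE_DH_BITS)[1])
    print("grade cap (hardened): ", audit(context_cipher_names(hardened_server_context()))[1])
```

The audit deliberately treats the DH group size as irrelevant when no finite-field DH suite is offered, which is why ECDHE-only configurations are not penalised for a small `dh_bits` value; the hardened context loads no DH parameters at all, so its DH size is passed as unknown.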
