Further to my original email, it turns out my mate's site has been compromised twice in the last few months. They didn't take the ssllabs test seriously either, from what I've heard, and the score remains. I guess I will be testing every site I shop from now on.
Cheers

On Mon, Nov 2, 2015 at 2:24 PM, Tom Rutter <[email protected]> wrote:
> Folks
>
> I noticed a mate's shopping site over the weekend returning the following
> in the connection info for the certificate:
>
> *Your connection to www.somesite.com <http://www.somesite.com> is encrypted
> using an obsolete cipher suite.*
>
> Did some googling, didn't understand much of it but landed on ssllabs.com
> which runs a test on the site. It gave the site an F rating with the
> following info:
>
> - This server supports anonymous (insecure) suites (see below for
> details). Grade set to F.
> - This server supports weak Diffie-Hellman (DH) key exchange parameters.
> Grade capped to B.
> - This server accepts the RC4 cipher, which is weak. Grade capped to B.
> - This server supports TLS_FALLBACK_SCSV to prevent protocol downgrade
> attacks.
>
> Should my mate be concerned? The people who created and run his site I
> assume don't know or do know and aren't concerned. Anybody here used
> ssllabs before or an alternative and how much should you care about the
> rating? Even the Microsoft store only gets a B with various warnings about
> inconsistent server configurations.
>
> Cheers
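To make the three findings in the quoted report concrete, here is an added example (not from the thread, not SSL Labs code, and not the site's real configuration) that scores a constructed cipher-suite list the way the report describes: an anonymous suite sets the grade to F, weak DH parameters and RC4 each cap it at B, and removing the offending suites plus regenerating the DH group clears the findings. The suite names, the 2048-bit DH threshold and the `harden()` helper are assumptions for illustration.

```python
"""Audit a TLS cipher-suite list against the three SSL Labs findings quoted
in the thread (anonymous suites, weak DH parameters, RC4).

Added example for this thread, not SSL Labs code and not the site's real
configuration. The grade caps mirror only the report text quoted above;
the 2048-bit DH threshold and the sample suite names are assumptions.
"""
from dataclasses import dataclass

# Grades from best to worst; a finding can only push the grade rightwards.
GRADES = "ABCDEF"

# Constructed sample: suite names in IANA and OpenSSL styles, as they might
# be copied from `openssl ciphers -v` output or a server config.
SAMPLE_WEAK_SUITES = [
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",       # anonymous DH: no server authentication
    "AECDH-AES256-SHA",                       # anonymous ECDH, OpenSSL-style name
    "TLS_RSA_WITH_RC4_128_SHA",               # RC4 stream cipher
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",       # fine, provided the DH group is large enough
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # fine
]


@dataclass(frozen=True)
class Finding:
    message: str
    grade_cap: str  # worst grade the server can receive while this holds


def is_anonymous(suite: str) -> bool:
    """Anonymous key exchange: the server never proves its identity, so the
    'encryption' offers no protection against an on-path party. IANA names
    contain 'anon'; OpenSSL names start with ADH- or AECDH-."""
    s = suite.upper()
    return "_ANON_" in s or s.startswith(("ADH-", "AECDH-"))


def uses_rc4(suite: str) -> bool:
    """RC4 has known keystream biases; browsers and SSL Labs treat it as weak."""
    return "RC4" in suite.upper()


def audit(suites, dh_bits=None):
    """Return findings in the order the quoted SSL Labs report listed them.
    dh_bits is the server's DH group size; None when no DHE suite is offered."""
    findings = []
    if any(is_anonymous(s) for s in suites):
        findings.append(Finding("supports anonymous (insecure) suites", "F"))
    # Assumed threshold: DH groups under 2048 bits are treated as weak.
    if dh_bits is not None and dh_bits < 2048:
        findings.append(Finding("weak Diffie-Hellman key exchange parameters", "B"))
    if any(uses_rc4(s) for s in suites):
        findings.append(Finding("accepts the RC4 cipher, which is weak", "B"))
    return findings


def effective_grade(findings, base="A"):
    """The grade is the worst cap among the findings, or the base grade."""
    worst = base
    for f in findings:
        if GRADES.index(f.grade_cap) > GRADES.index(worst):
            worst = f.grade_cap
    return worst


def harden(suites):
    """Drop the suites that produced findings. The DH size is fixed separately
    by regenerating the group (for example `openssl dhparam 2048`)."""
    return [s for s in suites if not (is_anonymous(s) or uses_rc4(s))]


if __name__ == "__main__":
    before = audit(SAMPLE_WEAK_SUITES, dh_bits=1024)
    print("before:", effective_grade(before), [f.message for f in before])
    after = audit(harden(SAMPLE_WEAK_SUITES), dh_bits=2048)
    print("after: ", effective_grade(after), [f.message for f in after])
```

The point the script makes is the one behind the F: an anonymous suite is not "weak encryption", it is encryption to an unverified peer, which is why SSL Labs sets the grade outright rather than capping it. Weak DH and RC4 are real but lesser issues, so they cap at B; fixing only those two would still leave the F.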
