Entrust Datacard supports SSL Server Testing as part of our best practices approach to certificate management. This free, web-based service tests server configurations for security and is powered by Qualys SSL Labs.
As we move forward, the security ecosystem continually changes with new threats and vulnerabilities. The servers and browsers have increased coverage for the latest best practices in deploying HTTPS. To keep pace with the changing ecosystem, Qualys SSL Labs will change the server test scores to promote a higher level of security and help mitigate threats.
Starting March 1, 2018 the server test scores will change for the use of forward secrecy, authenticated encryption and the ROBOT vulnerability.
- Forward secrecy also known as perfect forward secrecy: SSL Server Test will cap the grade at B if forward secrecy is not supported. There will be no penalty if the server uses cipher suites without forward secrecy provided they are never negotiated with clients that can do better. This means you must ensure your cipher suites are set in order where TLS_ECDHE suites are preferred the highest.
- AEAD suites: SSL Server Test will require AEAD suites to get a grade A. If AEAD suites are not supported, the grade will be capped at B. AEAD suites provide strong authentication, key exchange, forward secrecy, and at least 128 bit encryption. GCM is an authenticated encryption mode, so look for a cipher such as TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
- ROBOT vulnerability: SSL Server Test will provide a grade F if the server is affected by the ROBOT vulnerability. The ROBOT attack fully breaks the confidentiality of SSL/TLS when used with RSA encryption. It enables an attacker to perform RSA decryption and signing operations with the private key of an SSL/TLS server. As a result, an attacker could record SSL/TLS traffic and decrypt it at a later time. ROBOT can be mitigated by applying a patch from your server vendor. Alternatively, TLS_RSA cipher suites could be disabled.
- Symantec Certificates: If the server uses a Symantec certificate issued before June 2016, the grade will be T. The T grade means the site certificate is not trusted.
In many cases, the server grade is based on the cipher suites selected and how they are ordered. Mozilla has a great site to show recommended cipher suites based on the client that the site needs to support.
Please take time to test your server on a regular basis to ensure your site is secure and your users are protected.