5/17/2021
SSL Lab Using Qualys 2
Vulnerabilities Identified
[Figure: bar chart "Vulnerabilities Identified". Categories: TLS Vulnerabilities, Cipher Vulnerabilities, SSL Acceptance, Export suite vulnerabilities. Vertical axis: Vulnerabilities (0 to 4.5).]
Of the four websites scanned with Qualys SSL Labs, three received a B rating because the
server still supports TLS 1.0 and TLS 1.1 (SSL Labs caps the grade at B when either protocol is
enabled). The fourth website received an F rating, due to the extreme lack of security and
protocol support on the server.
For the three servers that had a B rating, mitigating these vulnerabilities is fairly straightforward.
The servers should be reconfigured to use TLS 1.2 and TLS 1.3 as the primary protocols; both are
secure, and TLS 1.2 has no known protocol-level weaknesses when paired with modern cipher
suites. However, some servers may need to keep TLS 1.0 and TLS 1.1 enabled, at least for now, to
support older clients, with the understanding that both were formally deprecated by RFC 8996 in
March 2021 and that the grade will stay capped at B until they are removed. Additionally, these
servers should consider publishing a DNS CAA (Certification Authority Authorization) record to
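The CAA record set a B-rated server would publish, written here as an added example (it is not part of the original lab report, and the zone name, CA and mailbox are hypothetical placeholders). A CAA record tells certificate authorities which of them may issue for the name; it is checked at issuance time, not during the TLS handshake, and SSL Labs reports its presence under the certificate section of the scan.

```dns
; Hypothetical zone fragment for example.com.
; issue     : only the named CA may issue certificates for this name.
; issuewild : ";" forbids wildcard issuance by any CA.
; iodef     : where CAs should report requests that violate the policy.
example.com.   IN  CAA  0 issue     "letsencrypt.org"
example.com.   IN  CAA  0 issuewild ";"
example.com.   IN  CAA  0 iodef     "mailto:security@example.com"
```

After publishing, confirm the records are visible with `dig +short CAA example.com`; CAs query the name and then each parent label upward until they find a CAA set, so a record at the zone apex covers every subdomain that does not define its own.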
The server with the F rating needs to be entirely reconfigured to achieve even a modicum of
security. It should remove all SSL 2, SSL 3, and TLS 1.0 support (and TLS 1.1, for the same reason).
The primary protocols should be TLS 1.2 and TLS 1.3; at present the server supports only the older
protocols and none of the newer ones. The server should also be reconfigured so that it no longer
offers the 512-bit export suites, whose deliberately weakened RSA and DH keys are the target of
the FREAK and Logjam downgrade attacks. Along with this, the server should stop offering insecure
cipher suites (RC4, NULL encryption, anonymous key exchange, and the export suites already
mentioned), as these are vulnerable to a variety of well-known attacks. The server should also be
configured to support AEAD (Authenticated Encryption with Associated Data) cipher suites such as
AES-GCM and ChaCha20-Poly1305, which are not exposed to the padding-oracle attacks that affect
CBC-mode suites and are the only suites permitted by TLS 1.3. In its current state, this
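The two configurations described above (the permissive one on the F-rated server and the recommended TLS 1.2/1.3, forward-secrecy, AEAD-only policy) can be previewed locally before touching a production server. The following is an added example, not code from the lab report or from Qualys: it builds two Python ssl.SSLContext objects, asks OpenSSL which cipher suites each would actually offer, and flags the same findings SSL Labs reports (non-AEAD suites, suites without forward secrecy, and the minimum protocol version). The cipher strings and the function names are this example's own choices; the "legacy" context stands in for the F-rated server, with the caveat that modern OpenSSL no longer compiles in export-grade suites, so those cannot be reproduced here.

```python
"""Preview a server-side TLS policy and flag SSL Labs-style findings.

Added example (not part of the original lab report). Requires Python 3.7+
with an OpenSSL-backed ssl module; everything runs offline.
"""
import ssl

# Hypothetical "legacy" policy: every suite the local OpenSSL will allow.
# Export-grade suites are no longer compiled into modern OpenSSL, so they
# will not appear here even though SSL Labs reported them on the F server.
LEGACY_CIPHERS = "ALL"

# Hardened policy: ECDHE key exchange (forward secrecy) with AEAD bulk
# ciphers only. TLS 1.3 suites are configured separately by OpenSSL and
# are always AEAD, so they are left at their defaults.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"


def build_legacy_context() -> ssl.SSLContext:
    """Stand-in for the F-rated server: permissive cipher list, no floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(LEGACY_CIPHERS)
    return ctx


def build_hardened_context() -> ssl.SSLContext:
    """Recommended policy: TLS 1.2 as the floor, forward-secret AEAD suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # drops SSL 3, TLS 1.0, TLS 1.1
    ctx.set_ciphers(HARDENED_CIPHERS)
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Return SSL Labs-style findings for the suites a context would offer.

    get_ciphers() yields one dict per suite with the fields OpenSSL knows:
    'aead' (authenticated encryption) and 'kea' (key exchange, e.g.
    'kx-ecdhe', 'kx-rsa', or 'kx-any' for TLS 1.3 suites).
    """
    suites = ctx.get_ciphers()
    return {
        "suite_count": len(suites),
        # CBC/HMAC suites: exposed to padding-oracle style attacks.
        "non_aead": sorted(s["name"] for s in suites if not s["aead"]),
        # Static RSA key exchange: no forward secrecy.
        "no_forward_secrecy": sorted(
            s["name"] for s in suites if s["kea"] == "kx-rsa"
        ),
        "min_version": ctx.minimum_version,
    }


def is_hardened(findings: dict) -> bool:
    """True when the policy meets the recommendation made in the report."""
    return (
        findings["suite_count"] > 0
        and not findings["non_aead"]
        and not findings["no_forward_secrecy"]
        and findings["min_version"] >= ssl.TLSVersion.TLSv1_2
    )


def _report(label: str, findings: dict) -> None:
    print(f"== {label}: {findings['suite_count']} suites, "
          f"minimum version {findings['min_version'].name}")
    print("   non-AEAD suites      :", ", ".join(findings["non_aead"]) or "none")
    print("   no forward secrecy   :", ", ".join(findings["no_forward_secrecy"]) or "none")
    print("   meets recommendation :", is_hardened(findings))


if __name__ == "__main__":
    _report("legacy (F-rated) policy", audit(build_legacy_context()))
    _report("hardened policy", audit(build_hardened_context()))
```

The cipher string in HARDENED_CIPHERS is the same syntax nginx (`ssl_ciphers`) and Apache (`SSLCipherSuite`) accept, so the preview matches what those servers would offer once `ssl_protocols TLSv1.2 TLSv1.3;` or `SSLProtocol -all +TLSv1.2 +TLSv1.3` sets the protocol floor. The exact suite names printed depend on the local OpenSSL build, which is why the legacy audit is checked for the presence of weak suites rather than for a fixed list.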
Conclusion
Throughout this analysis, the most common reason for a B rating was support of the deprecated
TLS versions (TLS 1.0 and TLS 1.1, specifically). Although continued support may be necessary
for some organizations, it is paramount to understand that TLS 1.2 and TLS 1.3 should be the
default protocols configured on the server. Even if previous versions are supported, they should
not be the defaults and should be used only for connections from older clients; a server
negotiates the highest version the client also offers, so enabling TLS 1.2 and TLS 1.3 is enough
for every modern client to use them. The server with the F rating needs immediate attention and
should not be utilized in