
RUNNING HEAD: SSL Lab Using Qualys 1

SSL Lab Using Qualys

5/17/2021

Vulnerabilities Identified

Website URL          Vulnerabilities Identified
Humblebundle.com     TLS 1.0 and TLS 1.1 supported
Mail.wheels.net.my   TLS 1.0 supported
                     Server uses SSL 3
                     Server supports SSL 2
                     Server does not support TLS 1.2 or TLS 1.3
                     Server accepts RC4 cipher for older protocols
                     Server supports insecure cipher suites
                     Server supports 512-bit export suites
                     Server does not support AEAD cipher suites
Pythontutor.com      TLS 1.0 and TLS 1.1 supported
Tunein.com           TLS 1.0 and TLS 1.1 supported

[Chart: "Vulnerabilities Identified". Bar chart of vulnerability counts per site (y-axis 0 to 4.5) across the categories TLS Vulnerabilities, Cipher Vulnerabilities, SSL Acceptance and Export suite vulnerabilities; series: Humblebundle.com, Mail.wheels.net.my, Pythontutor.com, Tunein.com.]

Out of the four websites scanned with Qualys, three of them had a rating of B due to server support of TLS 1.0 and TLS 1.1. The fourth website had an F rating, due to the extreme lack of security and protocol support on the server. In order to mitigate these vulnerabilities, there are a few things that need to be done.

For the three servers that had a B rating, vulnerability mitigation is fairly straightforward. The servers should be reconfigured to use TLS 1.2 and TLS 1.3 as the primary protocols, as they are secure and have no known security issues. However, some servers may need to continue supporting TLS 1.0 and TLS 1.1, at least for now, to serve older clients. Additionally, these servers should consider implementing DNS CAA (Certification Authority Authorization) to help increase security.



The server with the F rating needs to be entirely reconfigured to achieve a modicum of security. It should remove any SSL 2, SSL 3, and TLS 1.0 support. The primary protocols should be TLS 1.2 and TLS 1.3, where it currently only supports older protocols and does not support the newer editions at all. The server should also be reconfigured so that there is no more support for the 512-bit export suites. Along with this, the server should no longer support insecure cipher suites, as these are extremely vulnerable to a variety of attacks. The server should also be configured to support Authenticated Encryption (AEAD) cipher suites, making it more secure and less vulnerable to certain attacks regarding encrypted information. In its current state, this server is completely insecure and susceptible to a variety of attacks.
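The checks behind the findings table and the remediation described for the B-rated and F-rated servers can be expressed as a small offline checker. The following is an added example written for this write-up, not Qualys' scanner or its grading logic; the two server profiles (protocol names and IANA cipher-suite names) are constructed to resemble the B-rated and F-rated hosts, not scan output.

```python
"""Apply this report's criteria to a TLS server profile, offline.
Added example for this write-up; not Qualys' scanner or grading logic.
Inputs are constructed profiles: protocol names plus IANA cipher-suite names."""

LEGACY = [  # (protocol, finding wording as used in the table above)
    ("SSLv2", "Server supports SSL 2"),
    ("SSLv3", "Server uses SSL 3"),
    ("TLSv1.0", "TLS 1.0 supported"),
    ("TLSv1.1", "TLS 1.1 supported"),
]
MODERN = {"TLSv1.2", "TLSv1.3"}

def is_aead(suite):
    # AEAD suites in IANA naming use GCM, CCM or ChaCha20-Poly1305
    return any(m in suite for m in ("_GCM_", "_CCM", "CHACHA20_POLY1305"))

def is_insecure(suite):
    # Export-grade, RC4, single DES, NULL-cipher or anonymous suites
    return any(m in suite for m in ("EXPORT", "RC4", "_DES_", "_NULL_", "_anon_"))

def assess(protocols, suites):
    """Return the findings for a profile, in the report's wording."""
    findings = [text for proto, text in LEGACY if proto in protocols]
    if not MODERN & set(protocols):
        findings.append("Server does not support TLS 1.2 or TLS 1.3")
    if any("RC4" in s for s in suites):
        findings.append("Server accepts RC4 cipher for older protocols")
    if any(is_insecure(s) for s in suites):
        findings.append("Server supports insecure cipher suites")
    if any("EXPORT" in s for s in suites):
        findings.append("Server supports 512-bit export suites")
    if not any(is_aead(s) for s in suites):
        findings.append("Server does not support AEAD cipher suites")
    return findings

def harden(protocols, suites):
    """Remediated profile: only TLS 1.2/1.3 and AEAD suites without weak primitives.
    An empty suite list means the operator must add AEAD suites before deploying."""
    keep_protos = [p for p in protocols if p in MODERN] or sorted(MODERN)
    keep_suites = [s for s in suites if is_aead(s) and not is_insecure(s)]
    return keep_protos, keep_suites

# Constructed profiles shaped like the B-rated and F-rated hosts in the table
B_HOST = (["TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"],
          ["TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
           "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"])
F_HOST = (["SSLv2", "SSLv3", "TLSv1.0"],
          ["SSL_CK_RC4_128_WITH_MD5", "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
           "TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"])

if __name__ == "__main__":
    for name, (protos, suites) in (("B-style host", B_HOST), ("F-style host", F_HOST)):
        print(name, assess(protos, suites), "-> hardened:", harden(protos, suites))
```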

Conclusion

Throughout this analysis, one of the most common reasons for a rating of B is support of the deprecated TLS versions (TLS 1.0 and TLS 1.1, to be specific). Although this may be necessary for some organizations, it is paramount to understand that TLS 1.2 and TLS 1.3 should be the default protocols configured for the server. Even if previous versions are supported, they should not be the default protocols and should only be used for older client connections. The server with the F rating needs immediate attention and should not be utilized in its current configuration, as it can be hacked with relative ease.
