Cathleen L. Abila
BSIT-3
Analysis of SSL/TLS Report
1. Collected Findings for Dribble.com
Overall Grade:
Grade: A+
The server received the highest rating, reflecting excellent SSL/TLS configuration.
Supported Protocols:
TLS 1.3: Yes
TLS 1.2: Yes
TLS 1.1: No
TLS 1.0: No
SSL 3.0 & SSL 2.0: No
Older, insecure protocols are disabled, which enhances security.
Vulnerabilities Identified:
No major vulnerabilities were identified in this test, but some cipher suites flagged
as weak could pose risks.
Misconfigurations Identified:
Issue: Weak Cipher Suites Enabled
- Some TLS 1.2 cipher suites (e.g., TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
are marked as weak due to older algorithms.
Mitigation: Disable weak cipher suites. Configure the server to prefer strong
modern ciphers such as TLS_AES_256_GCM_SHA384.
Issue: DNS Certification Authority Authorization (CAA) Not Configured
- CAA records help prevent unauthorized certificate issuance.
Mitigation: Set up DNS CAA records to specify authorized Certificate
Authorities (CAs).
Issue: OCSP Must-Staple Not Enabled
- This enhances certificate revocation checks by requiring OCSP responses to
be included in the TLS handshake.
Mitigation: Enable OCSP Must-Staple on the certificate.
Issue: Support for CBC-based Ciphers
- Cipher suites using CBC mode (e.g., TLS_RSA_WITH_AES_256_CBC_SHA) are
susceptible to vulnerabilities like BEAST.
Mitigation: Remove CBC-based ciphers in favor of AEAD ciphers like GCM or
ChaCha20.
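The weak-suite and CBC findings above can be read straight off the IANA suite names. The following is an added example, not part of the original report: it parses suite names and flags CBC mode, and it goes beyond the report by also flagging non-forward-secret key exchange and HMAC-SHA1. The function names and finding labels are assumptions made for illustration.

```python
# Added example: flag weak TLS cipher suites from their IANA names.
# TLS 1.2 names: TLS_<key exchange>_WITH_<cipher>_<MAC or PRF hash>
# TLS 1.3 names: TLS_<AEAD cipher>_<hash>   (no key exchange part)
AEAD_MARKERS = ("_GCM_", "_CCM_", "_CHACHA20_POLY1305_")


def classify_suite(name):
    """Return the list of weaknesses for one suite name ([] means none found)."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {name!r}")
    rest = name[len("TLS_"):]
    kx, sep, cipher = rest.partition("_WITH_")
    if not sep:                       # TLS 1.3 style name has no key exchange
        kx, cipher = None, rest
    body = f"_{cipher}_"
    findings = []
    if "_CBC_" in body:
        findings.append("cbc-mode")
    elif not any(marker in body for marker in AEAD_MARKERS):
        findings.append("non-aead")
    if kx is not None and not kx.startswith(("ECDHE_", "DHE_")):
        findings.append("no-forward-secrecy")
    if cipher.endswith("_SHA"):       # bare _SHA suffix means HMAC-SHA1
        findings.append("hmac-sha1")
    return findings


def suites_to_disable(offered):
    """Map each offered suite that has at least one weakness to its findings."""
    report = {name: classify_suite(name) for name in offered}
    return {name: found for name, found in report.items() if found}


# Suites named in the report, plus one constructed AEAD TLS 1.2 suite.
OFFERED = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]

if __name__ == "__main__":
    for suite, found in suites_to_disable(OFFERED).items():
        print(f"{suite}: {', '.join(found)}")
```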
2. Collected Findings for Canvas
Overall Grade:
Grade: A+
This indicates an excellent SSL/TLS configuration, with no major vulnerabilities
detected and modern protocol support.
Supported Protocols:
TLS 1.3: Yes (modern, highly secure protocol).
TLS 1.2: Yes (backward compatibility).
Older Protocols (TLS 1.1, TLS 1.0, SSL 3.0): Not supported (a positive security
measure).
Vulnerabilities Identified:
Some areas, such as cipher selection, could be optimized to strengthen security
further.
Misconfigurations:
Issue: Weak Cipher Suites Enabled
- Some TLS 1.2 cipher suites include CBC mode (e.g.,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA), which is less secure and
vulnerable to attacks like BEAST.
Mitigation: Disable CBC-based ciphers in favor of modern AEAD ciphers, such
as GCM or ChaCha20.
Issue: DNS Certification Authority Authorization (CAA) Not Configured
- DNS CAA records prevent unauthorized issuance of certificates for the
domain.
Mitigation: Configure DNS CAA records to specify trusted Certificate
Authorities (CAs).
Issue: OCSP Must-Staple Not Enabled
- This would improve certificate revocation handling by requiring the server to
provide an OCSP response during the TLS handshake.
Mitigation: Enable the OCSP Must-Staple extension in the certificate
configuration.
Issue: Long-lived Certificate
- The certificate is valid for over a year, increasing risk exposure in case of a
private key compromise.
Mitigation: Use shorter-lived certificates (e.g., 90 days) and automate renewal
processes using tools like Certbot.
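For the "DNS CAA Not Configured" finding raised in sections 1 and 2, the following added example (not part of the original report) shows how a CA evaluates CAA records under RFC 8659, and why a domain with no records leaves issuance open to any CA. The zone data and CA names are constructed placeholders, and the dictionary stands in for already-resolved DNS answers.

```python
# Added example: RFC 8659 CAA evaluation over constructed records.
# Records are (flags, tag, value) tuples keyed by owner name.
KNOWN_TAGS = ("issue", "issuewild", "iodef")


def relevant_rrset(name, zone):
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def may_issue(ca, name, zone):
    """True if CAA permits the CA (by issuer domain name) to issue for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    # An unrecognised property with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    values = issuewild if (wildcard and issuewild) else issue
    if not values:
        return True                 # nothing restricts issuance: any CA may issue
    # The issuer domain is the text before any ';' parameters; ';' alone is empty.
    return any(v.split(";", 1)[0].strip().lower() == ca.lower() for v in values)


# Constructed zone data; the CA names are placeholders.
ZONE = {
    "example.com": [
        (0, "issue", "ca-one.example; validationmethods=dns-01"),
        (0, "issuewild", ";"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "shop.example.com": [(0, "issue", "ca-two.example")],
}

if __name__ == "__main__":
    for ca, name in [("ca-one.example", "www.example.com"),
                     ("ca-two.example", "www.example.com"),
                     ("ca-one.example", "*.example.com"),
                     ("ca-two.example", "www.unconfigured.example")]:
        print(f"{ca} -> {name}: {may_issue(ca, name, ZONE)}")
```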
3. Collected Findings for Gmail.com
Overall Grade:
Grade: B
The grade is capped due to the support of outdated TLS protocols (TLS 1.0 and 1.1).
Supported Protocols:
TLS 1.3: Supported (strong modern protocol).
TLS 1.2: Supported (for backward compatibility).
TLS 1.1: Supported (deprecated, causes grade cap).
TLS 1.0: Supported (deprecated, causes grade cap).
Vulnerabilities Identified:
Older TLS Protocols:
TLS 1.0 and 1.1 have known vulnerabilities and should be disabled.
OCSP Must-Staple Not Enabled:
The server does not enforce Online Certificate Status Protocol (OCSP)
stapling.
Revocation Information Available but Not Mandatory:
CRL and OCSP mechanisms are used but not mandatory.
Misconfigurations:
Issue: Outdated TLS Protocols (TLS 1.0 and 1.1)
- These protocols are outdated and susceptible to attacks such as BEAST and
POODLE.
Mitigation: Disable support for TLS 1.0 and 1.1. Ensure only TLS 1.2 and 1.3
are enabled.
Issue: Weak Cipher Suites for TLS 1.2
- Some CBC-based ciphers (e.g., TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
are vulnerable to attacks like BEAST.
Mitigation: Replace CBC-based ciphers with AEAD ciphers such as GCM or
ChaCha20.
Issue: OCSP Must-Staple Not Enabled
- This security feature ensures the certificate's validity is checked during the
handshake.
Mitigation: Enable OCSP Must-Staple for the certificate to ensure timely
revocation checking.
4. Collected Findings for Youtube.com
Overall Grade: B
The grade is capped at B due to the support of older TLS protocols (1.0 and 1.1).
Protocols Supported
TLS 1.0 and TLS 1.1 (outdated and insecure).
TLS 1.2 (standard, secure).
TLS 1.3 (latest and secure).
Vulnerabilities Identified
Older TLS protocols (1.0, 1.1) are still supported.
Misconfigurations
Issue: TLS 1.0 and TLS 1.1 support.
Mitigation: Configure servers to only support TLS 1.2 and higher.
Issue: No OCSP Must-Staple.
Mitigation: Enforce OCSP Must-Staple to ensure certificate status checking.
Issue: Long certificate chains (three certificates with mixed strengths).
Mitigation: Optimize the chain to minimize latency by using fewer
intermediates.
Issue: HSTS not preloaded.
Mitigation: Submit the domain for HSTS preload to ensure clients
automatically use HTTPS.
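Before a domain can be submitted for preloading, its Strict-Transport-Security header has to meet the requirements published by hstspreload.org: a max-age of at least 31536000 seconds, includeSubDomains, and preload. The following added example, not part of the original report, checks a header value against those three requirements; the function names and sample header values are constructed for illustration.

```python
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds, the hstspreload.org minimum


def parse_hsts(header):
    """Split a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        key = key.strip().lower()          # directive names are case-insensitive
        if not key:
            continue
        if key in directives:              # RFC 6797: each directive only once
            raise ValueError(f"duplicate directive: {key}")
        directives[key] = value.strip().strip('"')
    return directives


def preload_gaps(header):
    """List what keeps a response header from meeting the preload requirements."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    try:
        directives = parse_hsts(header)
    except ValueError as err:
        return [str(err)]
    gaps = []
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        gaps.append("max-age missing or not a number")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        gaps.append(f"max-age below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        gaps.append("includeSubDomains missing")
    if "preload" not in directives:
        gaps.append("preload missing")
    return gaps


if __name__ == "__main__":
    # Constructed sample header values, not taken from the scanned sites.
    for sample in ("max-age=63072000; includeSubDomains; preload",
                   "max-age=31536000",
                   None):
        print(repr(sample), "->", preload_gaps(sample) or "meets header requirements")
```

The check covers the header only; the preload list also requires a valid certificate, an HTTP to HTTPS redirect on the same host, and HTTPS on every subdomain.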
5. Collected Findings for Britannica.com
Overall Grade: A
The server received an A rating, which indicates strong overall SSL/TLS
configuration.
Protocols Supported
TLS 1.2
TLS 1.3
Vulnerabilities Identified
No critical vulnerabilities were reported. The server uses secure protocols and
cipher suites.
Misconfigurations
Issue: Missing DNS CAA records.
- No mechanism to restrict unauthorized certificate issuance.
Mitigation: Add DNS CAA records to explicitly authorize specific certificate
authorities.
Issue: OCSP Must-Staple not enabled.
- Clients rely on external OCSP servers, leading to potential revocation check
delays or bypass.
Mitigation: Enable OCSP Must-Staple to ensure certificates are validated
during the TLS handshake.
Issue: HSTS not preloaded.
- Visitors may initially access the site over HTTP before redirecting to HTTPS,
exposing them to downgrade attacks.
Mitigation: Submit the site to the HSTS preload list for seamless HTTPS
enforcement.