Analyzing Browsers’ and Servers’ SSL and TLS Usage for a More Secure Internet

Bob Cromwell’s blog post on LibreSSL mentioned the POODLE attack recently. POODLE has caused a lot of discussion of SSL (Secure Sockets Layer), TLS (Transport Layer Security) and corresponding browser and server support. Browsers support different encryption algorithms and security protocols to allow users to access sites that support those protocols. Likewise, sites support different encryption algorithms and protocols to try to support as many browsers as possible. Supporting older browsers may mean supporting weaker encryption. Fortunately, there are tests for who supports what. I’m showing one of each here – browser and server – but there are others. I’m not endorsing these, per se; I just use them sometimes.

Testing your Browser’s SSL/TLS Capabilities

First up is a browser test. Let’s look at my Firefox 37.0.2 browser.

Firefox browser analysis

You can see that my Firefox browser is vulnerable to POODLE, and you can see some of the cipher suites it prefers (there are more, too). After installing and configuring the SSL Version Control plugin, I am no longer vulnerable to POODLE and I no longer support SSL.

Firefox with plugin installed.

I also tried Internet Explorer 11. Note that it is not vulnerable.

IE analysis

Doing the SSL Server Test

The server analysis gives a lot more information. This is part of the results of a server I use frequently. First up is the overall grade. This is especially useful for going to the IT department and saying “see, we need to configure our servers more securely.”

Server summary grade

Now we have the protocols and ciphers. Note the weak cipher still supported (probably for international customers) and the lack of SSL support.

Server protocols and ciphers
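
The same two checks (is SSL still offered, and are weak ciphers still offered) can be run over a protocol and cipher list like the one the server test reports. This is an added example, not code from the original post or from the test sites; the sample lists are constructed and the function names are assumptions. It also builds a Python server context that offers neither SSL nor weak ciphers.

```python
import re
import ssl

# Name tokens that mark a cipher suite as weak (OpenSSL or IANA naming).
WEAK_TOKENS = {"RC4", "RC2", "DES", "3DES", "CBC3", "NULL", "EXP", "EXPORT",
               "MD5", "ADH", "AECDH", "ANON"}
# Pre-TLS protocol versions; SSL 3.0 is the one POODLE relies on.
SSL_PROTOCOLS = {"SSLv2", "SSLv3"}

# Constructed sample of what a scan might report for one server.
SAMPLE_PROTOCOLS = ["SSLv3", "TLSv1.0", "TLSv1.2"]
SAMPLE_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA",
                  "DES-CBC3-SHA", "TLS_AES_256_GCM_SHA384"]


def audit(protocols, ciphers):
    """Return sorted findings for the protocols and cipher names reported."""
    findings = [f"protocol {p} enabled" for p in protocols if p in SSL_PROTOCOLS]
    for name in ciphers:
        # Split the suite name into tokens so "DES" does not match "AES".
        tokens = set(re.split(r"[-_]", name.upper()))
        hits = sorted(tokens & WEAK_TOKENS)
        if hits:
            findings.append(f"weak cipher {name} ({'/'.join(hits)})")
    return sorted(findings)


def hardened_server_context():
    """Server-side context: TLS 1.2 or newer, ECDHE with AES-GCM only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSL 3.0, TLS 1.0/1.1
    ctx.set_ciphers("ECDHE+AESGCM")               # TLS 1.3 suites stay enabled
    return ctx


def context_ciphers(ctx):
    """Names of the cipher suites a context would offer."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for finding in audit(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS):
        print(finding)
    print(audit([], context_ciphers(hardened_server_context())) or "hardened: clean")
```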

I hope this introduction to browser and server support helps you be more confident in your browsing and can help you make your users and customers more secure.

For more, have a look at Learning Tree’s course on Securing Web Applications where securing communication with SSL/TLS is covered.

To your safe computing,
John McDermott
