EmailDiscussions.com  

Old 9 Dec 2014, 12:12 PM   #1
bipbop
Senior Member
 
Join Date: Dec 2009
Posts: 197
SSL Report

https://www.ssllabs.com/ssltest/anal...ml?d=runbox.no
https://www.ssllabs.com/ssltest/anal...l?d=runbox.com

As you can see, the .no receives an F, and .com a B.

Just wondering why .no does so badly, and if it matters?

Old 9 Dec 2014, 01:39 PM   #2
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938

Representative of:
Runbox.com
Hi and thanks for bringing this to our attention.

Apparently SSL Labs have changed their tests -- we worked hard to achieve an A rating a few months ago by following the recommendations of Qualys' Ivan Ristić here: http://blog.ivanristic.com/2013/08/c...d-secrecy.html

Presumably they now believe the RC4 cipher suite should be disabled, which would prevent Internet Explorer users on Windows XP from using the site.

After checking our logs we found that hardly anyone is using Runbox on Windows XP anymore, so we have disabled RC4 tentatively -- and we now have an A rating again: https://www.ssllabs.com/ssltest/anal...l?d=runbox.com

We're soon going to move both runbox.com and runbox.no to new servers and we will try to fix the SSL rating for runbox.no then.

- Geir
Old 9 Dec 2014, 01:43 PM   #3
bipbop
Senior Member
 
Join Date: Dec 2009
Posts: 197
Much appreciated. Keep up the good work!
Old 29 Dec 2014, 01:57 AM   #4
na_mirage
Member
 
Join Date: Dec 2008
Location: UK
Posts: 50
The ssllabs test now rates the runbox.com domain back down to a C grade as the server is vulnerable to the POODLE attack.

Can you disable the SSL 3 support on the servers? I don't know what clients wouldn't be able to support TLS.
Old 29 Dec 2014, 03:08 AM   #5
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938

Representative of:
Runbox.com
Thanks for bringing this to our attention -- it helped us uncover a misconfiguration that was introduced the other day while working on another part of our web server configuration.

We disabled SSL3 15 months ago, namely -- and have now done so again! Back to A rating: https://www.ssllabs.com/ssltest/anal...box.com&latest

- Geir
Old 2 Jan 2015, 01:19 AM   #6
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938

Representative of:
Runbox.com
Quote:
Originally Posted by Geir
We're soon going to move both runbox.com and runbox.no to new servers and we will try to fix the SSL rating for runbox.no then.
Done: https://www.ssllabs.com/ssltest/anal...ml?d=runbox.no

- Geir
Old 27 Oct 2015, 02:20 AM   #7
na_mirage
Member
 
Join Date: Dec 2008
Location: UK
Posts: 50
Can you get the cert for the support.runbox.com domain updated?

Because of the SHA-1 and RC4, Chrome 46 gives it a red padlock with a cross through it and it gets a poor score with ssllabs:

https://www.ssllabs.com/ssltest/anal...ort.runbox.com
Old 7 Nov 2015, 07:28 AM   #8
Geir
The "e" in e-mail
 
Join Date: Sep 2001
Location: Oslo, Norway
Posts: 2,938

Representative of:
Runbox.com
Yes, we are working on this.

- Geir
All times are GMT +9. The time now is 02:33 PM.

 
