BadSSL - site for testing clients against bad SSL configs

[dark_moon]

I found that:
https://badssl.com
https://github.com/chromium/badssl.com

The tests are a little bit confusing for me, but maybe for some the site is nice

[Moonchild]

Made by the Chromium developers? I smell bias.

Just ran the test, and Pale Moon comes back just fine. The only "red" one is 1024-bit DH key exchange. This is within the spec and not bad, and required for some older servers that don't support DH keys > 1024bits. Clients should only reject DH primes less than (not less than or equal to) 1024 bits in size.

See also https://weakdh.org

If you’re a sysadmin or developer …

Make sure any TLS libraries you use are up-to-date, that servers you maintain use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit.

EDIT: issue opened: https://github.com/chromium/badssl.com/issues/282

[Moonchild]

So, yeah, they have explicitly designed the site to give "OK" and "GOOD" marks to exactly the limits of current versions of Chromium. And bringing up the (weak but generally acceptable) 1024-bit DH key issue got a response as if stepping in a nest of adders. Refusing to consider it as much legacy as 3DES is because it looks better.

Bias, plain and simple.

[dark_moon]

I read the comments on github. Yeah...i'm not surprised

[Moonchild]

That being said, the next version of Pale Moon has the capabilities (by enabling a few more RSA suites) to safely disable static DHE cipher suites, so I'm guessing that it will come up green in their Chromium test from then on.