Mozilla Observatory Website security issues #305
Description
Immuniweb.com test results for Mozilla Observatory; see the full results at the link:
https://www.immuniweb.com/ssl/observatory.mozilla.org/IepbUqru/
The key size (DH parameter) in the Diffie-Hellman key exchange method is set to 1024 bits. A longer value of at least 2048 bits is required to prevent the Logjam vulnerability.
Non-compliant with PCI DSS requirements
SERVER DOES NOT SUPPORT OCSP STAPLING
The server is not configured to support OCSP stapling for its RSA certificate, which allows better verification of the certificate validation status. Reconfigure or upgrade your web server to enable OCSP stapling.
Non-compliant with NIST guidelines
SERVER DOES NOT SUPPORT EXTENDED MASTER SECRET
The server does not support the Extended Master Secret (EMS) extension for TLS versions ≤1.2. EMS provides additional security to SSL sessions and prevents certain MitM attacks.
Non-compliant with NIST guidelines
SERVER DOES NOT SUPPORT TLSv1.3
Consider enabling support for the TLSv1.3 protocol, which is considered the most secure and stable version of the TLS protocol.
Misconfiguration or weakness
SERVER DOES NOT HAVE CIPHER PREFERENCE
The server does not prefer cipher suites. We advise enabling this feature in order to enforce usage of the best cipher suites selected.
Misconfiguration or weakness
SERVER SUPPORTS CLIENT-INITIATED SECURE RENEGOTIATION
The server supports client-initiated secure renegotiation, which may be unsafe and allow Denial of Service attacks.
Misconfiguration or weakness
SSL labs Tests for Mozilla Observatory
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
Other issues are listed in the report at the link above.
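A way to reproduce the handshake-level findings in this report independently of the scanners, as an added example (this is not code from the issue, from Mozilla, or from Immuniweb/SSL Labs). It drives `openssl s_client` and parses the fields that client prints: "Server Temp Key" for the DH parameter size, "Protocol" for the negotiated version, "OCSP Response Status" when `-status` gets a stapled response, "Extended master secret" and "Secure Renegotiation IS ...". It assumes OpenSSL 1.1.1 or later is in PATH, since those field names come from that client's output; the host names in the sample transcripts are constructed. Cipher-suite preference and client-initiated renegotiation need several or interactive handshakes and are not checked here.

```python
"""Re-check the handshake-level findings above with openssl s_client.

Added example, not code from the original issue, from Mozilla or from
Immuniweb/SSL Labs. Assumes OpenSSL 1.1.1 or later is in PATH; the field
names parsed below are taken from that client's output.
"""
import re
import subprocess
from typing import Optional

TEMP_KEY = re.compile(r"^Server Temp Key:\s*(.+?),\s*(\d+) bits", re.M)
PROTOCOL = re.compile(r"^\s*Protocol\s*:\s*(TLSv[\d.]+)", re.M)
OCSP_OK = re.compile(r"^\s*OCSP Response Status:\s*successful", re.M)
EMS = re.compile(r"^\s*Extended master secret:\s*(yes|no)", re.M)
RENEG = re.compile(r"^Secure Renegotiation IS (NOT )?supported", re.M)


def analyse(output: str) -> dict:
    """Map one s_client transcript onto the report's findings."""
    f: dict = {"temp_key": None, "weak_dh": False}
    m = PROTOCOL.search(output)
    f["protocol"] = m.group(1) if m else None
    tls13 = f["protocol"] == "TLSv1.3"

    m = TEMP_KEY.search(output)
    if m:
        kind, bits = m.group(1), int(m.group(2))
        f["temp_key"] = (kind, bits)
        # Only finite-field DH groups are Logjam-relevant; ECDH/X25519 sizes
        # are on a different scale and never trip this rule.
        f["weak_dh"] = kind.startswith("DH") and bits < 2048

    # With -status, an unstapled server prints "OCSP response: no response sent".
    f["ocsp_stapled"] = bool(OCSP_OK.search(output))

    # EMS (RFC 7627) and renegotiation exist only for TLS <= 1.2. A TLS 1.3
    # transcript still prints "no" / "IS NOT supported"; that is not a finding.
    m = EMS.search(output)
    f["ems"] = None if tls13 or not m else m.group(1) == "yes"
    m = RENEG.search(output)
    f["secure_renegotiation"] = None if tls13 or not m else m.group(1) is None
    return f


def issues(f: dict) -> list:
    """Findings phrased like the report, for a quick diff against the scan."""
    out = []
    if f["weak_dh"]:
        out.append("weak DH parameters (%d bits)" % f["temp_key"][1])
    if not f["ocsp_stapled"]:
        out.append("no OCSP stapling")
    if f["ems"] is False:
        out.append("no Extended Master Secret")
    if f["secure_renegotiation"] is False:
        out.append("insecure renegotiation")
    return out


def probe(host: str, port: int = 443, extra: Optional[list] = None) -> dict:
    """Run one handshake and analyse it (network access required).

    `extra` steers the handshake: ["-tls1_3"] tests TLS 1.3 support;
    ["-tls1_2", "-cipher", "DHE"] forces a DHE suite so the server's DH
    parameter size shows up in "Server Temp Key".
    """
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"] + (extra or [])
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    text = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
    return analyse(text)


# Constructed excerpts of s_client output (not captures of any real host),
# trimmed to the lines the parser reads.
SAMPLE_WEAK = """\
CONNECTED(00000003)
OCSP response: no response sent
---
Server Temp Key: DH, 1024 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-GCM-SHA256
    Extended master secret: no
"""

SAMPLE_GOOD = """\
CONNECTED(00000003)
OCSP Response Data:
    OCSP Response Status: successful (0x0)
---
Server Temp Key: X25519, 253 bits
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Extended master secret: no
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("good", SAMPLE_GOOD)):
        print(name, issues(analyse(text)))
```

Run `probe("observatory.mozilla.org", extra=["-tls1_2", "-cipher", "DHE"])` to see the DH parameter size the report complains about, and `probe(host, extra=["-tls1_3"])` to confirm TLS 1.3 once it is enabled; a TLS 1.3 handshake deliberately reports EMS and renegotiation as not applicable rather than as failures.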