I'm not sure it its part of the certificate or something else - but does anyone know if its possible - and also how I could start to increase both the Key Exchange and Cipher Strength so I can achieve a 100% score on all 4 bars on SSLABS - or where I would even start to go about that?
At the moment they are both on 90%
Thank you in Advance if anyone can help with this.
The A+ that you already score there puts you probably in the top 1% of web sites by cryptographic security, so I'm not sure that you really need to make any more changes.
However, you could consider going to
and choosing "Modern" there—hopefully the Modern configuration can get you the highest SSL Labs ratings if you really feel you need them.
As it seems that your site is intended for use by the general public, I would suggest that it might be best for you to be happy with your A+ because the majority of the changes that improve your score on SSL Labs have some cost to compatibility with older browsers.
If I understand correctly, SSL Labs is unhappy that your server continues to support these four ciphersuites
It isn't the certificate. It's (almost) never the certificate. When SSLLabs gives you a score, 99.99% of that score is your server configuration--the only way your cert affects the score is if it isn't trusted, you're serving the wrong one, you're serving the wrong intermediate, or something along those lines.
The two 90% results could only reach 100% if you avoid using 128 bit completely (only use 256 or higher).
But, in your case, that won't be possible for several reasons (some already having been pointed out):
Your site uses CloudFlare - it is subject to their implementation (not under your control).
The site uses TLSv1.3 (which is much like a package deal and difficult to remove any ciphers from).
That said, 100% as compared to 90% doesn't really mean anything.
To say that 90% doesn't mean that 10% of anything bad is being allowed to happen.
(i,e. Does NOT imply you are 90% protected/safe)
"Security" isn't really quantifiable as a "score" like SSL Labs presents. (And I'm sure the people at Qualys know that, but people really like compressing complicated evaluations into a simple single number.)
Cloudflare is using secure settings, and your configuration is fine. Here, I'll give you the 100% that you're looking for:
If there is some break in AES-128 such that AES-256 or ChaCha20 or whatever becomes a substantially better choice for some reason, I suspect Cloudflare will be one of the first ones to update their configurations.
Well, the most secure system would be air-gapped, and not serve data to anybody. That's presumably not what you're looking for if you're trying to serve web pages on the public Internet. So you need to start defining "secure as possible" and what threats you're trying to protect against. If you turn off some ciphers and/or TLS 1.2, then you would be "more secure" against an adversary intercepting traffic between your user and your server, but there would be less users that could connect to your site.
Unless there's some options somewhere in your Cloudflare configuration (which there might be; I'm not personally a Cloudflare user), then very likely yes.
Unlikely. Again, you'd need to define what threats you're trying to protect against. If you're worried about Cloudflare itself knowing about your user traffic then yes, you'd be more secure not using Cloudflare. If you're worried about your users telling other people about what's on your site when you thought you were only telling certain users that information, then having different ciphers or a different provider won't help. If you're worried about a major world government intercepting communications between your servers and your users, then, maybe, but then you really need to look at more important things than what's on your Qualys report first.
If Cloudflare is the endpoint handling the encryption to your users, then its configuration is the only thing that will show up in the Qualys report.
If you're interested in why the "CBC" ciphers are reported as "Weak" by Qualys, and you're not afraid of a little bit of math, then you might want to read this article by Cloudflare from a few years ago. The short of it is that CBC has some weaknesses in some cases, but you might not be able to turn it off yet if you want maximum compatibility with systems trying to visit your site.
And you can look at their current configuration, and a link to their Github where they show you the changes to cipher suites over time:
But really, having a company that's paying attention to and ensuring that their servers are using current encryption standards is going to do much more for keeping you "as secure as possible" than running your own server and then forgetting to come back in a few years to check what cipher suites it should be configured with then.
I guess if I had to define it... I am looking to give my customers the most secure website possible to use that will protect them from any known threats on SSL / TLS etc - especially when transferring sensitive data (e.g. Credit card numbers)..
In terms of backwards compatibility, TLS 1.2 is only really needed it seems now if someone is still using an old browser on windows 7 still (and windows 7 has reached its end of life now) and I still need to test this - but i cant imagine chrome and Firefox don't still update to the newest versions of themselves (with TLS 1.3 support) etc.
As such I am not sure if I even really need to deal with those edge cases of people who have somehow forced stopped their own browser updates and are using windows 7 or older still.
(at least that's what my research I have done so far tells me - which means of course I could be wrong)
As a side note - I only have TLS 1.2 enabled because curiously SSLabs actually gives an A score instead of an A+ score with it disabled for some reason - which doesn't make much sense for me since only TLS 1.3 is more secure than having both TLS 1.2 and 1.3 enabled as far as i can tell. (Would love any insights into why that happens - and drops a grade for being more secure apparently)
Also yes I was also curious why the last 2 bars are 90% and not 100% - is it absolutely those Weak ciphers? or could it be something else?.
Disabling TLS 1.2 gets rid of the weak ciphers but drops a grade to A and still says 90% on the last 2 bars anyway - even with no cloudflare at all if i remember rightly.
so not sure why they are even 90% and not 100% and its does kind of bug me not knowing why if I'm honest
You have done this. I'd be much more worried about what happens to those credit card numbers once they're on your server, or worried about people putting fraudulent credit card number in, than worried about which secure-enough cipher suite was used to get the data from the user to your server.
Well, looking at your Qualys report's handshake simulation, if you turned off TLS 1.2 you wouldn't be able to get users from Android 8 or earlier, IE 11 or (pre-chromium) Edge (even on Windows 10), Safari 10 or earlier, and probably some web crawlers (as it says Googlebot, Yahoo Slurp, and so forth only use TLS 1.2). I don't know how accurate Qualys's estimations of protocol negotiations are, but if it were me, I'd rather people be able to find my site in search engines and submit me those credit card numbers over TLS 1.2 rather than not have them find my site working at all. At some point, yes perhaps some point soon, disabling TLS 1.2 could be a normal thing, but I don't think we're at that point for sites wanting to be generally available on the Internet quite yet. Maybe give it another year or two. There is no known or theoretical break in TLS 1.2 at this time.
I'm not sure how much they've published on their scoring algorithm (as it of course changes over time), but Qualys does have a Best Practices document available which maybe you'd find interesting since you're so interested in Qualys's opinion of how secure a site is.
That is a very good point - Is there anything I can do about this?
And its not so much just their site - but more in general terms i guess - as it gave me things to think about.
Oh wow - well i did not realise that - I guess I will be leaving TLS 1.2 enabled for now then - thank you for that golden nugget as I may have ended up turning it off otherwise at some point before the internet is ready
Ok so I guess my other question is - I have not read those links yet from cloudflare and disabling some of the ciphers (i.e. the weak ones) - but I defo get the impression that if i tried to do so - there is a good chance I might break something?
If you want a complete security assessment to understand if you're securing people's credit card numbers correctly, that's probably more than I (or others) can provide in my spare time posting on a forum. There are certainly plenty of qualified security experts out there that you might want to consult with. I was just trying to say that the score you get on Qualys's scan is really just a tiny part of "being as secure as possible" as long as you're not, like, only using broken ciphers.
I think that if you can trust Cloudflare with your traffic, you can probably trust them to stay on top of ensuring that your connections are encrypted with current standards. (Again, I haven't used Cloudflare myself, but I have no reason to think that they're doing a poor job of anything and my understanding is that they're generally well-regarded in the industry.) And one of the main advantages of using a service like theirs is that you're outsourcing that part of staying secure to a company whose job it is to stay on top of that sort of thing. I mean, if you really like staying on top of current security standards and updating your servers' configurations accordingly that's a perfectly fine approach too, but it's the kind of thing that many people prefer to outsource.
as long as its possible to deal with those types of things I am happy
and yeah i guess I've just always had a thing for computers and cant seem to help jumping down learning rabbit holes
It is both a blessing and a curse haha.
Thank you for all your help you have helped me come to a decision of leaving TLS 1.2 enabled for now until the internet says its broken one day, and also to not mess with those weak ones as it doesn't end in a good outcome when doing so for most people.
Very informative answers and have got me unstuck from an indecision i had before this
Usually I don't read links straight away but i do click them to check them - and I have just GOT to read this one right now - its somehow perfectly fitting to my situation atm. - Plus the way its formatted is pretty nice to read too haha
It's probably used by Cloudflare to secure and encrypt the connection between Cloudflare and your system. So I suppose there is another set of ciphers and configurations that you need to check on to make sure that your customers' data is secured between there and you. That's where you can use the Mozilla recommendations and can probably use the more "modern" configuration since all you need is for Cloudflare to connect to it, not random browsers on the Internet. If you wanted, though, rather than using Let's Encrypt (trusted by "everybody") you could instead use a Cloudflare Origin certificate (just trusted by Cloudflare) if that made things easier for you.