Can you check my site and tell me if I am missing any configuration etc?


#1

My domain is: https://www.pokemonpets.com/

When I check the security tab of Chrome it shows like below


#2

You can check yourself at: https://www.ssllabs.com/ssltest/analyze.html?d=www.pokemonpets.com&hideResults=on


#3

@Osiris ty very much for the answer

I have tested and saw these

DNS CAA No ([more info](https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum))

How can I add DNS CAA when using Let's Encrypt?

Can I fix this when using Let's Encrypt?

RC4 **Yes** **INSECURE** ([more info](https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what))

Can I fix this when using Let's Encrypt?

Forward Secrecy **Weak key exchange WEAK**

Can I fix these when using Let's Encrypt?


#4

@Osiris and also these

ty


#5

You may find the articles linked here very helpful for you: https://www.namecheap.com/support/knowledgebase/article.aspx/9594/69/hardening-ssltls-configuration-on-iis-85

Because IIS 8.5 is quite long in the tooth, you will need to tune it with the help of the above resource in order to score highly on SSL Labs.

But it may not be possible to get an A+ (and that’s okay).


#6

@MonsterMMORPG Yes, all those issues are SSL/TLS issues, but they do not depend on the certificate. And only the certificate is Let’s Encrypt specific. All those other things are webserver configuration matters.

A certificate is only a very small (albeit important :wink:) part of the whole TLS setup. For more info, see: https://en.wikipedia.org/wiki/Transport_Layer_Security


#7

Hi @MonsterMMORPG

You have IIS 8.5.

There is one (old) tool to configure IIS without editing the Registry manually (it’s painful):

https://www.nartac.com/Products/IISCrypto

Disable all the old TLS_RSA cipher suites.
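
For readers who want to see what the manual registry route looks like for the RC4 finding in the SSL Labs report quoted earlier in the thread, here is an added example (not posted by anyone in the thread). It assumes an elevated PowerShell session on the IIS server and uses the standard SChannel `Ciphers` registry key; it covers RC4 only, not the TLS_RSA cipher suites.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on the IIS server.
# SChannel (the Windows TLS stack that IIS uses) reads per-cipher switches from this key.
$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$rc4Variants = 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128'

# The subkey names contain '/', which the PowerShell registry provider treats as a
# path separator, so the keys are created through the .NET registry API instead.
$hklm    = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Registry64')
$ciphers = $hklm.CreateSubKey($ciphersPath)   # opens the key writable, creating it if absent

try {
    foreach ($name in $rc4Variants) {
        $key = $ciphers.CreateSubKey($name)
        try {
            # Enabled = 0 (DWORD) switches this cipher off for SChannel
            $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        }
        finally {
            $key.Close()
        }
    }

    # Read the values back so the result is visible before re-testing the site
    $report = foreach ($name in $rc4Variants) {
        $key = $ciphers.OpenSubKey($name)
        [pscustomobject]@{ Cipher = $name; Enabled = $key.GetValue('Enabled') }
        $key.Close()
    }
    $report | Format-Table -AutoSize
}
finally {
    $ciphers.Close()
    $hklm.Close()
}
```

Re-run the SSL Labs test linked above afterwards to confirm the RC4 line has changed.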


#8

Ty very much for the answers

@JuergenAuer and @Osiris and @_az

I suppose it isn't worth the hassle, right?

Currently it would work on every decent browser without any error or problem?

My aim is making HTTPS work on as many browsers as possible

I think the grade doesn't matter much? I have no security problem or issue

I will keep supporting the HTTP version too