C2FO: The server supports only older protocols for HTTPS connections

ID H1:6794
Type hackerone
Reporter melvin
Modified 2014-05-15T20:58:02


The webserver at c2fo.com, only supports SSL 3.0 and TLS 1.0 for secure HTTP connections (see: test-results.png). While TLS 1.0 is more secure than SSL 3.0, subsequent versions of TLS, TLS 1.1 and TLS 1.2, are significantly more secure and fix many vulnerabilities present in SSL 3.0 and TLS 1.0.

I recommend enabling support for TLS 1.1 and TLS 1.2. Because not all browsers and operating systems support these new versions, to ensure availability, SSL 3.0 and/or TLS 1.0 should not be disabled (for now).