Saturday, February 25, 2023

[Research] ESET NOD32 Antivirus May Change a Website's Server Certificate Information (Part 1)


2023-02-25

********************************************************************************

On one computer with ESET NOD32 Antivirus installed, viewing the server certificates of different websites



https://gcp.nat.gov.tw/






********************************************************************************

On another computer without ESET NOD32 Antivirus installed, viewing the server certificates of different websites


********************************************************************************

(Figure below) The official site turned up no particularly useful information

********************************************************************************

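Asking ChatGPT

(Figure below) Click to view the image at 100%

For the same website, ESET NOD32 turns the website's server certificate into one issued by ESET, while a machine without ESET NOD32 sees it normally. Why?

There may be several possibilities:

Man-in-the-middle attack: Your computer or network may be subject to a man-in-the-middle attack. A man-in-the-middle attacker can tamper with the communication between you and the website, so that the website server certificate you see is replaced with a certificate issued by ESET. This allows the attacker to collect your sensitive personal information, such as account passwords and credit card numbers.

SSL inspection by security software: ESET NOD32 may have its SSL/TLS certificate checking feature enabled. This feature validates the certificate of the website the browser connects to, ensuring that the website's certificate was issued by a trusted authority. If the certificate does not meet the requirements, ESET NOD32 may replace the website's certificate to ensure that your visit is secure.

Browser cache: Your browser may have stored a certificate issued by ESET and loaded it directly from the cache when visiting the website. This would cause the website server certificate you see to be replaced with a certificate issued by ESET.

If you suspect that your computer or network is subject to a man-in-the-middle attack, you should immediately stop using that computer or network and take the necessary security measures, such as changing passwords, updating antivirus software, and using a VPN. If you have questions about ESET NOD32's SSL/TLS certificate checking feature, consult the software's user manual or contact the ESET support team.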

********************************************************************************


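Q: For website A, ESET NOD32 turns the server certificate into one issued by ESET, while without ESET NOD32 installed it looks normal;

for website B, it looks normal whether or not ESET NOD32 is installed. Why?

ChatGPT:

This situation may be because website A and website B use different SSL/TLS certificates, or because ESET NOD32 applies different certificate validation policies to website A and website B.

For website A, ESET NOD32 may have its SSL/TLS certificate checking feature enabled, and the certificate used by that website does not meet the requirements. This causes ESET NOD32 to replace website A's certificate to ensure that your visit is secure. Without ESET NOD32 installed, you can visit website A normally because your browser does not check that certificate, so what you see is the website's original certificate.

For website B, the certificate it uses may meet ESET NOD32's certificate validation requirements, so whether or not you have ESET NOD32 installed, you can visit the website normally, and the certificate you see is the same as the website's original certificate.

In short, ESET NOD32's SSL/TLS certificate checking feature can increase the security of network access, but it may sometimes affect your experience of visiting certain websites. If you have questions about ESET NOD32's certificate validation policy, consult the software's user manual or contact the ESET support team.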

********************************************************************************

SSL Server Test (Powered by Qualys SSL Labs)

https://www.ssllabs.com/ssltest/index.html

(Figure below) The scan takes a long time



(Figure below) Click to view at 100%


********************************************************************************

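Click every "Click here to expand" button. (Capturing a scrolling screenshot fails partway through; it did so on both of two attempts.) The content is pasted below.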

SSL Report: gcp.nat.gov.tw (210.241.69.200)
Assessed on:  Fri, 24 Feb 2023 23:35:05 UTC

Summary
Overall Rating: A+
(Rating chart, scale 0-100: Certificate, Protocol Support, Key Exchange, Cipher Strength)

HTTP Strict Transport Security (HSTS) with long duration deployed on this server.
Certificate #1: RSA 2048 bits (SHA256withRSA)
Server Key and Certificate #1
Subject: grca.nat.gov.tw
  Fingerprint SHA256: 6629f1afdffecf6a2e7886ee705cf21fa3aeb1c2666d85f13488ff1c8efe04b6
  Pin SHA256: tqa/TX0pN+xM6+fX1ar9rVi6o+duYp2NUL/yRVWOjlY=
Common names: grca.nat.gov.tw
Alternative names: grca.nat.gov.tw gcp.nat.gov.tw gca.nat.gov.tw gcaweb.nat.gov.tw gcara.nat.gov.tw xca.nat.gov.tw xcaweb.nat.gov.tw xcara.nat.gov.tw gtlsca.nat.gov.tw gtlscaweb.nat.gov.tw gtlscara.nat.gov.tw gtestca.nat.gov.tw oid.nat.gov.tw training.gpki.nat.gov.tw gpkiapi.nat.gov.tw
Serial Number: 3d0dd5d1dea986babc1676b9ea56cafb
Valid from: Tue, 27 Sep 2022 07:21:38 UTC
Valid until: Wed, 27 Sep 2023 07:21:38 UTC (expires in 7 months and 2 days)
Key: RSA 2048 bits (e 65537)
Weak key (Debian): No
Issuer: ????????????? - G1
  AIA: http://gtlsca.nat.gov.tw/Certs/GTLSCA.crt
Signature algorithm: SHA256withRSA
Extended Validation: No
Certificate Transparency: Yes (certificate)
OCSP Must Staple: No
Revocation information: CRL, OCSP
  CRL: http://gtlsca.nat.gov.tw/crl/GTLSCA-complete.crl
  OCSP: http://ocsp.gtlsca.nat.gov.tw/OCSP
Revocation status: Good (not revoked)
DNS CAA: No
Trusted: Yes (Mozilla, Apple, Android, Java, Windows)


Additional Certificates (if supplied)
Certificates provided: 4 (7491 bytes)
Chain issues: Contains anchor
#2
Subject: ????????????? - G1
  Fingerprint SHA256: 9d1cda1b9ef395afce7de0fe74de6d9ff5e0d2a43789116c00c6ba5bf44b9823
  Pin SHA256: yMUknny/PvrLFQdEKWvDlcHaFRKWkzvSUpfOPXBS62Y=
Valid until: Tue, 19 Aug 2031 06:46:45 UTC (expires in 8 years and 5 months)
Key: RSA 4096 bits (e 65537)
Issuer: ePKI Root Certification Authority - G2
Signature algorithm: SHA256withRSA
#3
Subject: ePKI Root Certification Authority - G2
  Fingerprint SHA256: 64717250af8b028dd8e5c0bae4c9142c8b103532612bc487085fd3c319f9c067
  Pin SHA256: tInMsiS5prgd0nTOr1IJwlKZjJp2r0jk9MUKByhGGCU=
Valid until: Wed, 20 Dec 2034 02:31:27 UTC (expires in 11 years and 9 months)
Key: RSA 4096 bits (e 65537)
Issuer: Chunghwa Telecom Co., Ltd. / ePKI Root Certification Authority
Signature algorithm: SHA256withRSA
#4
Subject: Chunghwa Telecom Co., Ltd. / ePKI Root Certification Authority   In trust store
  Fingerprint SHA256: c0a6f4dc63a24bfdcf54ef2a6a082a0a72de35803e2ff5ff527ae5d87206dfd5
  Pin SHA256: YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U=
Valid until: Wed, 20 Dec 2034 02:31:27 UTC (expires in 11 years and 9 months)
Key: RSA 4096 bits (e 65537)
Issuer: Chunghwa Telecom Co., Ltd. / ePKI Root Certification Authority   Self-signed
Signature algorithm: SHA1withRSA   Weak, but no impact on root certificate


Certification Paths
Path #1: Trusted
1. Sent by server: grca.nat.gov.tw
   Fingerprint SHA256: 6629f1afdffecf6a2e7886ee705cf21fa3aeb1c2666d85f13488ff1c8efe04b6
   Pin SHA256: tqa/TX0pN+xM6+fX1ar9rVi6o+duYp2NUL/yRVWOjlY=
   RSA 2048 bits (e 65537) / SHA256withRSA
2. Sent by server: ????????????? - G1
   Fingerprint SHA256: 9d1cda1b9ef395afce7de0fe74de6d9ff5e0d2a43789116c00c6ba5bf44b9823
   Pin SHA256: yMUknny/PvrLFQdEKWvDlcHaFRKWkzvSUpfOPXBS62Y=
   RSA 4096 bits (e 65537) / SHA256withRSA
3. Sent by server: ePKI Root Certification Authority - G2
   Fingerprint SHA256: 64717250af8b028dd8e5c0bae4c9142c8b103532612bc487085fd3c319f9c067
   Pin SHA256: tInMsiS5prgd0nTOr1IJwlKZjJp2r0jk9MUKByhGGCU=
   RSA 4096 bits (e 65537) / SHA256withRSA
4. Sent by server, In trust store: Chunghwa Telecom Co., Ltd. / ePKI Root Certification Authority   Self-signed
   Fingerprint SHA256: c0a6f4dc63a24bfdcf54ef2a6a082a0a72de35803e2ff5ff527ae5d87206dfd5
   Pin SHA256: YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U=
   RSA 4096 bits (e 65537) / SHA1withRSA
   Weak or insecure signature, but no impact on root certificate
Path #2: Not trusted (path does not chain to a trusted anchor)
1. Sent by server: grca.nat.gov.tw
   Fingerprint SHA256: 6629f1afdffecf6a2e7886ee705cf21fa3aeb1c2666d85f13488ff1c8efe04b6
   Pin SHA256: tqa/TX0pN+xM6+fX1ar9rVi6o+duYp2NUL/yRVWOjlY=
   RSA 2048 bits (e 65537) / SHA256withRSA
2. Sent by server: ????????????? - G1
   Fingerprint SHA256: 9d1cda1b9ef395afce7de0fe74de6d9ff5e0d2a43789116c00c6ba5bf44b9823
   Pin SHA256: yMUknny/PvrLFQdEKWvDlcHaFRKWkzvSUpfOPXBS62Y=
   RSA 4096 bits (e 65537) / SHA256withRSA
3. Sent by server: ePKI Root Certification Authority - G2
   Fingerprint SHA256: 64717250af8b028dd8e5c0bae4c9142c8b103532612bc487085fd3c319f9c067
   Pin SHA256: tInMsiS5prgd0nTOr1IJwlKZjJp2r0jk9MUKByhGGCU=
   RSA 4096 bits (e 65537) / SHA256withRSA
4. Extra download: Chunghwa Telecom Co., Ltd. / ePKI Root Certification Authority
   Fingerprint SHA256: b9c974de139f6308d74ccc423c3bc0bded5e7ab4ad738b304b50d429c42c3d66
   Pin SHA256: YlVMFwBVQ7I3IV8EJo3NL9HEcCQK08hmDiWuLFljD1U=
   RSA 4096 bits (e 65537) / SHA256withRSA
5. Extra download, Not in trust store: ePKI Root Certification Authority - G2   Self-signed
   Fingerprint SHA256: 1e51942b84fd467bf77d1c89da241c04254dc8f3ef4c22451fe7a89978bdcd4f
   Pin SHA256: tInMsiS5prgd0nTOr1IJwlKZjJp2r0jk9MUKByhGGCU=
   RSA 4096 bits (e 65537) / SHA256withRSA
Configuration
Protocols
TLS 1.3: No
TLS 1.2: Yes
TLS 1.1: No
TLS 1.0: No
SSL 3: No
SSL 2: No


Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK   128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK   128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK   128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK   256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK   256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK   256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)   WEAK   128
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)   WEAK   256


Handshake Simulation
Android 4.4.2   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Android 5.0.0   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Android 6.0   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Android 7.0   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Android 8.0   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Android 8.1   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Android 9.0   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
BingPreview Jan 2015   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Chrome 49 / XP SP3   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Chrome 69 / Win 7  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Chrome 70 / Win 10   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Chrome 80 / Win 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Firefox 31.3.0 ESR / Win 7   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Firefox 47 / Win 7  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Firefox 49 / XP SP3   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Firefox 62 / Win 7  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Firefox 73 / Win 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Googlebot Feb 2018   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
IE 11 / Win 7  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1   FS
IE 11 / Win 8.1  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1   FS
IE 11 / Win Phone 8.1  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1   FS
IE 11 / Win Phone 8.1 Update  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1   FS
IE 11 / Win 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Edge 15 / Win 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Edge 16 / Win 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Edge 18 / Win 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Edge 13 / Win Phone 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Java 8u161   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Java 11.0.3   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Java 12.0.1   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
OpenSSL 1.0.1l  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
OpenSSL 1.0.2s  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
OpenSSL 1.1.0k  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
OpenSSL 1.1.1c  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Safari 6 / iOS 6.0.1   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1   FS
Safari 7 / iOS 7.1  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1   FS
Safari 7 / OS X 10.9  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1   FS
Safari 8 / iOS 8.4  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1   FS
Safari 8 / OS X 10.10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1   FS
Safari 9 / iOS 9  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Safari 9 / OS X 10.11  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Safari 10 / iOS 10  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Safari 10 / OS X 10.12  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Safari 12.1.2 / MacOS 10.14.6 Beta  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Safari 12.1.1 / iOS 12.3.1  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Apple ATS 9 / iOS 9  R   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
Yahoo Slurp Jan 2015   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
YandexBot Jan 2015   RSA 2048 (SHA256)   TLS 1.2   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1   FS
# Not simulated clients (Protocol mismatch)
Android 2.3.7   No SNI (2)   Protocol mismatch (not simulated)
Android 4.0.4   Protocol mismatch (not simulated)
Android 4.1.1   Protocol mismatch (not simulated)
Android 4.2.2   Protocol mismatch (not simulated)
Android 4.3   Protocol mismatch (not simulated)
Baidu Jan 2015   Protocol mismatch (not simulated)
IE 6 / XP   No FS (1)   No SNI (2)   Protocol mismatch (not simulated)
IE 7 / Vista   Protocol mismatch (not simulated)
IE 8 / XP   No FS (1)   No SNI (2)   Protocol mismatch (not simulated)
IE 8-10 / Win 7  R   Protocol mismatch (not simulated)
IE 10 / Win Phone 8.0   Protocol mismatch (not simulated)
Java 6u45   No SNI (2)   Protocol mismatch (not simulated)
Java 7u25   Protocol mismatch (not simulated)
OpenSSL 0.9.8y   Protocol mismatch (not simulated)
Safari 5.1.9 / OS X 10.6.8   Protocol mismatch (not simulated)
Safari 6.0.4 / OS X 10.8.4  R   Protocol mismatch (not simulated)
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers sometimes retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).
(All) Certificate trust is not checked in handshake simulation, we only perform TLS handshake.


Protocol Details
DROWN: Unable to perform this test due to an internal error.
(1) For a better understanding of this test, please read this longer explanation
(2) Key usage data kindly provided by the Censys network search engine; original DROWN website here
(3) Censys data is only indicative of possible key and certificate reuse; possibly out-of-date and not complete
INTERNAL ERROR: connect timed out
INTERNAL ERROR: connect timed out
Secure Renegotiation: Supported
Secure Client-Initiated Renegotiation: Yes
Insecure Client-Initiated Renegotiation: No
BEAST attack: Mitigated server-side
POODLE (SSLv3): No, SSL 3 not supported
POODLE (TLS): No
Zombie POODLE: No   TLS 1.2 : 0xc013
GOLDENDOODLE: No   TLS 1.2 : 0xc013
OpenSSL 0-Length: No   TLS 1.2 : 0xc013
Sleeping POODLE: No   TLS 1.2 : 0xc013
Downgrade attack prevention: Unknown (requires support for at least two protocols, excl. SSL2)
SSL/TLS compression: No
RC4: No
Heartbeat (extension): No
Heartbleed (vulnerability): No
Ticketbleed (vulnerability): No
OpenSSL CCS vuln. (CVE-2014-0224): No
OpenSSL Padding Oracle vuln. (CVE-2016-2107): No
ROBOT (vulnerability): No
Forward Secrecy: Yes (with most browsers)   ROBUST
ALPN: No
NPN: No
Session resumption (caching): Yes
Session resumption (tickets): No
OCSP stapling: No
Strict Transport Security (HSTS): Yes
  max-age=31536000;includeSubdomains; preload
HSTS Preloading: Not in: Chrome  Edge  Firefox  IE
Public Key Pinning (HPKP): No
Public Key Pinning Report-Only: No
Public Key Pinning (Static): Unknown
Long handshake intolerance: No
TLS extension intolerance: No
TLS version intolerance: No
Incorrect SNI alerts: No
Uses common DH primes: No, DHE suites not supported
DH public server param (Ys) reuse: No, DHE suites not supported
ECDH public server param reuse: No
Supported Named Groups: secp256r1, x25519, secp384r1 (server preferred order)
SSL 2 handshake compatibility: Yes


HTTP Requests
1 https://gcp.nat.gov.tw/  (HTTP/1.1 200 OK)


Miscellaneous
Test date: Fri, 24 Feb 2023 23:28:23 UTC
Test duration: 386.634 seconds
HTTP status code: 200
HTTP server signature: -
Server hostname: 210-241-69-200.hinet-ip.hinet.net


SSL Report v2.1.10


********************************************************************************

It looks normal.
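The comparison made by eye in this post, between the certificate a browser on the ESET machine shows and the one an outside scanner reports, can be scripted. The following is an added example, not part of the original post: it assumes the certificate (or chain) was exported from the browser's certificate viewer to a PEM or DER file with the leaf first, and the function names are hypothetical.

```python
import base64
import hashlib
import re

# Leaf-certificate lines copied from the SSL Labs report on this page
# (the view of gcp.nat.gov.tw from outside the local machine).
REPORT_EXCERPT = """\
Subjectgrca.nat.gov.tw
Fingerprint SHA256: 6629f1afdffecf6a2e7886ee705cf21fa3aeb1c2666d85f13488ff1c8efe04b6
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def report_fingerprints(report_text):
    """All SHA-256 certificate fingerprints listed in a pasted SSL Labs report."""
    found = re.findall(r"Fingerprint SHA256:\s*([0-9A-Fa-f]{64})", report_text)
    return {fp.lower() for fp in found}


def exported_certs(data):
    """Split a browser export into DER blobs: PEM (one or more certs) or raw DER."""
    blocks = PEM_BLOCK.findall(data.decode("latin-1"))
    if blocks:
        return [base64.b64decode("".join(b.split())) for b in blocks]
    return [data]  # no PEM armour: treat the file as a single DER certificate


def compare_export(data, report_text):
    """Return (verdict, [(sha256_hex, listed_in_report), ...]) for an export."""
    refs = report_fingerprints(report_text)
    if not refs:
        raise ValueError("no 'Fingerprint SHA256:' lines found in report text")
    rows = []
    for der in exported_certs(data):
        fp = hashlib.sha256(der).hexdigest()  # same digest the report prints
        rows.append((fp, fp in refs))
    # Assumption: the leaf is the first certificate in the file. A leaf that
    # was re-issued on the local machine cannot appear in an outside report.
    verdict = "same-as-report" if rows[0][1] else "replaced-locally"
    return verdict, rows


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:  # path to the exported .cer/.pem file
        print(compare_export(fh.read(), REPORT_EXCERPT))
```

A "replaced-locally" verdict also appears when the site has renewed its certificate since the report was generated, so re-run the report before drawing a conclusion.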


(End)
