HTTPS Interception Weakens TLS Security

Discussion in 'other security issues & news' started by ronjor, Mar 16, 2017.

  1. ronjor

    ronjor Global Moderator

    Original release date: March 16, 2017
     
  2. itman

    itman Registered Member

    Notably:
    Additionally, just because a test shows in red does not mean that the security solution's SSL scanning is defective. You have to specifically run the test to determine if the product detects the condition being tested. Finally, you might fail certain tests because of the browser you are using. I failed the "dl_small_subgroup" and "dh_composite" tests in IE11.

    Finally, the badssl.com test was specifically designed to test Chrome SSL configuration. So how accurate it is against other browsers remains to be determined. -EDIT- For example, the pinning test performed on the badssl web site is for HPKP pinning:
    https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
    So I do question CERT's recommendation to use an SSL test that does not apply to all browsers. I also question the motivation behind this alert issue. SSL protocol scanning has been a topic for at least two years. However, the recent WikiLeaks CIA revelations include a recommendation to their agents not to use SSL/TLS encryption because it is insecure. I find it a bit too coincidental that this CERT report was released a few days thereafter. My take is it's a diversion to shift emphasis away from the real issue, which is fixing the insecurities in the SSL/TLS encryption protocol, by again bashing the AV vendors as somehow part of the issue. This also lines up nicely with Google's and Mozilla's goal of eliminating AV vendor SSL/TLS protocol scanning altogether since it costs them more in developmental costs.
     
    Last edited: Mar 16, 2017