Devrim: Since we are on the topic of security with 2 factor auth (I just got the email), I noticed GoG is using a weak cipher and key exchange combo. (no forward secrecy, SHA1 signature etc.).
Would be nice if someone could take a look at it. I noticed becase I disabled all weak ciphers in Firefox and Firefox refused to load GoG.
Thanks.
I checked about a week ago and they got an "A" rating on SSL Pulse so if that's true it would seem to be a regression. Testing again right now...
Update: I'm getting an "A" class rating for all GOG's servers here still. Disabling the various insecure "compatibility" ciphers shouldn't have an effect on loading GOG's website with Firefox on a modern OS. Perfect forward secrecy is working fine here from what I can see:
Protocol Details
DROWN (experimental) No, server keys and hostname not seen elsewhere with SSLv2
(1) For a better understanding of this test, please read this longer explanation
(2) Key usage data kindly provided by the Censys network search engine; original DROWN test here
(3) Censys data is only indicative of possible key and certificate reuse; possibly out-of-date and not complete
Secure Renegotiation Supported
Secure Client-Initiated Renegotiation No
Insecure Client-Initiated Renegotiation No
BEAST attack Not mitigated server-side (more info) TLS 1.0: 0xc014
POODLE (SSLv3) No, SSL 3 not supported (more info)
POODLE (TLS) No (more info)
Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported (more info)
SSL/TLS compression No
RC4 No
Heartbeat (extension) Yes
Heartbleed (vulnerability) No (more info)
OpenSSL CCS vuln. (CVE-2014-0224) No (more info)
OpenSSL Padding Oracle vuln.
(CVE-2016-2107) No (more info)
Forward Secrecy With modern browsers (more info)
ALPN No
NPN Yes spdy/3.1 http/1.1
Session resumption (caching) Yes
Session resumption (tickets) Yes
OCSP stapling No
Strict Transport Security (HSTS) No
HSTS Preloading Not in: Chrome Edge Firefox IE Tor
Public Key Pinning (HPKP) No
Public Key Pinning Report-Only No
Long handshake intolerance No
TLS extension intolerance No
TLS version intolerance No
Incorrect SNI alerts No
Uses common DH primes No
DH public server param (Ys) reuse No
SSL 2 handshake compatibility Yes
Miscellaneous
Test date Sun, 16 Oct 2016 01:21:19 UTC
Test duration 141.739 seconds
HTTP status code 301
HTTP forwarding
http://www.gog.com PLAINTEXT
HTTP server signature nginx
Server hostname host-193-59-178-35.gog.com