We all know what a SSL cert is, right? Well then why are most certs so poorly implemented? I think the problem lies with most system administrators getting the cert at the last minute (when users report seeing an expired cert on the site) and sticking it in. Often though, several weak ciphers are allowed. I assume that everything below 128 bit encryption is a weak cipher (and hopfully you do too)
Anyways, here are a few tools to check how the SSL encryption of your site looks to hackers:
- ServerSniff
- SSLDigger
Good luck! And have fun!
Oh and if you want to check out the remediation for this, here are some links coutesy of Dimitrios Petropoulos (on the owasp list):
IIS:
http://support.microsoft.com/?kbid=245030
http://support.microsoft.com/default.aspx?scid=kb;en-us;187498
Apache:
http://httpd.apache.org/docs-2.0/mod/mod\_ssl.html#sslciphersuite
IBM HTTP Server:
http://www-306.ibm.com/software/webservers/httpservers/doc/v1312/ibm/9acdssl.htm(look for SSLVersion and SSLCipherSpec)
iPlanet v6:
http://docs.sun.com/source/816-5682-10/esecurty.htm#1008479