www.htmlyse.com - Home

Test DNS, SSL/TLS, HTTP and HTML

Test results for tls13.mitm.watch

Scanned on: Sat Oct 27 11:26:25 2018 GMT. Tested in 436 seconds

DNS Report

Name TTL Type Data
tls13.mitm.watch 299 A 159.203.57.164
tls13.mitm.watch 300 AAAA 2604:a880:cad:d0:0:0:22a8:6001

SSL/TLS Report

 Further IP addresses:   2604:a880:cad:d0::22a8:6001 
 A record via            supplied IP "159.203.57.164"
 rDNS (159.203.57.164):  --
 Service detected:       HTTP


 SSL/TLS protocols 
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    offered
 TLS 1.2    offered (OK)
 TLS 1.3    not offered -- downgraded
 NPN/SPDY   h2, http/1.1 (advertised)
 ALPN/HTTP2 h2, http/1.1 (offered)

 SSL/TLS server implementation bugs 

 No bugs found.

 Cipher categories 

 NULL ciphers (no encryption)                  not offered (OK) -- NULL:eNULL
 Anonymous NULL Ciphers (no authentication)    not offered (OK) -- aNULL:ADH
 Export ciphers (w/o ADH+NULL)                 not offered (OK) -- EXPORT:!ADH:!NULL
 LOW: 64 Bit + DES encryption (w/o export)     not offered (OK) -- LOW:DES:!ADH:!EXP:!NULL
 Weak 128 Bit ciphers (SEED, IDEA, RC[2,4])    not offered (OK) -- MEDIUM:!aNULL:!AES:!CAMELLIA:!ARIA:!CHACHA20:!3DES
 Triple DES Ciphers (Medium)                   not offered (OK) -- 3DES:!aNULL:!ADH
 High encryption (AES+Camellia, no AEAD)       offered (OK) -- HIGH:!NULL:!aNULL:!DES:!3DES:!AESGCM:!CHACHA20:!AESGCM:!CamelliaGCM:!AESCCM8:!AESCCM
 Strong encryption (AEAD ciphers)              offered (OK) -- AESGCM:CHACHA20:AESGCM:CamelliaGCM:AESCCM8:AESCCM


 Robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK)          ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA 
                              ECDHE-RSA-CHACHA20-POLY1305 
                              ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA 
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 


 Server preferences 

 Has server cipher order?     yes (OK)
 Negotiated protocol          TLSv1.2
 Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Cipher order
    TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA 
               ECDHE-RSA-DES-CBC3-SHA DES-CBC3-SHA 
    TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 
               ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-SHA 
               ECDHE-RSA-AES128-SHA AES256-SHA AES128-SHA 


 Server defaults (Server Hello) 

 TLS extensions (standard)    "next protocol/#13172" "session ticket/#35"
                              "renegotiation info/#65281" "status request/#5"
                              "application layer protocol negotiation/#16"
 Session Ticket RFC 5077 hint (no lifetime advertised)
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: no
 TLS clock skew               Random values, no fingerprinting possible 
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial / Fingerprints        033057720F373B830D5B197F4763BF233A96 / SHA1 D7F3D5AB296C72228B88D21800209EEB6C5EE680
                              SHA256 3598F9BE2F1A706649A5E44A3009506AB2EF2C834D9B5ECA2021F8B4D3FCCC51
 Common Name (CN)             tls13.mitm.watch
 subjectAltName (SAN)         tls13.mitm.watch 
 Issuer                       Let's Encrypt Authority X3 (Let's Encrypt from US)
 Trust (hostname)             Ok via SAN and CN (same w/o SNI)
 Chain of trust               Ok   
 EV cert (experimental)       no 
 Certificate Validity (UTC)   56 >= 30 days (2018-09-23 15:59 --> 2018-12-22 14:59)
 # of certificates provided   2
 Certificate Revocation List  --
 OCSP URI                     http://ocsp.int-x3.letsencrypt.org
 OCSP stapling                not offered
 OCSP must staple extension   --
 DNS CAA RR (experimental)    not offered
 Certificate Transparency     yes (certificate extension)


 HTTP header response @ "/" 

 HTTP Status Code             200 OK
 HTTP clock skew              +1 sec from localtime
 Strict Transport Security    not offered
 Public Key Pinning           --
 Server banner                (no "Server" line in header, interesting!)
 Application banner           --
 Cookie(s)                    (none issued at "/")
 Security headers             --
 Reverse Proxy banner         --


 SSL/TLS vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 Ticketbleed (CVE-2016-9244), experiment.  not vulnerable (OK)
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
 BREACH (CVE-2013-3587)                    potentially NOT ok, uses gzip HTTP compression. - only supplied "/" tested
                                           Can be ignored for static pages or if no secrets in the page
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention supported (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=3598F9BE2F1A706649A5E44A3009506AB2EF2C834D9B5ECA2021F8B4D3FCCC51
                                           could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected
 BEAST (CVE-2011-3389)                     no SSL3 or TLS1 (OK)
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Tested 364 ciphers, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384                    
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256                    
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       
 xc012   ECDHE-RSA-DES-CBC3-SHA            ECDH 256   3DES        168      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA                
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      


 Ciphers per protocol, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
-----------------------------------------------------------------------------------------------------------------------------
TLS 1.3  
TLS 1.2  
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384                    
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256                    
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       
 xc012   ECDHE-RSA-DES-CBC3-SHA            ECDH 256   3DES        168      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA                
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      
TLS 1.1  
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       
 xc012   ECDHE-RSA-DES-CBC3-SHA            ECDH 256   3DES        168      TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA                
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA                      
TLS 1  
SSLv3  
SSLv2  

 Client simulations 

 Android 2.3.7                No connection
 Android 4.0.4                No connection
 Android 4.1.1                No connection
 Android 4.2.2                No connection
 Android 4.3                  No connection
 Android 4.4.2                TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 5.0.0                TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 6.0                  TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Android 7.0                  TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Chrome 27 Win 7              TLSv1.1 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Chrome 28 Win 7              TLSv1.1 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Chrome 29 Win 7              TLSv1.1 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Chrome 30 Win 7              TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Chrome 31 Win 7              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 32 Win 7              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 33 Win 7              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 34 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 35 Win 7              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 36 Win 7              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 37 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 39 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 40 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 42 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 43 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 45 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 47 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 48 OS X               TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 49 Win 7              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 49 XP SP3             TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Chrome 50 Win 7              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
 Chrome 51 Win 7              TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Chrome 57 Win 7              TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Chrome 65 Win 7              TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Chrome 69 Win 7              TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Chrome 70 Win 10             TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Firefox 10.0.12 ESR Win 7    No connection
 Firefox 17.0.7 ESR Win 7     No connection
 Firefox 21 Fedora 19         No connection
 Firefox 21 Win 7             No connection
 Firefox 22 Win 7             No connection
 Firefox 24.2.0 ESR Win 7     No connection
 Firefox 24 Win 7             No connection
 Firefox 26 Win 8             No connection
 Firefox 27 Win 8             TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 29 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 30 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 31.3.0 ESR Win 7     TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 31 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 32 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 34 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 35 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 37 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 39 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 41 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 42 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 44 OS X              TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 45 Win 7             TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 46 Win 7             TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 47 Win 7             TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Firefox 49 Win 7             TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Firefox 49 XP SP3            TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Firefox 53 Win 7             TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Firefox 59 Win 7             TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Firefox 62 Win 7             TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 IE 6 XP                      No connection
 IE 7 Vista                   No connection
 IE 8-10 Win 7                No connection
 IE 8 Win 7                   No connection
 IE 8 XP                      No connection
 IE 9 Win 7                   No connection
 IE 10 Win Phone 8.0          No connection
 IE 11 Win 7                  TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win 8.1                TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1          TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win Phone 8.1 Update   TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 IE 11 Win 10                 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 IE 11 Win 10 Preview         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Edge 12 Win 10               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Edge 13 Win 10               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Edge 13 Win Phone 10         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Edge 15 Win 10               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Opera 12.15 Win 7            No connection
 Opera 15 Win 7               TLSv1.1 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Opera 16 Win 7               TLSv1.1 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Opera 17 Win 7               TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 5.1.9 OS X 10.6.8     No connection
 Safari 5 iOS 5.1.1           TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 6.0.4 OS X 10.8.4     No connection
 Safari 6 iOS 6.0.1           TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 7 iOS 7.1             TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 7 OS X 10.9           TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 8 iOS 8.0 Beta        TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 8 iOS 8.4             TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 8 OS X 10.10          TLSv1.2 ECDHE-RSA-AES256-SHA, 256 bit ECDH (P-256)
 Safari 9 iOS 9               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 9 OS X 10.11          TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 10 iOS 10             TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Safari 10 OS X 10.12         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Tor 17.0.9 Win 7             No connection
 Apple ATS 9 iOS 9            TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Baidu Jan 2015               No connection
 BingBot Dec 2013             No connection
 BingPreview Dec 2013         No connection
 BingPreview Jun 2014         No connection
 BingPreview Jan 2015         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Googlebot Oct 2013           No connection
 Googlebot Jun 2014           No connection
 Googlebot Feb 2015           TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Googlebot Feb 2018           TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Yahoo Slurp Oct 2013         No connection
 Yahoo Slurp Jun 2014         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Yahoo Slurp Jan 2015         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 YandexBot 3.0                No connection
 YandexBot May 2014           No connection
 YandexBot Sep 2014           TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 YandexBot Jan 2015           TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Java 6u45                    No connection
 Java 7u25                    No connection
 Java 8b132                   TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Java 8u111                   TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Java 8u161                   TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Java 8u31                    TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Java 9.0.4                   TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 OpenSSL 0.9.8y               No connection
 OpenSSL 1.0.1h               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.0.1l               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)


Security HTTP Headers

HTTP Strict Transport Security (HSTS)   not offered (NOT ok)
Content Security Policy (CSP)           not offered (NOT ok)
X-Frame-Options                         not offered (NOT ok)
X-XSS-Protection                        not offered
X-Content-Type-Options                  not offered
Expect-CT                               not offered
Referrer Policy                         not offered
Feature Policy                          not offered
Web Server Version Disclosure           not offered (OK)
Web Application Disclosure              not offered (OK)
HTTP Public Key Pins (HPKP)             not offered, deprecated

Connection Performance
Keep Alive Connection                   not offered
Content Encoding (Compression)          offered (Gzip) OK, for static pages or if no secrets in the page

Raw HTTP Headers

HTTP/1.1 200 OK
Accept-Ranges bytes
Content-Encoding gzip
Content-Type text/html; charset=utf-8
Date Sat, 27 Oct 2018 11:19:15 GMT
Last-Modified Thu, 28 Dec 2017 18:50:01 GMT

Cleaned HTML

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>TLS 1.3 middleboxes test</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link rel="stylesheet" href="css/styles.css" type="text/css" />
<link rel="stylesheet" href="css/responsive.css" type="text/css" />
<link href="https://fonts.googleapis.com/css?family=Open+Sans:400,600" rel="stylesheet" />
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/font-awesome/4.4.0/css/font-awesome.min.css" />
</head>
<body>
<div class="cf-gradient"></div>
<div class="content main-hover-box">
<div class="cf-gradient2"></div>
<div class="hover-box box-content">
<h1>TLS 1.3 middleboxes test</h1>
<p>This page performs some tests to check for middlebox interference with TLS 1.3. For that it requires Adobe Flash and TCP port 843 to be open. If this is not the case, all tests will fail with <em>N/A</em>.</p>
<div id="initial-info">
<p><label><input id="verbose" class="confirm-checkbox" type="checkbox" checked="checked" autocomplete="off" /> Enable additional MITM detection, this requires the server to record test results.</label> <span class="learnmore" onclick="extratext()">Learn More</span></p>
<div id="hidden-text" class="hidden">
<p>The purpose of this tool is to gather insight in potential failure modes of TLS 1.3. We aim for full transparency in what we do, data will only be collected once the test starts.</p>
<h3>Information that we collect</h3>
<ul>
<li>IP address: used to learn what (mobile) networks or ISPs are problematic.</li>
<li>Result (pass/fail): whether a connection attempt succeeded and whether the response matches the expectation.</li>
<li>Contents of the simulated connection (TCP payload and session keys): this should normally have an exact match with the server view. A mismatch indicates potential issues.</li>
<li>User Agent (web browser version): allows tests to be discarded later in case we discover incompatibilities between a test and a browser.</li>
<li>If you choose to disable additional MITM detection, the above will not be collected and finer analysis is not possible. As a result the test report will be less informative.</li>
</ul>
<h3>Who are we</h3>
<p>This opensource project is built by <a href="https://www.cloudflare.com/">Cloudflare</a>. We help building a better (more secure) Internet and are involved in the development and deployment of TLS 1.3 at scale. To see the code or report issues, see this <a href="https://github.com/cloudflare/mitm.watch">Github</a> repository.</p>
<h3>What we are going to do with the data</h3>
<ul>
<li>Aggregate results, providing a summary for the public.</li>
<li>Help to make informed decisions in the development of the TLS 1.3 specification.</li>
<li>Analyze potential middlebox interference.</li>
<li>The raw data will be treated as confidential, but we may share (a subset of) it with other researchers for scientific purposes. This includes browser vendors who run similar tests.</li>
</ul>
</div>
<button type="button" class="btn-start" id="action-start">Start The Test</button></div>
<div id="status-text-booting">
<p><i class="fa fa-spinner fa-pulse fa-3x fa-fw" aria-hidden="true"></i> Loading libraries, please stand by...</p>
</div>
<h2 class="results-text">Results</h2>
<table id="results">
<thead>
<tr>
<th>TLS Version</th>
<th>IP Version</th>
<th>Status</th>
<th>Remark</th>
</tr>
</thead>
</table>
<div id="test-complete-message">
<p>Tests are complete. <button type="button" class="btn-restart" id="action-restart">Restart</button></p>
<p class="testid-reference">If you would like to refer to this test result, use test identifier <span id="testid"></span>.</p>
<p class="testid-unavailable">Additional MITM detection was disabled, so no test identifier is available. Restart the test and enable additional MITM detection if you need an identifier to report issues.</p>
</div>
<div id="flash-message">
<div class="flash-warning"><i class="fa fa-exclamation-circle" aria-hidden="true"></i></div>
<div class="flash-text">Adobe Flash is currently required for its Socket API. Please activate the Flash plugin below.</div>
<div class="flash-text2">Click and allow Flash to enable the tests.</div>
</div>
<div id="socketApi">Adobe Flash is required for this test, but not available. <a href="https://www.adobe.com/go/getflashplayer">Get it here</a></div>
</div>
</div>
<div class="footer">
<p class="footer-text">©2017 Cloudflare</p>
</div>
<script src="https://cdnjs.cloudflare.com/ajax/libs/swfobject/2.2/swfobject.js"></script>
<script>
<![CDATA[

// HACK: pretend to have a supported flash version
if (window.chrome) {
swfobject.ua.pv = [100, 0, 0];
}
// https://github.com/swfobject/swfobject/wiki/SWFObject-API
// Use dimensions 100x100 instead of 0x0 or else Chrome won't prompt for
// permission to use Flash
swfobject.embedSWF("socketapi.swf", "socketApi", "100", "100", "13", false, {},
{allowscriptaccess: "always"}, {}, null);

var jssock; // will be set by jssock.js
// Test State.
var TS_INIT = 0, TS_PENDING = 1, TS_RUNNING = 2, TS_COMPLETE;
var testState = TS_INIT;

var results = document.getElementById("results");
var tlsVersions = {
0x300: "SSL 3.0",
0x303: "TLS 1.2",
0x304: "TLS 1.3 (draft -22)"
};
var STATUS_OK = "OK", STATUS_NA = "N/A", STATUS_FAIL = "Fail";
var detectStatus = function(exp) {
if (!exp.Failed) {
return STATUS_OK;
} else if (exp.Result === "connection timed out") {
return STATUS_NA;
} else if (exp.Result === '[SecurityErrorEvent type="securityError" bubbles=false cancelable=false eventPhase=2 text="Error #2048"]') {
// Override error message to provide more useful feedback.
if (exp.IPv6) {
exp.Result = "Connection failed, perhaps port 843 is blocked or IPv6 is unsupported";
} else {
exp.Result = "Connection failed, perhaps port 843 is blocked or the network is unreachable";
}
return STATUS_NA;
} else {
return STATUS_FAIL;
}
};

var setTestState = function(state) {
if (state === testState) {
// nothing to do
return;
}

if (state !== TS_INIT) {
document.body.classList.add("test-active");
} else {
document.body.classList.remove("test-active");
}
if (state === TS_COMPLETE) {
document.body.classList.add("test-complete");
} else {
document.body.classList.remove("test-complete");
}
testState = state;
};
var startTests = function() {
var apiReady = document.body.classList.contains("booted");
var verbose = document.getElementById("verbose").checked;
console.log("startTests() - apiReady " + apiReady + ", state " + testState);
if (testState === TS_INIT) {
if (!apiReady) {
setTestState(TS_PENDING);
return;
}
} else if (testState === TS_PENDING) {
if (!apiReady) {
return;
}
} else {
// not allowed to start a new test while one is running.
return;
}
setTestState(TS_RUNNING);
jssock.StartTests(verbose);
if (verbose) {
document.body.classList.add("test-verbose");
} else {
document.body.classList.remove("test-verbose");
}
};
document.getElementById("action-start").onclick = startTests;
var restartTests = function() {
if (testState === TS_COMPLETE) {
var table = results.tBodies[0];
while (table.rows.length > 0) {
table.deleteRow(-1);
}
setTestState(TS_INIT);
}
};
document.getElementById("action-restart").onclick = restartTests;

// Transitions:
// (init) - jssock library not yet loaded
// booting - jssock library loaded, waiting for Flash
// booted - Flash ready.
var updateStatus = function(status) {
console.log("updateStatus(" + status + ")");
if (status === "booting") {
// script has loaded, waiting for Flash
setTimeout(function() {
if (document.body.classList.contains("booting")) {
document.body.classList.add("flash-please");
}
}, 1000);
document.body.classList.add("booting");
} else if (status === "booted") {
document.body.classList.remove("flash-please");
document.body.classList.remove("booting");
document.body.classList.add("booted");
// boot complete, run tests if it was requested by the user.
if (testState === TS_PENDING) {
startTests();
}
}
};
var parseTestIDFromDomain = function(domain) {
var reUUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i;
var match = reUUID.exec(domain);
return match ? match[0] : "";
};
var addExperiment = function(exp) {
if (results.tBodies.length === 0) {
results.createTBody();
}
var item = results.tBodies[0].insertRow();
item.className = "status-pending";
item.insertCell().textContent = tlsVersions[exp.Version];
item.insertCell().textContent = exp.IPv6 ? "IPv6" : "IPv4";
item.insertCell().textContent = "Pending";
item.insertCell(); // Description

// TODO remove this old Experiment structure and pass the identifier in a
// different way (e.g. at the end of tests).
document.getElementById("testid").textContent = parseTestIDFromDomain(exp.Domain);
};
var updateExperiment = function(i, exp) {
var row = results.tBodies[0].rows[i];
var status = detectStatus(exp);
row.cells[2].textContent = status;

var desc;
if (status == STATUS_FAIL) {
desc = exp.Result;
row.className = "status-fail";
} else if (status == STATUS_NA) {
desc = exp.Result;
row.className = "status-na";
} else if (exp.IsMitm) {
desc = "Communication succeeded, but interference by a MITM was detected";
row.className = "status-ok";
} else {
desc = "";
row.className = "status-ok";
}
row.cells[3].textContent = desc;
if (results.getElementsByClassName("status-pending").length === 0) {
setTestState(TS_COMPLETE);
}
};

function extratext() {
var element = document.getElementById("hidden-text");
element.classList.toggle("hidden");
}
]]>
</script>
<script>
<![CDATA[

// cache bump
var jssockClientVersion = "b2aff92fd5bc";
(function() {
var s = document.createElement("script");
s.src = "jssock.js?v=" + encodeURIComponent(jssockClientVersion);
document.body.appendChild(s);
}());
]]>
</script>
</body>
</html>

Warnings Errors and Accessibility

line 48 column 13 - Info: missing optional end tag </li>
line 50 column 13 - Info: missing optional end tag </li>
line 52 column 13 - Info: missing optional end tag </li>
line 55 column 13 - Info: missing optional end tag </li>
line 76 column 13 - Info: missing optional end tag </li>
line 77 column 13 - Info: missing optional end tag </li>
line 79 column 13 - Info: missing optional end tag </li>

Accessibility Checks:

line 37 column 9 - Access: [9.3.1.3]: <script> not keyboard accessible (onClick).
line 2 column 1 - Access: [4.3.1.1]: language not identified.
line 7 column 3 - Access: [6.1.1.1]: style sheets require testing (link).
line 8 column 3 - Access: [6.1.1.1]: style sheets require testing (link).
line 33 column 9 - Access: [2.1.1.5]: ensure information not conveyed through color alone (input).
line 33 column 9 - Access: [12.4.1.2]: associate labels explicitly with form controls (for).
line 98 column 9 - Access: [5.5.2.1]: <table> missing <caption>.
line 98 column 9 - Access: [5.5.1.1]: <table> missing summary.
line 150 column 1 - Access: [6.2.2.2]: text equivalents require updating (script).
line 150 column 1 - Access: [6.3.1.1]: programmatic objects require testing (script).
line 150 column 1 - Access: [8.1.1.1]: ensure programmatic objects are accessible (script).
line 150 column 1 - Access: [7.1.1.1]: remove flicker (script).
line 150 column 1 - Access: [2.1.1.4]: ensure information not conveyed through color alone (script).
line 150 column 1 - Access: [1.1.10.1]: <script> missing <noscript> section.
line 151 column 1 - Access: [6.2.2.2]: text equivalents require updating (script).
line 151 column 1 - Access: [6.3.1.1]: programmatic objects require testing (script).
line 151 column 1 - Access: [8.1.1.1]: ensure programmatic objects are accessible (script).
line 151 column 1 - Access: [7.1.1.1]: remove flicker (script).
line 151 column 1 - Access: [2.1.1.4]: ensure information not conveyed through color alone (script).
line 151 column 1 - Access: [1.1.10.1]: <script> missing <noscript> section.
line 322 column 1 - Access: [6.2.2.2]: text equivalents require updating (script).
line 322 column 1 - Access: [6.3.1.1]: programmatic objects require testing (script).
line 322 column 1 - Access: [8.1.1.1]: ensure programmatic objects are accessible (script).
line 322 column 1 - Access: [7.1.1.1]: remove flicker (script).
line 322 column 1 - Access: [2.1.1.4]: ensure information not conveyed through color alone (script).
line 322 column 1 - Access: [1.1.10.1]: <script> missing <noscript> section.
Info: Document content looks like HTML5
No warnings or errors were found.