SSL Certificate Analysis for mail.latino.aol.com - Security Grade & TLS Configuration

Open Cached · just now

91/100 SECURITY SCORE

Certificate Information

Subject

C=US, ST=New York, L=New York, O=Yahoo Holdings Inc., CN=api.push.mail.aol.com

Issuer

C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA

Valid From

September 18, 2025

Valid Until

March 11, 2026 114 days

Public Key

ECDSA 256 bit (P-256) Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

BC:FD:65:29:07:B9:42:18:BB:41:CA:B1:4A:DC:A4:C9:CC:F9:BC:A9:9F:A9:4A:4B:16:B9:FD:05:1E:AE:CA:3A

Alternative Names

27 domains

Security Configuration

TLS Protocols

TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

Warnings

• TLS 1.1 is deprecated and should be disabled
• TLS 1.0 is deprecated and should be disabled

HTTP Security Headers

Status

Strict-Transport-Security

Present

max-age=31536000

Content-Security-Policy

Good

base-uri; child-src; connect-src; +9 more

base-uri 'self';child-src 'self' https://login.yahoo.net https://s.yimg.com https://s1.yimg.com;connect-src 'self' https://geo.yahoo.com https://server-dev.comet.yahoo.com https://server.comet.yahoo.com https://ws.progrss.yahoo.com https://udc.yahoo.com https://jsapi.login.yahoo.com https://www.yahoo.com https://3p-udc.yahoo.com https://3p-geo.yahoo.com https://www.google-analytics.com https://*.aol.com https://guce.aol.com/ https://ups.analytics.yahoo.com https://api.taboola.com/1.2/json/taboola-usersync/user.sync https://fn.or.ipqualityscore.com https://fn.eu.ipqualityscore.com https://fn.us.ipqualityscore.com https://fn.nc.ipqualityscore.com https://or.ipqualityscore.com https://fn.us.ipqsnet.com https://fn.eu.ipqsnet.com https://fn.nc.ipqsnet.com https://dtproxy5.yahoo.nc.clients.ipqs.com https://dtproxy6.yahoo.nc.clients.ipqs.com https://dtproxy5.yahoo.eu.clients.ipqs.com https://dtproxy6.yahoo.eu.clients.ipqs.com https://dtproxy5.yahoo.or.clients.ipqs.com https://dtproxy6.yahoo.or.clients.ipqs.com https://s.yimg.com;default-src 'self' https://s.yimg.com https://s1.yimg.com https://login.yahoo.net;font-src https://s.yimg.com https://s1.yimg.com;frame-src 'self' https://login.yahoo.net https://s.yimg.com https://s1.yimg.com https://*.aol.com https://www.aol.co.uk https://www.aol.de https://gpt.mail.yahoo.net/sandbox https://guce.oath.com/ https://opus.analytics.yahoo.com https://tsdtocl.com/;img-src 'self' data: https://yahoo.com https://ct.yimg.com https://s.yimg.com https://s1.yimg.com https://tw.yimg.com https://geo.yahoo.com https://socialprofiles.zenfs.com https://*.wc.yahoodns.net https://beap-bc.yahoo.com https://ws.progrss.yahoo.com https://log.fc.yahoo.com https://*.ah.yahoo.com https://pr-bh.ybp.yahoo.com https://fbcdn.net https://scontent.xx.fbcdn.net https://z-m-scontent.xx.fbcdn.net https://graph.facebook.com https://data.mail.yahoo.com https://platform-lookaside.fbsbx.com https://www.yahoo.com https://3p-geo.yahoo.com https://www.googletagmanager.com;media-src https://*.ah.yahoo.com https://s.yimg.com;object-src 'none';report-uri https://csp.yahoo.com/beacon/csp?src=mbr_account;script-src 'unsafe-inline' 'self' https://s.yimg.com https://s1.yimg.com https://jsapi.login.yahoo.com https://fc.yahoo.com https://e2e.fc.yahoo.com https://server-dev.comet.yahoo.com https://server.comet.yahoo.com https://www.googletagmanager.com https://opus.analytics.yahoo.com/tag/opus.js https://consent.cmp.oath.com/cmp.js 'nonce-t3ikaWQjo1lXpuAl7zn1JOxP+22UnEFHCsI1nBc5Bp0UC516' ;style-src * 'unsafe-inline'

X-Frame-Options

Excellent

DENY

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Missing

Not configured

Recommendations

• Increase HSTS max-age to at least 1 year and add includeSubDomains
• Strengthen CSP by removing 'unsafe-eval'
• Consider adding Permissions-Policy to control browser features

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports