SSL Certificate Analysis for richark.com.tw - Security Grade & TLS Configuration

SSL Verification Bypassed

The server's SSL certificate could not be verified. The analysis was completed using insecure mode. Data may be less reliable.

Reason:

Invalid Certificate - the server's certificate is malformed or invalid

Open Cached · just now

47/100 SECURITY SCORE

Certificate Information

Subject

CN=richark.com.tw

Issuer

CN=richark.com.tw

Valid From

May 28, 2012

Valid Until

May 26, 2022 Expired

Public Key

RSA 2048 bit Adequate

Signature Algorithm

SHA1-RSA Weak

SHA-256 Fingerprint

93:7F:49:FF:AD:DA:A0:91:C5:D9:A0:84:89:ED:E2:2F:DF:B7:96:7D:0F:D5:FF:63:2A:72:EB:35:21:47:B9:68

Security Configuration

TLS Protocols

TLS 1.0 TLS 1.1 TLS 1.2

Forward Secrecy

Limited (Check cipher configuration)

Warnings

• TLS 1.3 is not supported (recommended)
• TLS 1.1 is deprecated and should be disabled
• TLS 1.0 is deprecated and should be disabled

HTTP Security Headers

Status

Strict-Transport-Security

Missing

Not configured

Content-Security-Policy

Missing

Not configured

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Present

same-origin

Permissions-Policy

Present

accelerometer=(),browsing-topics=(),camera=(),clipboard-read=(),clipboard-write=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=()

Recommendations

• Add Strict-Transport-Security header with max-age of at least 1 year
• Add Content-Security-Policy header to prevent XSS attacks

CAA Records (Certificate Authority Authorization)

CAA Records

Configured (Restricts certificate issuance)

Current Issuer

Not Authorized (Potential misconfiguration)

Authorized CAs

comodoca.com digicert.com ; cansignhttpexchanges=yes letsencrypt.org pki.goog ; cansignhttpexchanges=yes ssl.com

Wildcard CAs

ssl.com comodoca.com digicert.com ; cansignhttpexchanges=yes letsencrypt.org pki.goog ; cansignhttpexchanges=yes

CAA Issues

• CRITICAL: Current certificate issuer 'CN=richark.com.tw' is NOT authorized by CAA records. Authorized CAs: comodoca.com, digicert.com; cansignhttpexchanges=yes, letsencrypt.org, pki.goog; cansignhttpexchanges=yes, ssl.com

Recommendations

• Consider using critical flag (flags=128) for stricter CAA enforcement
• You have authorized 5 CAs - consider limiting to only the CAs you actively use
• Consider adding 'iodef' records to receive notifications about unauthorized certificate issuance attempts