Many SSL sites remain insecure and vulnerable!

[polonus]

Read: http://www.biztechmagazine.com/article/2013/09/most-ssl-sites-remain-insecure-and-vulnerable  (Alexander Slagg = article author)
This information to a large extent still holds out for the 2015 situation. Why I stiil come accross so many https (SSL) stes which do not get a green padlock in the Google Chrome browser.
Here it is OK: https://shaaaaaaaaaaaaa.com/check/webmail.online.nl/
Still I do not get the Google Chrome green padlock. Intermediate certificate has a weak signature. -> https://www.ssllabs.com/ssltest/analyze.html?d=webmail.online.nl
Security Header Implementation Situation: https://www.uploady.com/#!/download/w~FwQhr0Ysa/haY1QZdsfzfE9olG
Minor warnings here: http://www.dnsinspect.com/online.nl/1422721624
ISP tracks with fonts.googleapis.com

  just a font service, but one that could, conceivably, be used for tracking.

Read on quote: http://www.telecomasia.net/blog/content/tangled-web-internet-tracking
link article author = Don Sambandaraksa

polonus

[polonus]

Also look here how Google checks the security of the padlock: https://support.google.com/chrome/answer/95617?hl=en
And the workings of interference here: https://community.webroot.com/t5/Webroot-SecureAnywhere-Complete/Webroot-Filtering-Extension-Chrome-no-more-Green-Padlocks/td-p/63825
How to avoid the yellow broken padlock symbol from appearing: http://www.ravenousravendesign.com/code/use-ssl-properly-avoid-yellow-lock-symbol/

polonus

[polonus]

Another test tool result: http://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm?test_domain=www.mozilla.org
Result page view: https://www.uploady.com/#!/download/jlskjnLGKKg/yla7bNUDe6k~uTdf
Issues: http://www.dnsinspect.com/mozilla.org/1422739211
Cert Logik alerts to: Signature Algorithm   sha1WithRSAEncryption (SHA-1 is being phased out)
See: https://ssl.trustwave.com/support/support-certificate-analyzer.php?address=www.mozilla.org&port=443
Vulnerable to POODLE attack: https://www.ssllabs.com/ssltest/analyze.html?d=www.mozilla.org
POODLE Scan: Scan results
WWW.MOZILLA.ORG:443 (63.245.215.20) - VULNERABLE
Security Header Check results page: https://www.uploady.com/#!/download/pbOUFnFNYx8/XXX5fzGT6DslWY9O
Confirmed: http://toolbar.netcraft.com/site_report/?url=https%3A%2F%2Fwww.mozilla.org

Tracking: The following sites know that you visited this page. Click on a site to find out what more it knows about you.
-mozilla.net
-optimizely.com
-mozorg.cdn.mozilla.net is tracking with some safety measures taken.

Mozilla SSL 

polonus

[polonus]

The following site gets a green padlock, but certainly has issues, poodle included.

Re: http://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm?test_domain=aaa.mzh.nl
Re: http://www.dnsinspect.com/mzh.nl/1422742084
Re: https://ssl.trustwave.com/support/support-certificate-analyzer.php?address=www.mozilla.org&port=443
Re: https://www.ssllabs.com/ssltest/analyze.html?d=aaa.mzh.nl
and https://sslcheck.globalsign.com/nl/sslcheck?host=aaa.mzh.nl#89.188.25.137
Re: http://toolbar.netcraft.com/site_report/?url=https%3A%2F%2Faaa.mzh.nl%2Fvpn%2Ftmindex.html

polonus

[ehmen]

Whoever uses Chrome version 40 and above is immune to the SSL vulnerability, since Chrome removed it.

http://venturebeat.com/2015/01/21/chrome-40-launches-with-npapi-plugins-blocked-by-default-removes-ssl-3-0-completely/
http://www.zdnet.com/article/chrome-set-to-disable-and-remove-sslv3-in-upcoming-releases/

[polonus]

Hi ehmen,

That is a good sign, but also webmasters and website hosters should get their configurations like it shopuld.
Alas I haven't seen any without errors, flaws or not using best policy.

polonus

[ehmen]

but also webmasters and website hosters should get their configurations like it shopuld.

Agreed 100%.
But at least those using Chrome v40 will be immune and won't suffer due to a webmasters negligence.
Alas, many a webmaster and hoster isn't as concerned with cyber-security as need be.