Author Topic: Why insecurity not found here? avast! let us go there without any alerts!


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
See: http://app.webinspector.com/public/reports/show_website?site=https%3A%2F%2Fwebmail.tcs.com
Invalid SSL Certificate. Found by Detection Engine
What about this? SSL Configuration Checker: https://sslcheck.globalsign.com/nl/sslcheck?host=webmail.tcs.com#
several issues found.
Security Headers: Insecure: cache-control, x-content-type-options, x-xss-protection, x-frame-options, x-content-security-policy
Header Not Returned
Page meta security headers: x-content-security-policy and cache-control insecure

_TCSLoginUserForm HTML form insecure

One can get serious warnings in the browser; the site is more vulnerable to DDoS attacks, sessions are vulnerable to BEAST attacks, the server config has weak cipher suites, and OCSP stapling is not configured - privacy issues may arise.
Also see: https://www.sslcertificaten.nl/SSLCheck?domain=webmail.tcs.com
Why does avast not alert when going there, nor does Google Safe Browsing in Google Chrome?

I would like to hear some bells ring here, as Firefox does not let me go there, reports SSL is broken, and Calomel also gives a red warning!

polonus
« Last Edit: December 29, 2013, 04:26:56 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
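Added example, not code from the original post or from any of the scanners it links to: an offline audit of the five response headers the scanner flagged on the login page (cache-control, x-content-type-options, x-xss-protection, x-frame-options, content-security-policy). The two header sets at the bottom are constructed for the demonstration, not captured from webmail.tcs.com.

```python
"""Audit HTTP response headers for the protections the thread's scanner
flagged. Added example; the header dicts below are constructed, not a
capture from any real webmail host.
"""
from typing import Dict, List


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per weak or missing header; [] means all checks pass.

    Header names are matched case-insensitively, as HTTP field names are.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []

    # Cache-Control: a login page and the mail it returns must not be stored
    # by shared caches or survive in the browser cache after logout.
    cc_tokens = {t.strip().lower() for t in h.get("cache-control", "").split(",")}
    if "no-store" not in cc_tokens:
        findings.append("cache-control: missing or lacks 'no-store'")

    # X-Content-Type-Options: only the value 'nosniff' stops MIME sniffing.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options: missing or not 'nosniff'")

    # X-Frame-Options: DENY or SAMEORIGIN keeps the login form out of an
    # attacker's iframe (clickjacking).
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("x-frame-options: missing or not DENY/SAMEORIGIN")

    # X-XSS-Protection: the 2013-era browser XSS filter; '0' disables it.
    # (Modern browsers have since removed that filter; a CSP is the replacement.)
    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    if not xss.startswith("1"):
        findings.append("x-xss-protection: missing or disabled")

    # Content-Security-Policy: accept the standard name or the legacy
    # X-Content-Security-Policy name the scanner in the post reported on.
    csp = h.get("content-security-policy") or h.get("x-content-security-policy", "")
    if not csp:
        findings.append("content-security-policy: header not returned")
    else:
        directives = {d.strip().split(" ")[0]: d.strip() for d in csp.split(";") if d.strip()}
        script_src = directives.get("script-src", directives.get("default-src", ""))
        if not script_src or "'unsafe-inline'" in script_src:
            findings.append("content-security-policy: script-src absent or allows 'unsafe-inline'")
    return findings


# Constructed sample: a login page returning almost none of the headers,
# resembling what the thread's scanner reported.
WEAK_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "private, max-age=0",
    "Set-Cookie": "SESSIONID=abc123; Path=/",
}

# Constructed sample: the same page after hardening.
HARDENED_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Set-Cookie": "SESSIONID=abc123; Path=/; Secure; HttpOnly",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE_HEADERS), ("hardened", HARDENED_RESPONSE_HEADERS)):
        print(label, audit_security_headers(hdrs) or "all checks passed")
```

To run it against a live site, feed it the `dict(response.headers)` of whatever HTTP client you use; the checks are deliberately strict (for instance `no-store` is required, not merely `no-cache`), because the page in question is a webmail login.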

Re: Why insecurity not found here? avast! let us go there without any alerts!
« Reply #1 on: December 29, 2013, 04:47:10 PM »
And when you visit there with a browser other than Firefox, you do not get any wiser here: http://www.webutations.net/go/review/webmail.tcs.com
Here we come to the same insecure conclusions: http://www.ssltools.com/certificate_lookup/webmail.tcs.com
Why are they comparing here: http://iloginto.com/tcs-webmail-login/
Can you trust this Mumbai webmail?

pol

P.S.
The Mumbai webmail we found insecure still has PFS - Perfect Forward Secrecy, while for instance http://mail.myaccess.ca/ does not have PFS configured  :o  Furthermore, that seems OK there: http://ssltools.com/certificate_lookup/mail.myaccess.ca  & https://sslcheck.globalsign.com/nl/sslcheck?host=mail.myaccess.ca#65.87.230.25

But PFS is a property of an SSL connection which ensures that previously recorded encrypted traffic cannot be easily decrypted if the SSL private key later becomes available - for example, as a result of a court order, social engineering, an attack against the website or cryptanalysis. So why does that Canadian webmail not have that?

Damian
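Added example, not code from the original post or from ssltools/GlobalSign: how a checker decides, from the cipher suite names a server offers, whether the key exchange gives forward secrecy (the PFS point of the reply above) and whether a suite is CBC under TLS 1.0, which is what the BEAST finding in the first post means. The suite lists at the bottom are constructed; they are not what either webmail host actually offered. The `negotiated_suite` helper does a real handshake and is not used by the offline demonstration.

```python
"""Classify TLS cipher suites for forward secrecy and BEAST exposure.
Added example; the suite lists below are constructed, not real scan results.
"""
import socket
import ssl
from typing import Dict, List, Optional


def _normalize(suite: str) -> str:
    """Map IANA names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) onto the
    OpenSSL style (ECDHE-RSA-AES128-GCM-SHA256) closely enough to classify."""
    name = suite.upper().replace("_", "-")
    if name.startswith("TLS-") and not name.startswith(("TLS-AES-", "TLS-CHACHA20-")):
        name = name[len("TLS-"):]
    return name


def has_forward_secrecy(suite: str) -> bool:
    """True when the key exchange is authenticated ephemeral (EC)DH.

    With a plain RSA key exchange the premaster secret is encrypted to the
    server's long-term key, so whoever obtains that key later (court order,
    compromise, cryptanalysis) can decrypt every recorded session. With
    (EC)DHE each session gets a fresh, discarded DH key and the long-term
    key only signs the exchange.
    """
    name = _normalize(suite)
    if name.startswith(("TLS-AES-", "TLS-CHACHA20-")):
        return True  # TLS 1.3 suites always use an ephemeral exchange
    # Static "ECDH-"/"DH-", anonymous "ADH-"/"AECDH-" and export suites
    # deliberately fall through to False.
    return name.startswith(("ECDHE-", "DHE-", "EDH-"))


def is_beast_exposed(suite: str, protocol: str) -> bool:
    """True for a CBC-mode suite that can be negotiated under SSLv3/TLS 1.0.

    BEAST relies on TLS 1.0 chaining the IV from the previous record; TLS 1.1
    and later use an explicit per-record IV, and AEAD suites (GCM, CCM,
    CHACHA20-POLY1305) have no CBC mode at all. RC4 is a stream cipher, so
    it is not BEAST-exposed (it has its own, separate, biases).
    """
    if protocol not in ("SSLv3", "TLSv1", "TLSv1.0"):
        return False
    name = _normalize(suite)
    if any(tok in name for tok in ("GCM", "CCM", "CHACHA20", "RC4", "NULL")):
        return False
    return any(tok in name for tok in ("CBC", "AES", "DES", "CAMELLIA", "SEED", "IDEA"))


def audit_suites(offered: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group the suites a server offers into the findings a checker reports."""
    report: Dict[str, List[str]] = {"pfs": [], "no_pfs": [], "beast_cbc_tls10": [], "rc4": []}
    for entry in offered:
        name, proto = entry["name"], entry["protocol"]
        report["pfs" if has_forward_secrecy(name) else "no_pfs"].append(name)
        if is_beast_exposed(name, proto):
            report["beast_cbc_tls10"].append(f"{name} ({proto})")
        if "RC4" in name.upper():
            report["rc4"].append(name)
    return report


def negotiated_suite(host: str, port: int = 443, timeout: float = 5.0) -> Optional[Dict[str, str]]:
    """Handshake with a live host and return the suite it picks for a modern
    client (None on failure). The default context verifies the certificate,
    so a host with a broken chain, as the post describes, fails here too."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, proto, _bits = tls.cipher()
                return {"name": name, "protocol": proto}
    except OSError:  # ssl.SSLError is a subclass of OSError
        return None


# Constructed: a server that still offers PFS but also CBC under TLS 1.0 and RC4.
SAMPLE_PFS_BUT_WEAK = [
    {"name": "ECDHE-RSA-AES128-SHA", "protocol": "TLSv1"},
    {"name": "AES256-SHA", "protocol": "TLSv1"},
    {"name": "RC4-SHA", "protocol": "TLSv1"},
]

# Constructed: TLS 1.2 with modern ciphers, yet no PFS because every key
# exchange is plain RSA.
SAMPLE_NO_PFS = [
    {"name": "AES128-SHA256", "protocol": "TLSv1.2"},
    {"name": "AES256-GCM-SHA384", "protocol": "TLSv1.2"},
]

if __name__ == "__main__":
    for label, suites in (("pfs-but-weak", SAMPLE_PFS_BUT_WEAK), ("no-pfs", SAMPLE_NO_PFS)):
        print(label, audit_suites(suites))
```

The second constructed list is the situation the reply describes for mail.myaccess.ca: a checker can report everything else as fine while PFS is absent, because forward secrecy is a property of the key exchange, not of the protocol version or the symmetric cipher.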

Re: Why insecurity not found here? avast! let us go there without any alerts!
« Reply #2 on: December 29, 2013, 05:28:18 PM »
Why the checks could be an insecurity as such and could be hijacked by attackers can be read here: http://www.computerworld.com/s/article/9224078/Google_Chrome_will_no_longer_check_for_revoked_SSL_certificates_online
It is also why Google Chrome decided to discontinue these OCSP checks in their browser.

"On the other end the user's privacy may be at stake" (remark by me, pol)

polonus
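Added example, not code from the original post: a check for the server-side alternative to the online OCSP lookup discussed above. With OCSP stapling the server fetches the CA's signed revocation status itself and hands it to the client during the handshake, so the browser never contacts the CA (which removes both the privacy leak and the blockable lookup), and the first post noted stapling as not configured. The code drives the real `openssl s_client -status` command; the transcripts embedded below are constructed stand-ins for its output so the parser runs offline, and the `webmail.example` host name in them is made up.

```python
"""Detect OCSP stapling in `openssl s_client -status` output.
Added example; the transcripts below are constructed, not real captures.
"""
import re
import subprocess
from typing import Dict


def parse_stapled_ocsp(s_client_output: str) -> Dict[str, object]:
    """Pull the stapled-OCSP facts out of an `openssl s_client -status` transcript.

    OpenSSL prints "OCSP response: no response sent" when the server staples
    nothing, and otherwise an "OCSP Response Data:" block containing
    "OCSP Response Status: successful (0x0)" and "Cert Status: good|revoked".
    """
    result: Dict[str, object] = {"stapled": False, "response_status": None, "cert_status": None}
    if re.search(r"^OCSP response: no response sent", s_client_output, re.M):
        return result  # server sent no status; the client must phone the CA or guess
    m = re.search(r"OCSP Response Status:\s*(\w+)", s_client_output)
    if m is None:
        return result  # no OCSP block in the transcript at all
    result["stapled"] = True
    result["response_status"] = m.group(1)
    m = re.search(r"Cert Status:\s*(\w+)", s_client_output)
    if m is not None:
        result["cert_status"] = m.group(1)
    return result


def revocation_verdict(parsed: Dict[str, object]) -> str:
    """'good' / 'revoked' from a stapled response, else 'unknown'.

    'unknown' is exactly the state an online lookup soft-fails on: an attacker
    who blocks the CA's responder makes a revoked certificate look no
    different from a healthy one, which is the hijack risk the article covers.
    """
    if not parsed["stapled"] or parsed["response_status"] != "successful":
        return "unknown"
    return str(parsed["cert_status"] or "unknown")


def check_stapling(host: str, port: int = 443, timeout: float = 10.0) -> Dict[str, object]:
    """Run openssl against a live host (needs the openssl binary; not used offline)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-status"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_stapled_ocsp(proc.stdout.decode("utf-8", "replace"))


# Constructed transcript of a server that staples a 'good' response.
STAPLED_GOOD = """CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Dec 28 12:00:00 2013 GMT
    Next Update: Jan  4 12:00:00 2014 GMT
======================================
"""

# Constructed transcript of a server that staples a 'revoked' response.
STAPLED_REVOKED = STAPLED_GOOD.replace("Cert Status: good", "Cert Status: revoked")

# Constructed transcript of a server without stapling (the thread's case).
NOT_STAPLED = """CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = webmail.example
"""

if __name__ == "__main__":
    for label, text in (("stapled-good", STAPLED_GOOD),
                        ("stapled-revoked", STAPLED_REVOKED),
                        ("not-stapled", NOT_STAPLED)):
        print(label, revocation_verdict(parse_stapled_ocsp(text)))
```

`check_stapling("webmail.example")` (a placeholder host, substitute your own) gives the live answer; a server that staples still needs to refresh the response before its "Next Update" passes, or clients will again be left with "unknown".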