Hardenize Report: admin.ch

Web Security Overview

HTTPS

Web sites need to use encryption to help their visitors know they're in the right place, as well as provide confidentiality and content integrity. Sites that don't support HTTPS may expose sensitive data and have their pages modified and subverted.
There are issues with this site's HTTPS configuration.

For all sites VERY IMPORTANT medium EFFORT

HTTPS Redirection

To deploy HTTPS properly, web sites must redirect all unsafe (plaintext) traffic to the encrypted variant. This approach ensures that no sensitive data is exposed and that further security technologies can be activated.

For all sites VERY IMPORTANT low EFFORT

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is an HTTPS extension that instructs browsers to remember sites that use encryption and enforce strict security requirements. Without HSTS, active network attacks are easy to carry out.
There are issues with this site's HSTS configuration.

For important sites VERY IMPORTANT medium EFFORT

HSTS Preloaded

HSTS Preloading is informing browsers in advance about a site's use of HSTS, which means that strict security can be enforced even on the first visit. This approach provides best HTTPS security available today.

For important sites VERY IMPORTANT medium EFFORT

Content Security Policy

Content Security Policy (CSP) is an additional security layer that enables web sites to control browser behavior, creating a safety net that can counter attacks such as cross-site scripting.

For important sites IMPORTANT high EFFORT

Email Security Overview

STARTTLS

All hosts that receive email need encryption to ensure confidentiality of email messages. Email servers thus need to support STARTTLS, as well as provide decent TLS configuration and correct certificates.
There are issues with this site's SMTP configuration.

For all sites VERY IMPORTANT low EFFORT

SPF

Sender Policy Framework (SPF) enables organizations to designate servers that are allowed to send email messages on their behalf. With SPF in place, spam is easier to identify.

For important sites IMPORTANT low EFFORT

DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism that allows organizations to specify how unauthenticated email (identified using SPF and DKIM) should be handled.

For important sites IMPORTANT low EFFORT

DNS Zone

The global DNS infrastructure is organized as a series of hierarchical DNS zones. The root zone hosts a number of global and country TLDs, which in turn host further zones that are delegated to their customers. Each organization that controls a zone can delegate parts of its namespace to other zones. In this test we perform detailed inspection of a DNS zone, but only if the host being tested matches the zone.

Test passed

Everything seems to be well configured. Well done.

Nameserver Names

Nameservers can be referred to by name and by address. In this section we show the names, which can appear in the NS records, the referrals from the parent zone, and the SOA record. In some situations, servers from the parent zone respond authoritatively, in which case we will include them in the list as well.

Nameserver	Operational	IPv4	IPv6	Sources
ins1.admin.ch. PRIMARY 162.23.37.16				REFERRAL NS SOA
ins2.admin.ch. 162.23.37.160				REFERRAL NS
ins3.admin.ch. 212.103.72.85 2a00:c38:2:28:0:ffff:d467:4855				REFERRAL NS

Nameserver Addresses

This section shows the configuration of all discovered nameservers by their IP address. To find all applicable nameservers, we inspect the parent zone nameservers for names and glue and then the tested zone nameservers for NS records. We then resolve all discovered names to IP addresses. Finally, we test each address individually.

Nameserver	Sources	Payload Size
162.23.37.16 PRIMARY ins1.admin.ch. PTR: ins1.admin.ch.	NAME, GLUE	1232
162.23.37.160 ins2.admin.ch. PTR: ins2.admin.ch.	NAME, GLUE	1232
212.103.72.85 ins3.admin.ch. PTR: ins3.admin.ch.	NAME, GLUE	1232
2a00:c38:2:28:0:ffff:d467:4855 ins3.admin.ch.	NAME, GLUE	1232

Start of Authority (SOA) Record

Start of Authority (SOA) records contain administrative information pertaining to one DNS zone, especially the configuration that's used for zone transfers between the primary nameserver and the secondaries. Only one SOA record should exist, with all nameservers providing the same information.

The domain name of the primary nameserver for the zone. Also known as MNAME.Primary nameserver	ins1.admin.ch.
Email address of the persons responsible for this zone. Also known as RNAME.Admin email	dnsmaster.admin.ch.
Zone serial or version number.Serial number	18760270
The length of time secondary nameservers should wait before querying the primary for changes.Refresh interval	10,800 seconds (about 3 hours)
The length of time secondary nameservers should wait before querying an unresponsive primary again.Retry interval	600 seconds (about 10 minutes)
The length of time after which secondary nameservers should stop responding to queries for a zone, assuming no updates were obtained from the primary.Expire interval	604,800 seconds (about 7 days)
TTL for purposes of negative response caching. Negative cache TTL	600 seconds (about 10 minutes)
Time To Live (TTL) indicates for how long a record remains valid. SOA record TTL	3,600 seconds (about 1 hour)

Analysis

Nameserver addresses should have reverse names

According to RFC 1912, having reverse DNS configuration in place for every nameserver is a best practice that maximizes the chances of correct DNS operation. Further, some anti-spam techniques use reverse name resolution to allow traffic.

Nameserver A and AAAA records should have matching reverse records

According to RFC 1912, nameserver's PTR records must match their A and AAAA records to ensure maximum interoperability.

Improve IPv6 support

The Internet is in a slow transition to supporting IPv6 widely. Although at this time it is expected that most recursive DNS servers will use IPv4, adding support for IPv6 will enable transition to networks that use IPv6 exclusively.

No problems detected with the zone configuration

Excellent. This DNS zone is in a good working order. No problems detected.

Backing DNS Queries

Below are all DNS queries we submitted during the zone inspection.

	ID	Server	Transport	Question Name	Type	Status

DNS Records

Correctly functioning name servers are necessary to hold and distribute information that's necessary for your domain name to operate correctly. Examples include converting names to IP addresses, determining where email should go, and so on. More recently, the DNS is being used to communicate email and other security policies.

Test passed

Everything seems to be well configured. Well done.

DNS Records

These are the results of individual DNS queries against your nameserver for common resource record types.

Name	TTL	Type	Data
admin.ch.	3600	A	162.23.130.190
www.admin.ch.	600	CNAME	d23vgpvjcg53nf.cloudfront.net.
d23vgpvjcg53nf.cloudfront.net.	60	A	108.139.47.26
d23vgpvjcg53nf.cloudfront.net.	60	A	108.139.47.96
d23vgpvjcg53nf.cloudfront.net.	60	A	108.139.47.104
d23vgpvjcg53nf.cloudfront.net.	60	A	108.139.47.49
admin.ch.	3600	CAA	0 issue "letsencrypt.org"
admin.ch.	3600	CAA	0 issue "quovadisglobal.com"
admin.ch.	3600	CAA	0 issue "awstrust.com"
admin.ch.	3600	CAA	0 issue "swisssign.com"
admin.ch.	3600	CAA	0 issue "comodoca.com"
admin.ch.	3600	CAA	0 iodef "mailto:hostmaster@admin.ch"
admin.ch.	3600	CAA	0 issue "digicert.com"
admin.ch.	86400	DNSKEY	256 3 8 AwEAAcs09VfJ857ULdVL891j/w60hZ6/eLQwqmj8T66UZ4b7E7FY2gBFrQCZ8QlVfw6LohnXqAAMdy8wg0zlmVQRbCY+NLx2+GIU2kxFAFQdzP1Yfz3xXxKttFrzF5eKADxjllcJpc0MxbpvvVG7Sb7S1alxHJ4HZPFn/l1cEpS+H2DZ
admin.ch.	86400	DNSKEY	256 3 8 AwEAAcnd3vIDSJ8+2D2Jz1nSB4vrhy5CDOmC1SH30WnTS8UHo1bwJbmYWzAG2/iICIE4hNkIILqNS8g+tM0i4mnsd8xX0jQuk/AKHXrGPlSrvbvnINW5sBP+xTPMmv5ipbP7CeCua/VxCULlpE/lxeUuBzFAwCGztLMxQLkp657I5DZp
admin.ch.	86400	DNSKEY	257 3 8 AwEAAbEOw2+A7RvHADE6ZpOWSi4EsCHDo060PRWTDHr4V1y/QfNpEcquVAczvoAt9lq6b3Og+7ufEfcZZHKKyu+PjjzwnuHw2rhwZNyQqpmexlTeZf5F0V91gACuF0Rlw9Fd+MjbBuYOoIfitpmIihAy2PzC6SMMq5fvNsa7yKNbJamnO8l9ykuZSJADEB4D1tTcI3c8Dh+yE1vNqtkxdiezKa1QN+MYOMH0buZh9q4QUPdPD0T22eYI85Q+CYnkgC7Q1xU3ET++n80auEzzeKMZL93jMtKH1IsJ+PDyis47c6cPT+ABx9ViQYW4ydq+6sBg8eM0ZfVnYZ0OCEvJFwEB/bk=
admin.ch.	600	MX	10 mx01.mail.admin.ch.
admin.ch.	600	MX	10 mx03.mail.admin.ch.
admin.ch.	600	MX	10 mx02.mail.admin.ch.
admin.ch.	600	MX	10 mx04.mail.admin.ch.
admin.ch.	600	MX	10 mailgate1.admin.ch.
admin.ch.	600	MX	10 mailgate2.admin.ch.
admin.ch.	3600	NS	ins3.admin.ch.
admin.ch.	3600	NS	ins1.admin.ch.
admin.ch.	3600	NS	ins2.admin.ch.
admin.ch.	3600	SOA	ins1.admin.ch. dnsmaster.admin.ch. 18760270 10800 600 604800 600
_sipfederationtls._tcp.admin.ch.	3600	SRV	0 0 5061 sip.admin.ch.
admin.ch.	3600	TXT	"cisco-ci-domain verification=27ef6be0682bd1449e9a754a29ee4531b654161aa2067287c0c83384fcbe752c"
admin.ch.	3600	TXT	"whjcx2jzjm1p4pgd84r95dvrg9s5kb55"
admin.ch.	3600	TXT	"v=spf1 redirect=_spfgroupa.admin.ch"
admin.ch.	3600	TXT	"QuoVadis=3b7b5d30-e0c0-4ab9-8674-bce06b285d49"
admin.ch.	3600	TXT	"km9qf5y51gmfl206clwfh7hn3phn7xhj"
admin.ch.	3600	TXT	"z3dwnqhmrr53fvbbnzfhp4hznl21vn0h"
admin.ch.	3600	TXT	"x6g9w8c6y57j55gskv6gdhb7pscv2996"
admin.ch.	3600	TXT	"9nrtt0bjs8rf6839ss271187v0b43wm4"
admin.ch.	3600	TXT	"MS=ms59193443"
admin.ch.	3600	TXT	"hgpmnjxq036b7lp8ntwk4t0rycnj769y"
admin.ch.	3600	TXT	"pbrfjk5hy2cs0bt9wp269h83nsz7vmpb"
admin.ch.	3600	TXT	"kzyjf4kzg5z7p1lk9by6r60qsv7mgjww"
admin.ch.	3600	TXT	"f8dbbsq5m9qt2j050z5lrs4x1sv4cs1l"
admin.ch.	3600	TXT	"swisssign-check=jo9AFIVVFC9qX0D69cCHlG7eHtdWG23jJzr3xPrMiU"
admin.ch.	3600	TXT	"QuoVadis=4c9a8d3e-bca6-4f1a-b6c9-7e1708ff44d6"
_dmarc.admin.ch.	3600	TXT	"v=DMARC1; p=quarantine; rua=mailto:dmarc.rua@admin.ch"

Backing DNS Queries

Below are all DNS queries we submitted while inspecting the resource records.

	ID	Server	Question Name	Type	Status

DNSSEC

DNSSEC is an extension of the DNS protocol that provides cryptographic assurance of the authenticity and integrity of responses; it's intended as a defense against network attackers who are able to manipulate DNS to redirect their victims to servers of their choice. DNSSEC is controversial, with the industry split largely between those who think it's essential and those who believe that it's problematic and unnecessary.

Test passed

Everything seems to be well configured. Well done.

Analysis

DNSSEC is well configured

Good. This domain name has well-configured DNSSEC.

Useful DNSSEC Tools

Certification Authority Authorization

CAA (RFC 8659) is a new standard that allows domain name owners to restrict which CAs are allowed to issue certificates for their domains. This can help to reduce the chance of misissuance, either accidentally or maliciously. In September 2017, CAA became mandatory for CAs to implement.

Test passed

Everything seems to be well configured. Well done.

CAA Policy Information

The DNS hostname where this policy is located.Policy host	admin.ch
The issue property tag is used to request that certificate issuers perform CAA issue restriction processing for the domain and to grant authorization to specific certificate issuers.issue	digicert.com flags: 0
The iodef property specifies a means of reporting certificate issue requests or cases of certificate issue for the corresponding domain that violate the security policy of the issuer or the domain name holder.iodef	mailto:hostmaster@admin.ch flags: 0
The issue property tag is used to request that certificate issuers perform CAA issue restriction processing for the domain and to grant authorization to specific certificate issuers.issue	letsencrypt.org flags: 0
The issue property tag is used to request that certificate issuers perform CAA issue restriction processing for the domain and to grant authorization to specific certificate issuers.issue	quovadisglobal.com flags: 0
The issue property tag is used to request that certificate issuers perform CAA issue restriction processing for the domain and to grant authorization to specific certificate issuers.issue	swisssign.com flags: 0
The issue property tag is used to request that certificate issuers perform CAA issue restriction processing for the domain and to grant authorization to specific certificate issuers.issue	awstrust.com flags: 0
The issue property tag is used to request that certificate issuers perform CAA issue restriction processing for the domain and to grant authorization to specific certificate issuers.issue	comodoca.com flags: 0

Analysis

CAA policy found

Good. This domain name uses CAA to restrict which CAs are allowed to issue certificates for it.

Policy uses reporting

Great. This policy uses reporting, which means that your contact information is available should someone need to contact you about a CAA violation. Do note that you're not guaranteed to be notified, given that CAs generally don't support notifications yet.

Email (SMTP)

An internet hostname can be served by zero or more mail servers, as specified by MX (mail exchange) DNS resource records. Each server can further resolve to multiple IP addresses, for example to handle IPv4 and IPv6 clients. Thus, in practice, hosts that wish to receive email reliably are supported by many endpoint.

Test passed, but there are warnings

Some aspect of your site's configuration require your attention.

Some TLS and PKI information shown may have been retrieved from cache. The notes provide more information.

Server	Preference	Operational	STARTTLS	TLS	PKI	DNSSEC	DANE
mx04.mail.admin.ch 162.23.23.170 PTR: mx04.mail.admin.ch	10
mailgate1.admin.ch 162.23.32.31 PTR: mailgate1.admin.ch	10
mx03.mail.admin.ch 162.23.22.170 PTR: mx03.mail.admin.ch	10
mailgate2.admin.ch 162.23.32.32 PTR: mailgate2.admin.ch	10
mx02.mail.admin.ch 162.23.23.160 PTR: mx02.mail.admin.ch	10
mx01.mail.admin.ch 162.23.22.160 PTR: mx01.mail.admin.ch	10

Analysis

Some SMTP server assessments have been retrieved from cache

Some SMTP server assessment results have been retrieved from our cache. Because many hosts point to the same SMTP servers, we use a short-term cache to avoid testing the same SMTP servers over and over again.

Latest cache timestamp: 19 Apr 2024 04:28 UTC

Earliest cache timestamp: 19 Apr 2024 02:48 UTC

Some SMTP server assessments contain partial information

Comprehensive TLS assessments require many connections, which is exactly what many SMTP servers don't like. We implement a two-tier assessment approach. To give you some results as fast as possible, we perform shallow assessments that use only one connection per SMTP server. We then have a background process that performs complete assessments slowly, trying to accommodate each server individually. The results presented here contain partial information. If you come back later we may be able to provide complete assessment resuls.

Email TLS (SMTP)

Transport Layer Security (TLS) is the most widely used encryption protocol on the Internet. In combination with valid certificates, servers can establish trusted communication channels even with users who have never visited them before. Network attackers can't uncover what is being communicated, even when they can see all the traffic.

Test passed, but there are warnings

Some aspect of your site's configuration require your attention.

Some TLS and PKI information shown may have been retrieved from cache. The notes provide more information.

TLS Configuration: mx04.mail.admin.ch (162.23.23.170) Cached

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.2
Shows cipher suite configuration for this protocol version.TLS v1.2	Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC secp256r1 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits)
These results have been retrieved from our cache. This row indicates when was that the original test ran.Retrieved from cache	19 Apr 2024 04:28 UTC

Analysis

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Partial results shown

SMTP assessments usually take a long time. To get you some results faster, we initially perform shallow checks. If you come back later we may be able to show you complete results.

Relaxed TLS assessment criteria applied to SMTP on port 25

We apply relaxed assessment criteria when evaluating TLS configuration of SMTP servers on port 25. This is because most delivery agents fall back to delivering via plaintext on failure to negotiate encryption. Some configuration elements that can be abused to attack other ports and protocols (e.g., SSLv2 and export cipher suites) are penalized in the same way as for other protocols. We will review this policy in the future.

TLS Configuration: mailgate1.admin.ch (162.23.32.31) Cached

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.2
Shows cipher suite configuration for this protocol version.TLS v1.2	Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits
These results have been retrieved from our cache. This row indicates when was that the original test ran.Retrieved from cache	19 Apr 2024 02:48 UTC

Analysis

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Reconfigure server to use forward secrecy and authenticated encryption

Even though this server supports TLS 1.2, the cipher suite configuration is suboptimal. We recommend that you reconfigure the server so that the cipher suites providing forward secrecy (ECDHE or DHE in the name, in this order of preference) and authenticated encryption (GCM or CHACHA20 in the name) are at the top. The server must also be configured to select the best-available suite.

Partial results shown

SMTP assessments usually take a long time. To get you some results faster, we initially perform shallow checks. If you come back later we may be able to show you complete results.

Relaxed TLS assessment criteria applied to SMTP on port 25

We apply relaxed assessment criteria when evaluating TLS configuration of SMTP servers on port 25. This is because most delivery agents fall back to delivering via plaintext on failure to negotiate encryption. Some configuration elements that can be abused to attack other ports and protocols (e.g., SSLv2 and export cipher suites) are penalized in the same way as for other protocols. We will review this policy in the future.

TLS Configuration: mx03.mail.admin.ch (162.23.22.170) Cached

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.2
Shows cipher suite configuration for this protocol version.TLS v1.2	Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC secp256r1 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits)
These results have been retrieved from our cache. This row indicates when was that the original test ran.Retrieved from cache	19 Apr 2024 04:28 UTC

Analysis

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Partial results shown

SMTP assessments usually take a long time. To get you some results faster, we initially perform shallow checks. If you come back later we may be able to show you complete results.

Relaxed TLS assessment criteria applied to SMTP on port 25

We apply relaxed assessment criteria when evaluating TLS configuration of SMTP servers on port 25. This is because most delivery agents fall back to delivering via plaintext on failure to negotiate encryption. Some configuration elements that can be abused to attack other ports and protocols (e.g., SSLv2 and export cipher suites) are penalized in the same way as for other protocols. We will review this policy in the future.

TLS Configuration: mailgate2.admin.ch (162.23.32.32) Cached

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.2
Shows cipher suite configuration for this protocol version.TLS v1.2	Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits
These results have been retrieved from our cache. This row indicates when was that the original test ran.Retrieved from cache	19 Apr 2024 02:48 UTC

Analysis

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Reconfigure server to use forward secrecy and authenticated encryption

Even though this server supports TLS 1.2, the cipher suite configuration is suboptimal. We recommend that you reconfigure the server so that the cipher suites providing forward secrecy (ECDHE or DHE in the name, in this order of preference) and authenticated encryption (GCM or CHACHA20 in the name) are at the top. The server must also be configured to select the best-available suite.

Partial results shown

SMTP assessments usually take a long time. To get you some results faster, we initially perform shallow checks. If you come back later we may be able to show you complete results.

Relaxed TLS assessment criteria applied to SMTP on port 25

We apply relaxed assessment criteria when evaluating TLS configuration of SMTP servers on port 25. This is because most delivery agents fall back to delivering via plaintext on failure to negotiate encryption. Some configuration elements that can be abused to attack other ports and protocols (e.g., SSLv2 and export cipher suites) are penalized in the same way as for other protocols. We will review this policy in the future.

TLS Configuration: mx02.mail.admin.ch (162.23.23.160) Cached

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.2
Shows cipher suite configuration for this protocol version.TLS v1.2	Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC secp256r1 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits)
These results have been retrieved from our cache. This row indicates when was that the original test ran.Retrieved from cache	19 Apr 2024 04:28 UTC

Analysis

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Partial results shown

SMTP assessments usually take a long time. To get you some results faster, we initially perform shallow checks. If you come back later we may be able to show you complete results.

Relaxed TLS assessment criteria applied to SMTP on port 25

We apply relaxed assessment criteria when evaluating TLS configuration of SMTP servers on port 25. This is because most delivery agents fall back to delivering via plaintext on failure to negotiate encryption. Some configuration elements that can be abused to attack other ports and protocols (e.g., SSLv2 and export cipher suites) are penalized in the same way as for other protocols. We will review this policy in the future.

TLS Configuration: mx01.mail.admin.ch (162.23.22.160) Cached

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.2
Shows cipher suite configuration for this protocol version.TLS v1.2	Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC secp256r1 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits)
These results have been retrieved from our cache. This row indicates when was that the original test ran.Retrieved from cache	19 Apr 2024 04:28 UTC

Analysis

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Partial results shown

SMTP assessments usually take a long time. To get you some results faster, we initially perform shallow checks. If you come back later we may be able to show you complete results.

Relaxed TLS assessment criteria applied to SMTP on port 25

We apply relaxed assessment criteria when evaluating TLS configuration of SMTP servers on port 25. This is because most delivery agents fall back to delivering via plaintext on failure to negotiate encryption. Some configuration elements that can be abused to attack other ports and protocols (e.g., SSLv2 and export cipher suites) are penalized in the same way as for other protocols. We will review this policy in the future.

Email Certificates (SMTP)

A certificate is a digital document that contains a public key, some information about the entity associated with it, and a digital signature from the certificate issuer. It’s a mechanism that enables us to exchange, store, and use public keys. Being able to reliably verify the identity of a remote server is crucial in order to achieve secure encrypted communication.

Test passed, but there are warnings

Some aspect of your site's configuration require your attention.

Some TLS and PKI information shown may have been retrieved from cache. The notes provide more information.

Certificate #1 Cached

Leaf certificate

mail.admin.ch
Issuer: QuoVadis
Not Before: 04 Mar 2024 13:47:27 UTC
Not After: 04 Mar 2025 13:42:00 UTC (expires in 10 months 12 days)
Key: RSA 2048 bits
Signature: SHA256withRSA
View details

Names	mail.admin.ch eopmailout01.mail.admin.ch eopmailout02.mail.admin.ch eopmailout03.mail.admin.ch eopmailout04.mail.admin.ch eopmailout11.mail.admin.ch eopmailout12.mail.admin.ch mailgate01.mail.admin.ch mailgate02.mail.admin.ch mailgate03.mail.admin.ch mailgate04.mail.admin.ch mailgate11.mail.admin.ch mailgate12.mail.admin.ch mx01.mail.admin.ch mx02.mail.admin.ch mx03.mail.admin.ch mx04.mail.admin.ch mx11.mail.admin.ch mx12.mail.admin.ch ktvmx01.mail.admin.ch ktvmx02.mail.admin.ch ktvmx03.mail.admin.ch ktvmx04.mail.admin.ch ktvmx11.mail.admin.ch ktvmx12.mail.admin.ch aspmx.mail.admin.ch aspmx01.mail.admin.ch aspmx02.mail.admin.ch aspmx03.mail.admin.ch aspmx04.mail.admin.ch aspmx11.mail.admin.ch aspmx12.mail.admin.ch mailout01.mail.admin.ch mailout02.mail.admin.ch mailout03.mail.admin.ch mailout04.mail.admin.ch mailout11.mail.admin.ch mailout12.mail.admin.ch aspmailout01.mail.admin.ch aspmailout02.mail.admin.ch aspmailout03.mail.admin.ch aspmailout04.mail.admin.ch aspmailout11.mail.admin.ch aspmailout12.mail.admin.ch smtp.mail.admin.ch smtp-a.mail.admin.ch ibe.mail.admin.ch ibe-a.mail.admin.ch
Subject DN	CN=mail.admin.ch, O=Bundesamt für Informatik und Telekommunikation BIT, L=Bern, ST=Bern, C=CH
Subject Key Identifier	37002e48cd461bbde3044b7edd05f5fb3038e0da
Serial	2e1a461538a1e2d7cf7c295f741ae5793671ec4
Not Before	04 Mar 2024 13:47:27 UTC
Not After	04 Mar 2025 13:42:00 UTC
Validity period	365 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	clientAuth, serverAuth
Must Staple	No
Issuer
Issuer DN	CN=QuoVadis Global SSL ICA G3, O=QuoVadis Limited, C=BM
Certification Authority	QuoVadis
Validation Type	Organization Validation (OV)
Authority Key Identifier	keyid:b31289b5a94b35bc1500f080e9d87887f1137c76
Parent Certificate	http://trust.quovadisglobal.com/qvsslg3.crt
CRL	http://crl.quovadisglobal.com/qvsslg3.crl
OCSP	http://ocsp.quovadisglobal.com
Certificate Transparency
Signed Certificate Timestamps	04 Mar 2024 13:57:28 UTC \| Cloudflare 'Nimbus2025' \| Qualified 04 Mar 2024 13:57:28 UTC \| Google 'Xenon2025h1' log \| Qualified 04 Mar 2024 13:57:28 UTC \| DigiCert Nessie2025 Log \| Qualified 04 Mar 2024 13:57:28 UTC \| Google 'Argon2025h1' log \| Qualified
Fingerprints
SHA1	7ff05b221f45d873d4c14b91b89ef726fe977b0f
SHA256	dc44fa7ad7ce23ec6fc0f47d071566a2e428515195d2e5d9abea2a5428765778
SPKI SHA256	e37e1614f801b64fd58bda2c8b516189f3cfe37a0185b200620c64b693ecc27f

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Chain

Leaf certificate

mail.admin.ch | dc44fa7
Not After: 04 Mar 2025 13:42:00 UTC (expires in 10 months 12 days)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Names	mail.admin.ch eopmailout01.mail.admin.ch eopmailout02.mail.admin.ch eopmailout03.mail.admin.ch eopmailout04.mail.admin.ch eopmailout11.mail.admin.ch eopmailout12.mail.admin.ch mailgate01.mail.admin.ch mailgate02.mail.admin.ch mailgate03.mail.admin.ch mailgate04.mail.admin.ch mailgate11.mail.admin.ch mailgate12.mail.admin.ch mx01.mail.admin.ch mx02.mail.admin.ch mx03.mail.admin.ch mx04.mail.admin.ch mx11.mail.admin.ch mx12.mail.admin.ch ktvmx01.mail.admin.ch ktvmx02.mail.admin.ch ktvmx03.mail.admin.ch ktvmx04.mail.admin.ch ktvmx11.mail.admin.ch ktvmx12.mail.admin.ch aspmx.mail.admin.ch aspmx01.mail.admin.ch aspmx02.mail.admin.ch aspmx03.mail.admin.ch aspmx04.mail.admin.ch aspmx11.mail.admin.ch aspmx12.mail.admin.ch mailout01.mail.admin.ch mailout02.mail.admin.ch mailout03.mail.admin.ch mailout04.mail.admin.ch mailout11.mail.admin.ch mailout12.mail.admin.ch aspmailout01.mail.admin.ch aspmailout02.mail.admin.ch aspmailout03.mail.admin.ch aspmailout04.mail.admin.ch aspmailout11.mail.admin.ch aspmailout12.mail.admin.ch smtp.mail.admin.ch smtp-a.mail.admin.ch ibe.mail.admin.ch ibe-a.mail.admin.ch
Subject DN	CN=mail.admin.ch, O=Bundesamt für Informatik und Telekommunikation BIT, L=Bern, ST=Bern, C=CH
Subject Key Identifier	37002e48cd461bbde3044b7edd05f5fb3038e0da
Serial	2e1a461538a1e2d7cf7c295f741ae5793671ec4
Not Before	04 Mar 2024 13:47:27 UTC
Not After	04 Mar 2025 13:42:00 UTC
Validity period	365 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	clientAuth, serverAuth
Must Staple	No
Issuer
Issuer DN	CN=QuoVadis Global SSL ICA G3, O=QuoVadis Limited, C=BM
Certification Authority	QuoVadis
Validation Type	Organization Validation (OV)
Authority Key Identifier	keyid:b31289b5a94b35bc1500f080e9d87887f1137c76
Parent Certificate	http://trust.quovadisglobal.com/qvsslg3.crt
CRL	http://crl.quovadisglobal.com/qvsslg3.crl
OCSP	http://ocsp.quovadisglobal.com
Certificate Transparency
Signed Certificate Timestamps	04 Mar 2024 13:57:28 UTC \| Cloudflare 'Nimbus2025' \| Qualified 04 Mar 2024 13:57:28 UTC \| Google 'Xenon2025h1' log \| Qualified 04 Mar 2024 13:57:28 UTC \| DigiCert Nessie2025 Log \| Qualified 04 Mar 2024 13:57:28 UTC \| Google 'Argon2025h1' log \| Qualified
Fingerprints
SHA1	7ff05b221f45d873d4c14b91b89ef726fe977b0f
SHA256	dc44fa7ad7ce23ec6fc0f47d071566a2e428515195d2e5d9abea2a5428765778
SPKI SHA256	e37e1614f801b64fd58bda2c8b516189f3cfe37a0185b200620c64b693ecc27f

Intermediate certificate

QuoVadis Global SSL ICA G3 | 161ee53
Not After: 02 Nov 2026 17:41:00 UTC (expires in 2 years 6 months)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Subject DN	CN=QuoVadis Global SSL ICA G3, O=QuoVadis Limited, C=BM
Subject Key Identifier	b31289b5a94b35bc1500f080e9d87887f1137c76
Serial	653247814f5fa66bb854daf053f329265d726538
Not Before	03 Nov 2021 17:41:01 UTC
Not After	02 Nov 2026 17:41:00 UTC
Validity period	1825 days
Key Usage	keyCertSign, cRLSign
Extended Key Usage	clientAuth, serverAuth
Issuer
Issuer DN	CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
Certification Authority	QuoVadis
Validation Type	Not Applicable
Authority Key Identifier	keyid:ede76f765abf60ec495bc6a577bb7216719bc43d
Parent Certificate	http://trust.quovadisglobal.com/qvrca2g3.crt
CRL	http://crl.quovadisglobal.com/qvrca2g3.crl
OCSP	http://ocsp.quovadisglobal.com
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	b2ec15c705c66e4d30c33a17f3df5bcc113fd963
SHA256	161ee5386329b28a27ff405736552a621d5a844a43811e3623e52eefa0ba840a
SPKI SHA256	28cde264f49c781fa1818b8d23e7128382d1813894c427868eb7d7450018e91b

Root certificate

QuoVadis Root CA 2 G3 | 8fe4fb0
Not After: 12 Jan 2042 18:59:32 UTC (expires in 17 years 8 months)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Subject DN	CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
Subject Key Identifier	ede76f765abf60ec495bc6a577bb7216719bc43d
Serial	445734245b81899b35f2ceb82b3b5ba726f07528
Not Before	12 Jan 2012 18:59:32 UTC
Not After	12 Jan 2042 18:59:32 UTC
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
Certification Authority	QuoVadis
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	093c61f38b8bdc7d55df7538020500e125f5c836
SHA256	8fe4fb0af93a4d0d67db0bebb23e37c71bf325dcbcdd240ea04daf58b47e1840
SPKI SHA256	4a49edbd2f8f8230bd5592b313573fe1c172a45fa98011cc1eddbb36ade3fce5

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

Certificate #2 Cached

Leaf certificate

mail.admin.ch
Issuer: QuoVadis
Not Before: 29 Feb 2024 07:36:40 UTC
Not After: 28 Feb 2025 07:31:00 UTC (expires in 10 months 8 days)
Key: RSA 2048 bits
Signature: SHA256withRSA
View details

Names	mail.admin.ch mail01.admin.ch mail02.admin.ch mail03.admin.ch mail04.admin.ch antivir.admin.ch mail41.admin.ch mail42.admin.ch mail46.admin.ch mail01.sszadmbit.sszad.admin.ch mail02.sszadmbit.sszad.admin.ch mail03.sszadmbit.sszad.admin.ch mail04.sszadmbit.sszad.admin.ch amavis01.sszadmbit.sszad.admin.ch amavis02.sszadmbit.sszad.admin.ch amavis03.sszadmbit.sszad.admin.ch amavis04.sszadmbit.sszad.admin.ch mailhost01.admin.ch mailhost02.admin.ch mailhost03.admin.ch mailhost04.admin.ch mailhub01.admin.ch mailhub02.admin.ch mailhub03.admin.ch mailhub04.admin.ch apphost01.admin.ch apphost02.admin.ch apphost03.admin.ch apphost04.admin.ch ktvhub01.admin.ch ktvhub02.admin.ch ktvhub03.admin.ch ktvhub04.admin.ch amavis01.admin.ch amavis02.admin.ch amavis03.admin.ch mailhost01-i.admin.ch mailhost02-i.admin.ch mailhub01-i.admin.ch mailhub02-i.admin.ch apphost01-i.admin.ch apphost02-i.admin.ch ktvhub01-i.admin.ch ktvhub02-i.admin.ch mgm51.admin.ch mgm52.admin.ch dmailhost.admin.ch mailhub.admin.ch mail01-i.sszadmbit.sszad.admin.ch mail02-i.sszadmbit.sszad.admin.ch mailgate.admin.ch mailgate2.admin.ch mail21.admin.ch mail22.admin.ch mail15.admin.ch mail16.admin.ch mailout.admin.ch mail11.admin.ch mail12.admin.ch mail13.admin.ch mail14.admin.ch news.admin.ch mail18.admin.ch mail19.admin.ch mail29.admin.ch mail30.admin.ch mail33.admin.ch mail34.admin.ch mail35.admin.ch mail36.admin.ch mail37.admin.ch mail38.admin.ch mail67.admin.ch mail68.admin.ch l021000109673b.sszadmbit.sszad.admin.ch l021000109340b.sszadmbit.sszad.admin.ch
Subject DN	CN=mail.admin.ch, O=Bundesamt für Informatik und Telekommunikation BIT, L=Bern, ST=Bern, C=CH
Subject Key Identifier	2ad1ee5b15c97f9987206120f4c47fc54408d834
Serial	920d91c8a090dbc36b1f91b28d66a37aba65d7
Not Before	29 Feb 2024 07:36:40 UTC
Not After	28 Feb 2025 07:31:00 UTC
Validity period	365 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	clientAuth, serverAuth
Must Staple	No
Issuer
Issuer DN	CN=QuoVadis Global SSL ICA G3, O=QuoVadis Limited, C=BM
Certification Authority	QuoVadis
Validation Type	Organization Validation (OV)
Authority Key Identifier	keyid:b31289b5a94b35bc1500f080e9d87887f1137c76
Parent Certificate	http://trust.quovadisglobal.com/qvsslg3.crt
CRL	http://crl.quovadisglobal.com/qvsslg3.crl
OCSP	http://ocsp.quovadisglobal.com
Certificate Transparency
Signed Certificate Timestamps	29 Feb 2024 07:46:21 UTC \| Cloudflare 'Nimbus2025' \| Qualified 29 Feb 2024 07:46:21 UTC \| Google 'Xenon2025h1' log \| Qualified 29 Feb 2024 07:46:22 UTC \| Let's Encrypt 'Oak2025h1' \| Qualified 29 Feb 2024 07:46:22 UTC \| DigiCert Nessie2025 Log \| Qualified
Fingerprints
SHA1	f61368eb19fec2cf89161777f00e2159a4e1306e
SHA256	333a5092b9130771666cab5ee6346a0956a4a8e565ac691db59343152a651ef9
SPKI SHA256	d2e07bdb7219a35f2d37055793582f80df499ece84b37b612494943f9cfbdb8a

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate doesn't match hostname

The provided certificate doesn't match the expected hostname. Default relaxed criteria for SMTP applies.

Expected hostname: mailgate1.admin.ch

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Chain

Leaf certificate

mail.admin.ch | 333a509
Not After: 28 Feb 2025 07:31:00 UTC (expires in 10 months 8 days)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Names	mail.admin.ch mail01.admin.ch mail02.admin.ch mail03.admin.ch mail04.admin.ch antivir.admin.ch mail41.admin.ch mail42.admin.ch mail46.admin.ch mail01.sszadmbit.sszad.admin.ch mail02.sszadmbit.sszad.admin.ch mail03.sszadmbit.sszad.admin.ch mail04.sszadmbit.sszad.admin.ch amavis01.sszadmbit.sszad.admin.ch amavis02.sszadmbit.sszad.admin.ch amavis03.sszadmbit.sszad.admin.ch amavis04.sszadmbit.sszad.admin.ch mailhost01.admin.ch mailhost02.admin.ch mailhost03.admin.ch mailhost04.admin.ch mailhub01.admin.ch mailhub02.admin.ch mailhub03.admin.ch mailhub04.admin.ch apphost01.admin.ch apphost02.admin.ch apphost03.admin.ch apphost04.admin.ch ktvhub01.admin.ch ktvhub02.admin.ch ktvhub03.admin.ch ktvhub04.admin.ch amavis01.admin.ch amavis02.admin.ch amavis03.admin.ch mailhost01-i.admin.ch mailhost02-i.admin.ch mailhub01-i.admin.ch mailhub02-i.admin.ch apphost01-i.admin.ch apphost02-i.admin.ch ktvhub01-i.admin.ch ktvhub02-i.admin.ch mgm51.admin.ch mgm52.admin.ch dmailhost.admin.ch mailhub.admin.ch mail01-i.sszadmbit.sszad.admin.ch mail02-i.sszadmbit.sszad.admin.ch mailgate.admin.ch mailgate2.admin.ch mail21.admin.ch mail22.admin.ch mail15.admin.ch mail16.admin.ch mailout.admin.ch mail11.admin.ch mail12.admin.ch mail13.admin.ch mail14.admin.ch news.admin.ch mail18.admin.ch mail19.admin.ch mail29.admin.ch mail30.admin.ch mail33.admin.ch mail34.admin.ch mail35.admin.ch mail36.admin.ch mail37.admin.ch mail38.admin.ch mail67.admin.ch mail68.admin.ch l021000109673b.sszadmbit.sszad.admin.ch l021000109340b.sszadmbit.sszad.admin.ch
Subject DN	CN=mail.admin.ch, O=Bundesamt für Informatik und Telekommunikation BIT, L=Bern, ST=Bern, C=CH
Subject Key Identifier	2ad1ee5b15c97f9987206120f4c47fc54408d834
Serial	920d91c8a090dbc36b1f91b28d66a37aba65d7
Not Before	29 Feb 2024 07:36:40 UTC
Not After	28 Feb 2025 07:31:00 UTC
Validity period	365 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	clientAuth, serverAuth
Must Staple	No
Issuer
Issuer DN	CN=QuoVadis Global SSL ICA G3, O=QuoVadis Limited, C=BM
Certification Authority	QuoVadis
Validation Type	Organization Validation (OV)
Authority Key Identifier	keyid:b31289b5a94b35bc1500f080e9d87887f1137c76
Parent Certificate	http://trust.quovadisglobal.com/qvsslg3.crt
CRL	http://crl.quovadisglobal.com/qvsslg3.crl
OCSP	http://ocsp.quovadisglobal.com
Certificate Transparency
Signed Certificate Timestamps	29 Feb 2024 07:46:21 UTC \| Cloudflare 'Nimbus2025' \| Qualified 29 Feb 2024 07:46:21 UTC \| Google 'Xenon2025h1' log \| Qualified 29 Feb 2024 07:46:22 UTC \| Let's Encrypt 'Oak2025h1' \| Qualified 29 Feb 2024 07:46:22 UTC \| DigiCert Nessie2025 Log \| Qualified
Fingerprints
SHA1	f61368eb19fec2cf89161777f00e2159a4e1306e
SHA256	333a5092b9130771666cab5ee6346a0956a4a8e565ac691db59343152a651ef9
SPKI SHA256	d2e07bdb7219a35f2d37055793582f80df499ece84b37b612494943f9cfbdb8a

Intermediate certificate

QuoVadis Global SSL ICA G3 | 161ee53
Not After: 02 Nov 2026 17:41:00 UTC (expires in 2 years 6 months)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Subject DN	CN=QuoVadis Global SSL ICA G3, O=QuoVadis Limited, C=BM
Subject Key Identifier	b31289b5a94b35bc1500f080e9d87887f1137c76
Serial	653247814f5fa66bb854daf053f329265d726538
Not Before	03 Nov 2021 17:41:01 UTC
Not After	02 Nov 2026 17:41:00 UTC
Validity period	1825 days
Key Usage	keyCertSign, cRLSign
Extended Key Usage	clientAuth, serverAuth
Issuer
Issuer DN	CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
Certification Authority	QuoVadis
Validation Type	Not Applicable
Authority Key Identifier	keyid:ede76f765abf60ec495bc6a577bb7216719bc43d
Parent Certificate	http://trust.quovadisglobal.com/qvrca2g3.crt
CRL	http://crl.quovadisglobal.com/qvrca2g3.crl
OCSP	http://ocsp.quovadisglobal.com
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	b2ec15c705c66e4d30c33a17f3df5bcc113fd963
SHA256	161ee5386329b28a27ff405736552a621d5a844a43811e3623e52eefa0ba840a
SPKI SHA256	28cde264f49c781fa1818b8d23e7128382d1813894c427868eb7d7450018e91b

Root certificate

QuoVadis Root CA 2 G3 | 8fe4fb0
Not After: 12 Jan 2042 18:59:32 UTC (expires in 17 years 8 months)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Subject DN	CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
Subject Key Identifier	ede76f765abf60ec495bc6a577bb7216719bc43d
Serial	445734245b81899b35f2ceb82b3b5ba726f07528
Not Before	12 Jan 2012 18:59:32 UTC
Not After	12 Jan 2042 18:59:32 UTC
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
Certification Authority	QuoVadis
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	093c61f38b8bdc7d55df7538020500e125f5c836
SHA256	8fe4fb0af93a4d0d67db0bebb23e37c71bf325dcbcdd240ea04daf58b47e1840
SPKI SHA256	4a49edbd2f8f8230bd5592b313573fe1c172a45fa98011cc1eddbb36ade3fce5

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

Email DANE (SMTP)

DNS-based Authentication of Named Entities (DANE) is a bridge between DNSSEC and TLS. In one possible scenario, DANE can be used for public key pinning, building on an existing publicly-trusted certificate. In another approach, it can be used to completely bypass the CA ecosystem and establish trust using DNSSEC alone.

Test passed

Everything seems to be well configured. Well done.

Some TLS and PKI information shown may have been retrieved from cache. The notes provide more information.

DANE: mx04.mail.admin.ch (162.23.23.170)

Specifies which certificate in the chain is being pinned and how validation should be performed.Certificate Usage	Domain-issued certificate / DANE-EE (3)
Determines if the association is made with a certificate or with a public key (via its SPKI structure).Selector	SPKI structure (1)
Determines how matching is done; directly or via a hash. Matching Type	SHA2-256 (1)
Contains the data necessary to perform the matching. Data	e37e1614f801b64fd58bda2c8b516189f3cfe37a0185b200620c64b693ecc27f Leaf certificate: RSA 2048 bits Subject: CN=mail.admin.ch, O=Bundesamt für Informatik und Telekommunikation BIT, L=Bern, ST=Bern, C=CH Issuer: CN=QuoVadis Global SSL ICA G3, O=QuoVadis Limited, C=BM mail.admin.ch (RSA 2048 bits)

Specifies which certificate in the chain is being pinned and how validation should be performed.Certificate Usage	Domain-issued certificate / DANE-EE (3)
Determines if the association is made with a certificate or with a public key (via its SPKI structure).Selector	SPKI structure (1)
Determines how matching is done; directly or via a hash. Matching Type	SHA2-256 (1)
Contains the data necessary to perform the matching. Data	45bceff4656d06c21c12308fdade2c5aa23c84f11f48a45fd5a1e1a787664203

Analysis

Valid DANE configuration

Excellent. Your DANE configuration matches the certificate chain(s) provided by the service. Your TLS configuration enjoys the additional benefit of DANE validation.

DANE: mx03.mail.admin.ch (162.23.22.170)

Specifies which certificate in the chain is being pinned and how validation should be performed.Certificate Usage	Domain-issued certificate / DANE-EE (3)
Determines if the association is made with a certificate or with a public key (via its SPKI structure).Selector	SPKI structure (1)
Determines how matching is done; directly or via a hash. Matching Type	SHA2-256 (1)
Contains the data necessary to perform the matching. Data	45bceff4656d06c21c12308fdade2c5aa23c84f11f48a45fd5a1e1a787664203

Specifies which certificate in the chain is being pinned and how validation should be performed.Certificate Usage	Domain-issued certificate / DANE-EE (3)
Determines if the association is made with a certificate or with a public key (via its SPKI structure).Selector	SPKI structure (1)
Determines how matching is done; directly or via a hash. Matching Type	SHA2-256 (1)
Contains the data necessary to perform the matching. Data	e37e1614f801b64fd58bda2c8b516189f3cfe37a0185b200620c64b693ecc27f Leaf certificate: RSA 2048 bits Subject: CN=mail.admin.ch, O=Bundesamt für Informatik und Telekommunikation BIT, L=Bern, ST=Bern, C=CH Issuer: CN=QuoVadis Global SSL ICA G3, O=QuoVadis Limited, C=BM mail.admin.ch (RSA 2048 bits)

Analysis

Valid DANE configuration

Excellent. Your DANE configuration matches the certificate chain(s) provided by the service. Your TLS configuration enjoys the additional benefit of DANE validation.

DANE: mx02.mail.admin.ch (162.23.23.160)

Specifies which certificate in the chain is being pinned and how validation should be performed.Certificate Usage	Domain-issued certificate / DANE-EE (3)
Determines if the association is made with a certificate or with a public key (via its SPKI structure).Selector	SPKI structure (1)
Determines how matching is done; directly or via a hash. Matching Type	SHA2-256 (1)
Contains the data necessary to perform the matching. Data	45bceff4656d06c21c12308fdade2c5aa23c84f11f48a45fd5a1e1a787664203

Specifies which certificate in the chain is being pinned and how validation should be performed.Certificate Usage	Domain-issued certificate / DANE-EE (3)
Determines if the association is made with a certificate or with a public key (via its SPKI structure).Selector	SPKI structure (1)
Determines how matching is done; directly or via a hash. Matching Type	SHA2-256 (1)
Contains the data necessary to perform the matching. Data	e37e1614f801b64fd58bda2c8b516189f3cfe37a0185b200620c64b693ecc27f Leaf certificate: RSA 2048 bits Subject: CN=mail.admin.ch, O=Bundesamt für Informatik und Telekommunikation BIT, L=Bern, ST=Bern, C=CH Issuer: CN=QuoVadis Global SSL ICA G3, O=QuoVadis Limited, C=BM mail.admin.ch (RSA 2048 bits)

Analysis

Valid DANE configuration

Excellent. Your DANE configuration matches the certificate chain(s) provided by the service. Your TLS configuration enjoys the additional benefit of DANE validation.

DANE: mx01.mail.admin.ch (162.23.22.160)

Specifies which certificate in the chain is being pinned and how validation should be performed.Certificate Usage	Domain-issued certificate / DANE-EE (3)
Determines if the association is made with a certificate or with a public key (via its SPKI structure).Selector	SPKI structure (1)
Determines how matching is done; directly or via a hash. Matching Type	SHA2-256 (1)
Contains the data necessary to perform the matching. Data	e37e1614f801b64fd58bda2c8b516189f3cfe37a0185b200620c64b693ecc27f Leaf certificate: RSA 2048 bits Subject: CN=mail.admin.ch, O=Bundesamt für Informatik und Telekommunikation BIT, L=Bern, ST=Bern, C=CH Issuer: CN=QuoVadis Global SSL ICA G3, O=QuoVadis Limited, C=BM mail.admin.ch (RSA 2048 bits)

Specifies which certificate in the chain is being pinned and how validation should be performed.Certificate Usage	Domain-issued certificate / DANE-EE (3)
Determines if the association is made with a certificate or with a public key (via its SPKI structure).Selector	SPKI structure (1)
Determines how matching is done; directly or via a hash. Matching Type	SHA2-256 (1)
Contains the data necessary to perform the matching. Data	45bceff4656d06c21c12308fdade2c5aa23c84f11f48a45fd5a1e1a787664203

Analysis

Valid DANE configuration

Excellent. Your DANE configuration matches the certificate chain(s) provided by the service. Your TLS configuration enjoys the additional benefit of DANE validation.

SPF

Sender Policy Framework (SPF) is a protocol that allows domain name owners to control which internet hosts are allowed to send email on their behalf. This simple mechanism can be used to reduce the effect of email spoofing and cut down on spam.

Test passed

Everything seems to be well configured. Well done.

SPF Policy Information Main policy

Host where this policy is located.Location	admin.ch
SPF version used by this policy.v	spf1
This modifier is intended for consolidating both authorizations and policy into a common set to be shared within a single administrative domain. redirect	_spfgroupa.admin.ch

Analysis

SPF policy found

Policy text: v=spf1 redirect=_spfgroupa.admin.ch

Location: admin.ch

SPF policy is valid

Good. Your SPF policy is syntactically valid.

Policy DNS lookups under limit

Good. Your policy stays under the limit of up to 10 DNS queries. The SPF specification Section 4.6.4. requires implementations to limit the total number of DNS queries. Policies that exceed the limit should not be used and may not work in practice.

Lookups: 7

SPF Policy Information Included policy

Host where this policy is located.Location	_spfgroupa.admin.ch
SPF version used by this policy.v	spf1
Evaluates SPF policy specified in another DNS location. This directive is typically used to allow hosts controlled by another organization. include	_netblocks1.admin.ch
Evaluates SPF policy specified in another DNS location. This directive is typically used to allow hosts controlled by another organization. include	_netblocks2.admin.ch
Evaluates SPF policy specified in another DNS location. This directive is typically used to allow hosts controlled by another organization. include	_netblocks3.admin.ch
Evaluates SPF policy specified in another DNS location. This directive is typically used to allow hosts controlled by another organization. include	_netblocks4.admin.ch
Evaluates SPF policy specified in another DNS location. This directive is typically used to allow hosts controlled by another organization. include	spf2.privasphere.com
Evaluates SPF policy specified in another DNS location. This directive is typically used to allow hosts controlled by another organization. include	spf.weaver.ch
This policy element always matches. It's normally used at the end of a policy to specify the handling of hosts that don't match earlier mechanisms. -all

SPF Policy Information Included policy

Host where this policy is located.Location	_netblocks1.admin.ch
SPF version used by this policy.v	spf1
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.11
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.12
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.13
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.14
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.21
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.22
This policy element always matches. It's normally used at the end of a policy to specify the handling of hosts that don't match earlier mechanisms. ~all

SPF Policy Information Included policy

Host where this policy is located.Location	_netblocks2.admin.ch
SPF version used by this policy.v	spf1
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.37.176
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.37.177
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.97.167
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.97.166
This policy element always matches. It's normally used at the end of a policy to specify the handling of hosts that don't match earlier mechanisms. ~all

SPF Policy Information Included policy

Host where this policy is located.Location	_netblocks3.admin.ch
SPF version used by this policy.v	spf1
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.18
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.19
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.29
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.30
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.33
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.34
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.35
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.36
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.37
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.32.38
This policy element always matches. It's normally used at the end of a policy to specify the handling of hosts that don't match earlier mechanisms. ~all

SPF Policy Information Included policy

Host where this policy is located.Location	_netblocks4.admin.ch
SPF version used by this policy.v	spf1
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.22.160/27
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.23.0/24
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.23.16/28
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.146.16/28
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.147.160/27
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.140.0/26
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	162.23.214.16/28
This policy element always matches. It's normally used at the end of a policy to specify the handling of hosts that don't match earlier mechanisms. ~all

SPF Policy Information Included policy

Host where this policy is located.Location	spf2.privasphere.com
SPF version used by this policy.v	spf1
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.166.96.0/24
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.166.99.0/24
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	83.150.2.35
This policy element always matches. It's normally used at the end of a policy to specify the handling of hosts that don't match earlier mechanisms. -all

SPF Policy Information Included policy

Host where this policy is located.Location	spf.weaver.ch
SPF version used by this policy.v	spf1
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.63
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.64
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.65
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.107
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.108
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.109
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.132
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.136
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.242
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.243
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.244
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.245
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.246
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.247
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.248
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.249
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.250
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.253
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	185.90.37.251
This policy element always matches. It's normally used at the end of a policy to specify the handling of hosts that don't match earlier mechanisms. ~all

DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.

Test passed

Everything seems to be well configured. Well done.

DMARC Policy Information

The location from which we obtained this policy.Policy location	_dmarc.admin.ch
DMARC version used by this policy.v	DMARC1
Indicates the policy to be enacted by the receiver at the request of the domain owner. Possible values are: none, quarantine, and reject.p	quarantine
Addresses to which aggregate feedback is to be sent.rua	mailto:dmarc.rua@admin.ch

Analysis

DMARC policy found

Policy: v=DMARC1; p=quarantine; rua=mailto:dmarc.rua@admin.ch

Host: _dmarc.admin.ch

Policy is valid

Good. You have a valid DMARC policy.

MTA Strict Transport Security

SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections, and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

SMTP TLS Reporting

SMTP TLS Reporting (RFC 8460), or TLS-RPT for short, describes a reporting mechanism and format by which systems sending email can share statistics and specific information about potential failures with recipient domains. Recipient domains can then use this information to both detect potential attacks and diagnose unintentional misconfigurations. TLS-RPT can be used with DANE or MTA-STS.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

HTTP (80)

To observe your HTTP implementation, we submit a request to the homepage of your site on port 80, follow all redirections (even when they take us to other domain names), and record the returned HTTP headers.

Test passed

Everything seems to be well configured. Well done.

URL: http://admin.ch/

1

http://admin.ch/

HTTP/1.0 302 Moved Temporarily

Location	https://www.admin.ch/
Connection	Keep-Alive
Content-Length	0

2

https://www.admin.ch/

HTTP/1.1 302 Moved Temporarily

Content-Type	text/html;charset=utf-8
Content-Length	0
Connection	keep-alive
Date	Sat, 20 Apr 2024 05:25:42 GMT
Server	Apache
X-Frame-Options	SAMEORIGIN
X-Content-Type-Options	nosniff
X-XSS-Protection	1
Strict-Transport-Security	max-age=31536000; preload
X-Content-Type-Options	nosniff
Location	https://www.admin.ch/gov/de.html
X-UA-Compatible	IE=edge
Set-Cookie	BIT-PersistPP=704c4efa4402f249eeddf37fd6512366;max-age=86400;Path=/;Secure;HttpOnly
Set-Cookie	cookiesession1=678B797CE6F84BF6DBEB4D012B793E65;Expires=Sun, 20 Apr 2025 05:25:42 GMT;Path=/;HttpOnly
X-Cache	Miss from cloudfront
Via	1.1 c3fb7b0c0d3cbd002fed2c3d958d111e.cloudfront.net (CloudFront)
X-Amz-Cf-Pop	JFK50-P1
X-Amz-Cf-Id	7JCSzoFSPD0smIzdAX17ZJBVuBhYRY1qsTcP5H7NrXXsH7BVZifE3A==

3

https://www.admin.ch/gov/de.html

HTTP/1.1 302 Moved Temporarily

Content-Type	text/html;charset=utf-8
Content-Length	0
Connection	keep-alive
Date	Sat, 20 Apr 2024 05:25:42 GMT
Server	Apache
X-Frame-Options	SAMEORIGIN
X-Content-Type-Options	nosniff
X-XSS-Protection	1
Strict-Transport-Security	max-age=31536000; preload
X-Content-Type-Options	nosniff
Access-Control-Allow-Methods	GET, POST
X-UA-Compatible	IE=edge
Location	https://www.admin.ch/gov/de/start.html
Set-Cookie	BIT-PersistPP=2f4f035ed7a4caceeeddf37fd6512366;max-age=86400;Path=/;Secure;HttpOnly
Set-Cookie	cookiesession1=678B797C407946622B227B2390632368;Expires=Sun, 20 Apr 2025 05:25:42 GMT;Path=/;HttpOnly
X-Cache	Miss from cloudfront
Via	1.1 005b0f8dc37e46fc9bdc40ea2ce8a602.cloudfront.net (CloudFront)
X-Amz-Cf-Pop	JFK50-P1
X-Amz-Cf-Id	rw4HsEakkMRUsL9BFmaHaQ5422tcgYqRehFFu0-ZhgoZeurzknYGdw==

4

https://www.admin.ch/gov/de/start.html

HTTP/1.1 200 OK

Content-Type	text/html;charset=utf-8
Connection	keep-alive
Date	Sat, 20 Apr 2024 05:23:30 GMT
Server	Apache
X-Frame-Options	SAMEORIGIN
X-Content-Type-Options	nosniff
X-XSS-Protection	1
Strict-Transport-Security	max-age=31536000; preload
Expires	Thu, 01 Jan 1970 00:00:00 GMT
Accept-Ranges	bytes
Cache-Control	max-age=300
X-UA-Compatible	IE=edge
Set-Cookie	BIT-PersistPP=2f4f035ed7a4caceeeddf37f53512366;max-age=86400;Path=/;Secure;HttpOnly
Set-Cookie	cookiesession1=678B797C11364343B18F5B1176EA0605;Expires=Sun, 20 Apr 2025 05:23:31 GMT;Path=/;HttpOnly
Vary	Accept-Encoding
X-Cache	Hit from cloudfront
Via	1.1 1d2861d9b6c0fd303c8b7539b394c190.cloudfront.net (CloudFront)
X-Amz-Cf-Pop	JFK50-P1
X-Amz-Cf-Id	hkvLHIJ9VvbV8esn0DfT-BNWkkxVkvtpsvG9Qt-Ld8mbanro3fmUwQ==
Age	131

Analysis

HTTP redirects to HTTPS

Good. This plaintext HTTP server redirects to HTTPS.

URL: http://www.admin.ch/

1

http://www.admin.ch/

HTTP/1.1 301 Moved Permanently

Server	CloudFront
Date	Sat, 20 Apr 2024 05:25:42 GMT
Content-Type	text/html
Content-Length	167
Connection	keep-alive
Location	https://www.admin.ch/
X-Cache	Redirect from cloudfront
Via	1.1 aea539314dea6e591d10d79d61e42090.cloudfront.net (CloudFront)
X-Amz-Cf-Pop	JFK50-P1
X-Amz-Cf-Id	AAfQyNt3BEbAnc4lNVvRY3PO6_ck_Kb0PFq7LUTmnGVVYBzdek1F_A==

2

https://www.admin.ch/

HTTP/1.1 302 Moved Temporarily

Content-Type	text/html;charset=utf-8
Content-Length	0
Connection	keep-alive
Date	Sat, 20 Apr 2024 05:25:42 GMT
Server	Apache
X-Frame-Options	SAMEORIGIN
X-Content-Type-Options	nosniff
X-XSS-Protection	1
Strict-Transport-Security	max-age=31536000; preload
X-Content-Type-Options	nosniff
Location	https://www.admin.ch/gov/de.html
X-UA-Compatible	IE=edge
Set-Cookie	BIT-PersistPP=704c4efa4402f249eeddf37fd6512366;max-age=86400;Path=/;Secure;HttpOnly
Set-Cookie	cookiesession1=678B797CE6F84BF6DBEB4D012B793E65;Expires=Sun, 20 Apr 2025 05:25:42 GMT;Path=/;HttpOnly
X-Cache	Hit from cloudfront
Via	1.1 b5c1f99a1985819c0c422c9ce2cc03fc.cloudfront.net (CloudFront)
X-Amz-Cf-Pop	JFK50-P1
X-Amz-Cf-Id	t7xITc3LBDYIChSjLpJ0fHOUI8LG6xaLgcCLKUTyYCOt7w6xg4TxyA==

3

https://www.admin.ch/gov/de.html

HTTP/1.1 302 Moved Temporarily

Content-Type	text/html;charset=utf-8
Content-Length	0
Connection	keep-alive
Date	Sat, 20 Apr 2024 05:25:42 GMT
Server	Apache
X-Frame-Options	SAMEORIGIN
X-Content-Type-Options	nosniff
X-XSS-Protection	1
Strict-Transport-Security	max-age=31536000; preload
X-Content-Type-Options	nosniff
Access-Control-Allow-Methods	GET, POST
X-UA-Compatible	IE=edge
Location	https://www.admin.ch/gov/de/start.html
Set-Cookie	BIT-PersistPP=2f4f035ed7a4caceeeddf37fd6512366;max-age=86400;Path=/;Secure;HttpOnly
Set-Cookie	cookiesession1=678B797C407946622B227B2390632368;Expires=Sun, 20 Apr 2025 05:25:42 GMT;Path=/;HttpOnly
X-Cache	Hit from cloudfront
Via	1.1 008cd6752eb718142dfefe2f7e847982.cloudfront.net (CloudFront)
X-Amz-Cf-Pop	JFK50-P1
X-Amz-Cf-Id	uQQPUY0VIyqEfpBiUPU3WOInqwyALJ0SkUfbU0JN3XRFkuJguBzcpw==

4

https://www.admin.ch/gov/de/start.html

HTTP/1.1 200 OK

Content-Type	text/html;charset=utf-8
Connection	keep-alive
Date	Sat, 20 Apr 2024 05:23:30 GMT
Server	Apache
X-Frame-Options	SAMEORIGIN
X-Content-Type-Options	nosniff
X-XSS-Protection	1
Strict-Transport-Security	max-age=31536000; preload
Expires	Thu, 01 Jan 1970 00:00:00 GMT
Accept-Ranges	bytes
Cache-Control	max-age=300
X-UA-Compatible	IE=edge
Set-Cookie	BIT-PersistPP=2f4f035ed7a4caceeeddf37f53512366;max-age=86400;Path=/;Secure;HttpOnly
Set-Cookie	cookiesession1=678B797C11364343B18F5B1176EA0605;Expires=Sun, 20 Apr 2025 05:23:31 GMT;Path=/;HttpOnly
Vary	Accept-Encoding
X-Cache	Hit from cloudfront
Via	1.1 5b4b6c6517b988a4ff2c794e5583ee02.cloudfront.net (CloudFront)
X-Amz-Cf-Pop	JFK50-P1
X-Amz-Cf-Id	4-6_LCgdBSv5z0Caer4g-N0WK2aZv9gOZPWVRNji2Pp4y-S0OXn3qA==
Age	132

Analysis

HTTP redirects to HTTPS

Good. This plaintext HTTP server redirects to HTTPS.

HTTP (443)

To observe your HTTPS implementation, we submit a request to the homepage of your site on port 443, follow all redirections (even when they take us to other domain names), and record the returned HTTP headers. We use the most recent set of headers returned from the tested hostname for further tests such as HSTS and HPKP.

Test passed

Everything seems to be well configured. Well done.

URL: https://admin.ch/

1

https://admin.ch/

HTTP/1.0 302 Moved Temporarily

Location	https://www.admin.ch/
Connection	Keep-Alive
Content-Length	0

2

https://www.admin.ch/

HTTP/1.1 302 Moved Temporarily

Content-Type	text/html;charset=utf-8
Content-Length	0
Connection	keep-alive
Date	Sat, 20 Apr 2024 05:25:42 GMT
Server	Apache
X-Frame-Options	SAMEORIGIN
X-Content-Type-Options	nosniff
X-XSS-Protection	1
Strict-Transport-Security	max-age=31536000; preload
X-Content-Type-Options	nosniff
Location	https://www.admin.ch/gov/de.html
X-UA-Compatible	IE=edge
Set-Cookie	BIT-PersistPP=704c4efa4402f249eeddf37fd6512366;max-age=86400;Path=/;Secure;HttpOnly
Set-Cookie	cookiesession1=678B797CE6F84BF6DBEB4D012B793E65;Expires=Sun, 20 Apr 2025 05:25:42 GMT;Path=/;HttpOnly
X-Cache	Hit from cloudfront
Via	1.1 b5c1f99a1985819c0c422c9ce2cc03fc.cloudfront.net (CloudFront)
X-Amz-Cf-Pop	JFK50-P1
X-Amz-Cf-Id	7ZKzJgfEJfBnQpll0u680eIBpUQURT3OOlyTovbVmGsAVGO7pi5RBQ==
Age	1

3

https://www.admin.ch/gov/de.html

HTTP/1.1 302 Moved Temporarily

Content-Type	text/html;charset=utf-8
Content-Length	0
Connection	keep-alive
Date	Sat, 20 Apr 2024 05:25:42 GMT
Server	Apache
X-Frame-Options	SAMEORIGIN
X-Content-Type-Options	nosniff
X-XSS-Protection	1
Strict-Transport-Security	max-age=31536000; preload
X-Content-Type-Options	nosniff
Access-Control-Allow-Methods	GET, POST
X-UA-Compatible	IE=edge
Location	https://www.admin.ch/gov/de/start.html
Set-Cookie	BIT-PersistPP=2f4f035ed7a4caceeeddf37fd6512366;max-age=86400;Path=/;Secure;HttpOnly
Set-Cookie	cookiesession1=678B797C407946622B227B2390632368;Expires=Sun, 20 Apr 2025 05:25:42 GMT;Path=/;HttpOnly
X-Cache	Hit from cloudfront
Via	1.1 e82b8f8953c90f58ae3b2feee6b64b70.cloudfront.net (CloudFront)
X-Amz-Cf-Pop	JFK50-P1
X-Amz-Cf-Id	PvECXWmG6gIcI2VyH1AehG1BK3QY21ycTQ8ea3V5cpwSVE2KjoYkHA==
Age	1

4

https://www.admin.ch/gov/de/start.html

HTTP/1.1 200 OK

Content-Type	text/html;charset=utf-8
Connection	keep-alive
Date	Sat, 20 Apr 2024 05:23:30 GMT
Server	Apache
X-Frame-Options	SAMEORIGIN
X-Content-Type-Options	nosniff
X-XSS-Protection	1
Strict-Transport-Security	max-age=31536000; preload
Expires	Thu, 01 Jan 1970 00:00:00 GMT
Accept-Ranges	bytes
Cache-Control	max-age=300
X-UA-Compatible	IE=edge
Set-Cookie	BIT-PersistPP=2f4f035ed7a4caceeeddf37f53512366;max-age=86400;Path=/;Secure;HttpOnly
Set-Cookie	cookiesession1=678B797C11364343B18F5B1176EA0605;Expires=Sun, 20 Apr 2025 05:23:31 GMT;Path=/;HttpOnly
Vary	Accept-Encoding
X-Cache	Hit from cloudfront
Via	1.1 80d5d65d27a0450c8f0018381b103d7a.cloudfront.net (CloudFront)
X-Amz-Cf-Pop	JFK50-P1
X-Amz-Cf-Id	N0Je1vvXdoHUT3l1DlqKvv4TAdilynlUjhhgIEEUUF8oui0cU0OH9g==
Age	132

URL: https://www.admin.ch/

1

https://www.admin.ch/

HTTP/1.1 302 Moved Temporarily

Content-Type	text/html;charset=utf-8
Content-Length	0
Connection	keep-alive
Date	Sat, 20 Apr 2024 05:25:42 GMT
Server	Apache
X-Frame-Options	SAMEORIGIN
X-Content-Type-Options	nosniff
X-XSS-Protection	1
Strict-Transport-Security	max-age=31536000; preload
X-Content-Type-Options	nosniff
Location	https://www.admin.ch/gov/de.html
X-UA-Compatible	IE=edge
Set-Cookie	BIT-PersistPP=704c4efa4402f249eeddf37fd6512366;max-age=86400;Path=/;Secure;HttpOnly
Set-Cookie	cookiesession1=678B797CE6F84BF6DBEB4D012B793E65;Expires=Sun, 20 Apr 2025 05:25:42 GMT;Path=/;HttpOnly
X-Cache	Hit from cloudfront
Via	1.1 fa2a1404411f25eb7c3c4def0c2864e6.cloudfront.net (CloudFront)
X-Amz-Cf-Pop	JFK50-P1
X-Amz-Cf-Id	kTGA_qitLfb-0IIFdJ-5JBQ8KMfLjnF1Ydi_JjOVhgbng9e1etfmFw==
Age	1

2

https://www.admin.ch/gov/de.html

HTTP/1.1 302 Moved Temporarily

Content-Type	text/html;charset=utf-8
Content-Length	0
Connection	keep-alive
Date	Sat, 20 Apr 2024 05:25:42 GMT
Server	Apache
X-Frame-Options	SAMEORIGIN
X-Content-Type-Options	nosniff
X-XSS-Protection	1
Strict-Transport-Security	max-age=31536000; preload
X-Content-Type-Options	nosniff
Access-Control-Allow-Methods	GET, POST
X-UA-Compatible	IE=edge
Location	https://www.admin.ch/gov/de/start.html
Set-Cookie	BIT-PersistPP=2f4f035ed7a4caceeeddf37fd6512366;max-age=86400;Path=/;Secure;HttpOnly
Set-Cookie	cookiesession1=678B797C407946622B227B2390632368;Expires=Sun, 20 Apr 2025 05:25:42 GMT;Path=/;HttpOnly
X-Cache	Hit from cloudfront
Via	1.1 043cf9310ff19c0e58a0b6e76877f570.cloudfront.net (CloudFront)
X-Amz-Cf-Pop	JFK50-P1
X-Amz-Cf-Id	ifirFtZ035ZL6YSwv7wipr3K3KIWyB5Lh1ovL0ac1CRP0R8cP18W-Q==
Age	1

3

https://www.admin.ch/gov/de/start.html

HTTP/1.1 200 OK

Content-Type	text/html;charset=utf-8
Connection	keep-alive
Date	Sat, 20 Apr 2024 05:23:30 GMT
Server	Apache
X-Frame-Options	SAMEORIGIN
X-Content-Type-Options	nosniff
X-XSS-Protection	1
Strict-Transport-Security	max-age=31536000; preload
Expires	Thu, 01 Jan 1970 00:00:00 GMT
Accept-Ranges	bytes
Cache-Control	max-age=300
X-UA-Compatible	IE=edge
Set-Cookie	BIT-PersistPP=2f4f035ed7a4caceeeddf37f53512366;max-age=86400;Path=/;Secure;HttpOnly
Set-Cookie	cookiesession1=678B797C11364343B18F5B1176EA0605;Expires=Sun, 20 Apr 2025 05:23:31 GMT;Path=/;HttpOnly
Vary	Accept-Encoding
X-Cache	Hit from cloudfront
Via	1.1 f577ca8c3771798c088df2efc06d2bc4.cloudfront.net (CloudFront)
X-Amz-Cf-Pop	JFK50-P1
X-Amz-Cf-Id	5TgqJMfpplPIejvhjDdtKO2knZT2Y2ozC7xTe2_6Fxgz7loPY-JgEQ==
Age	133

WWW TLS

Transport Layer Security (TLS) is the most widely used encryption protocol on the Internet. In combination with valid certificates, servers can establish trusted communication channels even with users who have never visited them before. Network attackers can't uncover what is being communicated, even when they can see all the traffic.

Test passed

Everything seems to be well configured. Well done.

TLS Configuration: admin.ch (162.23.130.190)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC secp384r1 (384 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 384 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC secp384r1 (384 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 384 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC secp384r1 (384 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 384 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC secp384r1 (384 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 384 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC secp384r1 (384 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 384 bits)

Analysis

TLS 1.3 not supported

TLS 1.3 is the latest revision of the TLS protocol and a significant improvement over earlier versions. Developed over a period of several years and extensively analyzed prior to the release, TLS 1.3 removed insecure features, and improved both security and performance. This version of TLS should be the main protocol used with modern clients.

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Server prefers forward secrecy and authenticated encryption suites

Excellent. Not only does this server enforce its server preference, but it also has at the top of the list suites that support both forward secrecy and authenticated encryption. This is the best TLS 1.2 can offer.

Server enforces cipher suite preferences

Excellent. This server enforces server cipher suite preference, which means that it is able to select the best suite from the options submitted by clients. Combined with a well designed list of supported cipher suites, this settings enables negotiation of best security.

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: www.admin.ch (108.139.47.96)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits)

Analysis

TLS 1.3 supported

Excellent. This server supports TLS 1.3, which is the latest revision of the TLS protocol and a significant improvement over earlier versions. Developed over a period of several years and extensively analyzed prior to the release, TLS 1.3 removed insecure features, and improved both security and performance.

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Only strong suites supported

Excellent. This server supports only strong cipher suites, which use strong authenticated encryption and provide forward secrecy.

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: www.admin.ch (108.139.47.49)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits)

Analysis

TLS 1.3 supported

Excellent. This server supports TLS 1.3, which is the latest revision of the TLS protocol and a significant improvement over earlier versions. Developed over a period of several years and extensively analyzed prior to the release, TLS 1.3 removed insecure features, and improved both security and performance.

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Only strong suites supported

Excellent. This server supports only strong cipher suites, which use strong authenticated encryption and provide forward secrecy.

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: www.admin.ch (108.139.47.26)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits)

Analysis

TLS 1.3 supported

Excellent. This server supports TLS 1.3, which is the latest revision of the TLS protocol and a significant improvement over earlier versions. Developed over a period of several years and extensively analyzed prior to the release, TLS 1.3 removed insecure features, and improved both security and performance.

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Only strong suites supported

Excellent. This server supports only strong cipher suites, which use strong authenticated encryption and provide forward secrecy.

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: www.admin.ch (108.139.47.104)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits)

Analysis

TLS 1.3 supported

Excellent. This server supports TLS 1.3, which is the latest revision of the TLS protocol and a significant improvement over earlier versions. Developed over a period of several years and extensively analyzed prior to the release, TLS 1.3 removed insecure features, and improved both security and performance.

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Only strong suites supported

Excellent. This server supports only strong cipher suites, which use strong authenticated encryption and provide forward secrecy.

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

WWW Certificates

A certificate is a digital document that contains a public key, some information about the entity associated with it, and a digital signature from the certificate issuer. It’s a mechanism that enables us to exchange, store, and use public keys. Being able to reliably verify the identity of a remote server is crucial in order to achieve secure encrypted communication.

Test passed

Everything seems to be well configured. Well done.

Certificate: admin.ch

Leaf certificate

admin.ch
Issuer: QuoVadis
Not Before: 20 Mar 2024 07:17:28 UTC
Not After: 20 Mar 2025 07:12:00 UTC (expires in 11 months 1 hour)
Key: RSA 4096 bits
Signature: SHA256withRSA
View details

Names	admin.ch
Subject DN	CN=admin.ch, O=Bundesamt fuer Informatik und Telekommunikation (BIT), L=Bern, ST=Bern, C=CH
Subject Key Identifier	1ba141ff2ea47b63d6fe4952b41b28d4d1bcd65a
Serial	449dd579bc47feff1683bb6b1accf3db66d0d708
Not Before	20 Mar 2024 07:17:28 UTC
Not After	20 Mar 2025 07:12:00 UTC
Validity period	365 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	clientAuth, serverAuth
Must Staple	No
Issuer
Issuer DN	CN=QuoVadis Global SSL ICA G3, O=QuoVadis Limited, C=BM
Certification Authority	QuoVadis
Validation Type	Organization Validation (OV)
Authority Key Identifier	keyid:b31289b5a94b35bc1500f080e9d87887f1137c76
Parent Certificate	http://trust.quovadisglobal.com/qvsslg3.crt
CRL	http://crl.quovadisglobal.com/qvsslg3.crl
OCSP	http://ocsp.quovadisglobal.com
Certificate Transparency
Signed Certificate Timestamps	20 Mar 2024 07:27:04 UTC \| Google 'Xenon2025h1' log \| Qualified 20 Mar 2024 07:27:04 UTC \| Let's Encrypt 'Oak2025h1' \| Qualified 20 Mar 2024 07:27:04 UTC \| DigiCert Nessie2025 Log \| Qualified 20 Mar 2024 07:27:04 UTC \| Google 'Argon2025h1' log \| Qualified
Fingerprints
SHA1	4bd0bfa46e3457d2714132a259bb25574126b8f8
SHA256	643c37884ae52cfb52232a31d4145ab120ece13d8f9d74ac587d6ca91e1ae5dd
SPKI SHA256	e6c40c94a9b214b6274fca8cf592fa537470071f0c21060254a9f355f5c87e9d

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Trust

Determining whether a certificate is considered valid is a complicated process that depends on the exact configuration of the validating party. For trust to be established, the certificate must form a chain that ends with a trusted root. In this section we evaluate the server's certificate against major root stores.

Platform	Trusted
Apple
Google AOSP
Microsoft
Mozilla

Certificate Chain

For a server certificate to be valid, it must be presented as part of a complete and valid certificate chain. The last certificate in the chain should be the root and is usually not included in the configuration.

Leaf certificate

admin.ch | 643c378
Not After: 20 Mar 2025 07:12:00 UTC (expires in 11 months 1 hour)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Names	admin.ch
Subject DN	CN=admin.ch, O=Bundesamt fuer Informatik und Telekommunikation (BIT), L=Bern, ST=Bern, C=CH
Subject Key Identifier	1ba141ff2ea47b63d6fe4952b41b28d4d1bcd65a
Serial	449dd579bc47feff1683bb6b1accf3db66d0d708
Not Before	20 Mar 2024 07:17:28 UTC
Not After	20 Mar 2025 07:12:00 UTC
Validity period	365 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	clientAuth, serverAuth
Must Staple	No
Issuer
Issuer DN	CN=QuoVadis Global SSL ICA G3, O=QuoVadis Limited, C=BM
Certification Authority	QuoVadis
Validation Type	Organization Validation (OV)
Authority Key Identifier	keyid:b31289b5a94b35bc1500f080e9d87887f1137c76
Parent Certificate	http://trust.quovadisglobal.com/qvsslg3.crt
CRL	http://crl.quovadisglobal.com/qvsslg3.crl
OCSP	http://ocsp.quovadisglobal.com
Certificate Transparency
Signed Certificate Timestamps	20 Mar 2024 07:27:04 UTC \| Google 'Xenon2025h1' log \| Qualified 20 Mar 2024 07:27:04 UTC \| Let's Encrypt 'Oak2025h1' \| Qualified 20 Mar 2024 07:27:04 UTC \| DigiCert Nessie2025 Log \| Qualified 20 Mar 2024 07:27:04 UTC \| Google 'Argon2025h1' log \| Qualified
Fingerprints
SHA1	4bd0bfa46e3457d2714132a259bb25574126b8f8
SHA256	643c37884ae52cfb52232a31d4145ab120ece13d8f9d74ac587d6ca91e1ae5dd
SPKI SHA256	e6c40c94a9b214b6274fca8cf592fa537470071f0c21060254a9f355f5c87e9d

Intermediate certificate

QuoVadis Global SSL ICA G3 | 161ee53
Not After: 02 Nov 2026 17:41:00 UTC (expires in 2 years 6 months)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Subject DN	CN=QuoVadis Global SSL ICA G3, O=QuoVadis Limited, C=BM
Subject Key Identifier	b31289b5a94b35bc1500f080e9d87887f1137c76
Serial	653247814f5fa66bb854daf053f329265d726538
Not Before	03 Nov 2021 17:41:01 UTC
Not After	02 Nov 2026 17:41:00 UTC
Validity period	1825 days
Key Usage	keyCertSign, cRLSign
Extended Key Usage	clientAuth, serverAuth
Issuer
Issuer DN	CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
Certification Authority	QuoVadis
Validation Type	Not Applicable
Authority Key Identifier	keyid:ede76f765abf60ec495bc6a577bb7216719bc43d
Parent Certificate	http://trust.quovadisglobal.com/qvrca2g3.crt
CRL	http://crl.quovadisglobal.com/qvrca2g3.crl
OCSP	http://ocsp.quovadisglobal.com
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	b2ec15c705c66e4d30c33a17f3df5bcc113fd963
SHA256	161ee5386329b28a27ff405736552a621d5a844a43811e3623e52eefa0ba840a
SPKI SHA256	28cde264f49c781fa1818b8d23e7128382d1813894c427868eb7d7450018e91b

Root certificate

QuoVadis Root CA 2 G3 | 8fe4fb0
Not After: 12 Jan 2042 18:59:32 UTC (expires in 17 years 8 months)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Subject DN	CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
Subject Key Identifier	ede76f765abf60ec495bc6a577bb7216719bc43d
Serial	445734245b81899b35f2ceb82b3b5ba726f07528
Not Before	12 Jan 2012 18:59:32 UTC
Not After	12 Jan 2042 18:59:32 UTC
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=QuoVadis Root CA 2 G3, O=QuoVadis Limited, C=BM
Certification Authority	QuoVadis
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	093c61f38b8bdc7d55df7538020500e125f5c836
SHA256	8fe4fb0af93a4d0d67db0bebb23e37c71bf325dcbcdd240ea04daf58b47e1840
SPKI SHA256	4a49edbd2f8f8230bd5592b313573fe1c172a45fa98011cc1eddbb36ade3fce5

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

Certificate: www.admin.ch

Leaf certificate

www.admin.ch
Issuer: Amazon
Not Before: 18 Nov 2023 00:00:00 UTC
Not After: 16 Dec 2024 23:59:59 UTC (expires in 7 months 26 days)
Key: RSA 2048 bits
Signature: SHA256withRSA
View details

Names	www.admin.ch
Subject DN	CN=www.admin.ch
Subject Key Identifier	dd76febc67c2bf699bb2737e51b63d89303c8e55
Serial	e3219caff1bbc1c15fd487750967885
Not Before	18 Nov 2023 00:00:00 UTC
Not After	16 Dec 2024 23:59:59 UTC
Validity period	395 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Amazon RSA 2048 M02, O=Amazon, C=US
Certification Authority	Amazon
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:c03152cd5a50c3827c7471cecbe99cf97aeb82e2
Parent Certificate	http://crt.r2m02.amazontrust.com/r2m02.cer
CRL	http://crl.r2m02.amazontrust.com/r2m02.crl
OCSP	http://ocsp.r2m02.amazontrust.com
Certificate Transparency
Signed Certificate Timestamps	18 Nov 2023 06:58:47 UTC \| Google 'Argon2024' log \| Qualified 18 Nov 2023 06:58:47 UTC \| DigiCert Yeti2024 Log \| Qualified 18 Nov 2023 06:58:47 UTC \| Cloudflare 'Nimbus2024' Log \| Qualified
Fingerprints
SHA1	037652e0c1b46f5e10ac5d1d5198631c64efe01b
SHA256	45b06eae1aa587e20d47ee30e39e305a70670677a58d74d5fe46b2fd160e757c
SPKI SHA256	bb98c5ed53625b1f021e147063dec69b188cddb426692f9c9f9aa59cb74dea56

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Trust

Determining whether a certificate is considered valid is a complicated process that depends on the exact configuration of the validating party. For trust to be established, the certificate must form a chain that ends with a trusted root. In this section we evaluate the server's certificate against major root stores.

Platform	Trusted
Apple
Google AOSP
Microsoft
Mozilla

Certificate Chain

For a server certificate to be valid, it must be presented as part of a complete and valid certificate chain. The last certificate in the chain should be the root and is usually not included in the configuration.

Leaf certificate

www.admin.ch | 45b06ea
Not After: 16 Dec 2024 23:59:59 UTC (expires in 7 months 26 days)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Names	www.admin.ch
Subject DN	CN=www.admin.ch
Subject Key Identifier	dd76febc67c2bf699bb2737e51b63d89303c8e55
Serial	e3219caff1bbc1c15fd487750967885
Not Before	18 Nov 2023 00:00:00 UTC
Not After	16 Dec 2024 23:59:59 UTC
Validity period	395 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=Amazon RSA 2048 M02, O=Amazon, C=US
Certification Authority	Amazon
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:c03152cd5a50c3827c7471cecbe99cf97aeb82e2
Parent Certificate	http://crt.r2m02.amazontrust.com/r2m02.cer
CRL	http://crl.r2m02.amazontrust.com/r2m02.crl
OCSP	http://ocsp.r2m02.amazontrust.com
Certificate Transparency
Signed Certificate Timestamps	18 Nov 2023 06:58:47 UTC \| Google 'Argon2024' log \| Qualified 18 Nov 2023 06:58:47 UTC \| DigiCert Yeti2024 Log \| Qualified 18 Nov 2023 06:58:47 UTC \| Cloudflare 'Nimbus2024' Log \| Qualified
Fingerprints
SHA1	037652e0c1b46f5e10ac5d1d5198631c64efe01b
SHA256	45b06eae1aa587e20d47ee30e39e305a70670677a58d74d5fe46b2fd160e757c
SPKI SHA256	bb98c5ed53625b1f021e147063dec69b188cddb426692f9c9f9aa59cb74dea56

Intermediate certificate

Amazon RSA 2048 M02 | b0f330a
Not After: 23 Aug 2030 22:25:30 UTC (expires in 6 years 4 months)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Subject DN	CN=Amazon RSA 2048 M02, O=Amazon, C=US
Subject Key Identifier	c03152cd5a50c3827c7471cecbe99cf97aeb82e2
Serial	773124a4bcbd44ec7b53beaf194842d3a0fa1
Not Before	23 Aug 2022 22:25:30 UTC
Not After	23 Aug 2030 22:25:30 UTC
Validity period	2923 days
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	serverAuth, clientAuth
Issuer
Issuer DN	CN=Amazon Root CA 1, O=Amazon, C=US
Certification Authority	Amazon
Validation Type	Not Applicable
Authority Key Identifier	keyid:8418cc8534ecbc0c94942e08599cc7b2104e0a08
Parent Certificate	http://crt.rootca1.amazontrust.com/rootca1.cer
CRL	http://crl.rootca1.amazontrust.com/rootca1.crl
OCSP	http://ocsp.rootca1.amazontrust.com
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	414a2060b738c635cc7fc243e052615592830c53
SHA256	b0f330a31a0c50987e1c3a7bb02c2dda682991d3165b517bd44fba4a6020bd94
SPKI SHA256	d7cb643f2af69dc92fe1f828d1d84091a52d27686edbcdf5c653b648a86af1d8

Intermediate certificate

Amazon Root CA 1 | 87dcd4d
Not After: 31 Dec 2037 01:00:00 UTC (expires in 13 years 8 months)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Subject DN	CN=Amazon Root CA 1, O=Amazon, C=US
Subject Key Identifier	8418cc8534ecbc0c94942e08599cc7b2104e0a08
Serial	67f944a2a27cdf3fac2ae2b01f908eeb9c4c6
Not Before	25 May 2015 12:00:00 UTC
Not After	31 Dec 2037 01:00:00 UTC
Key Usage	digitalSignature, keyCertSign, cRLSign
Issuer
Issuer DN	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Certification Authority	Amazon
Validation Type	Not Applicable
Authority Key Identifier	keyid:9c5f00dfaa01d7302b3888a2b86d4a9cf2119183
Parent Certificate	http://crt.rootg2.amazontrust.com/rootg2.cer
CRL	http://crl.rootg2.amazontrust.com/rootg2.crl
OCSP	http://ocsp.rootg2.amazontrust.com
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	06b25927c42a721631c1efd9431e648fa62e1e39
SHA256	87dcd4dc74640a322cd205552506d1be64f12596258096544986b4850bc72706
SPKI SHA256	fbe3018031f9586bcbf41727e417b7d1c45c2f47f93be372a17b96b50757d5a2

Intermediate certificate

Starfield Services Root Certificate Authority - G2 | 28689b3
Not After: 28 Jun 2034 17:39:16 UTC (expires in 10 years 2 months)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Subject DN	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
Subject Key Identifier	9c5f00dfaa01d7302b3888a2b86d4a9cf2119183
Serial	a70e4a4c3482b77f
Not Before	02 Sep 2009 00:00:00 UTC
Not After	28 Jun 2034 17:39:16 UTC
Key Usage	digitalSignature, keyCertSign, cRLSign
Issuer
Issuer DN	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
Certification Authority	GoDaddy
Validation Type	Not Applicable
Authority Key Identifier	keyid:bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7
Parent Certificate	http://x.ss2.us/x.cer
CRL	http://s.ss2.us/r.crl
OCSP	http://o.ss2.us/
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	9e99a48a9960b14926bb7f3b02e22da2b0ab7280
SHA256	28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996
SPKI SHA256	2b071c59a0a0ae76b0eadb2bad23bad4580b69c3601b630c2eaf0613afa83f92

Root certificate

Starfield Technologies, Inc. | 1465fa2
Not After: 29 Jun 2034 17:39:16 UTC (expires in 10 years 2 months)
Authentication: RSA 2048 bits (SHA1withRSA)
View details

Subject DN	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
Subject Key Identifier	bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7
Serial	0
Not Before	29 Jun 2004 17:39:16 UTC
Not After	29 Jun 2034 17:39:16 UTC
Issuer
Issuer DN	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
Certification Authority	GoDaddy
Validation Type	Self-signed
Authority Key Identifier	keyid:bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7; name:C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority; serial:0
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	ad7e1c28b064ef8f6003402014c3d0e3370eb58a
SHA256	1465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658
SPKI SHA256	15f14ac45c9c7da233d3479164e8137fe35ee0f38ae858183f08410ea82ac4b4

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

DANE (443)

DNS-based Authentication of Named Entities (DANE) is a bridge between DNSSEC and TLS. In one possible scenario, DANE can be used for public key pinning, building on an existing publicly-trusted certificate. In another approach, it can be used to completely bypass the CA ecosystem and establish trust using DNSSEC alone.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Cookies

Cookies are small chunks of text that are sent between your browser and a website. They are often essential to the operation of the site and sometimes contain sensitive information. Session cookies sent from secure sites must be explicitly marked as secure to prevent being obtained by active network attackers.

Test failed

We've detected serious problems that require your immediate attention.

HTTP Cookie: BIT-PersistPP

Cookie value. As far as the cookie RFC is concerned, the value is an opaque string which only the application should interpret.Value	2f4f035ed7a4caceeeddf37f53512366
Cookie domain. When domain is implied (not explicitly set in a cookie), most browsers (but not IE) treat the cookie as host-only, meaning that no other server can overwrite it.Domain	Implied (www.admin.ch)
Cookie path. This field can't be used as security measure, but it could be of use to avoid cookie name collision in non-adversarial contexts.Path	/
Cookies are designed to always expire. Session cookies are truly ephemeral and remain cached until the browser is closed. The Expires and Max-Age cookie attributes can be used to specify that a cookie should stay alive for longer.Expires	Sun Apr 21 05:25:47 UTC 2024 (23 hours 59 minutes)
The HttpOnly flag prevents the cookie from being accessed from JavaScript, thus making them more difficult to obtain after a successful XSS attack.HttpOnly
The Secure flag signals to browsers that the cookie should be transmitted only over an encrypted channel.Secure
Normally, when a browser makes a request to a web site, it sends all associated cookies. This is not always desirable, because it might allow third-party sites to perform site actions under the identity of the user. This attack is known as Cross-Site Request Forgery. With SameSite cookies (still in development, but already supported in some browsers), you can choose to be more strict. The possible values are 'lax' and 'strict'.SameSite

Analysis

Cookie is secure

Good. This cookie is marked secure, which means that it won't ever be transmitted over plaintext. As such, it's not vulnerable to the Sidejacking attack.

HTTP Cookie: cookiesession1 Session cookie

Cookie value. As far as the cookie RFC is concerned, the value is an opaque string which only the application should interpret.Value	678B797C11364343B18F5B1176EA0605
Cookie domain. When domain is implied (not explicitly set in a cookie), most browsers (but not IE) treat the cookie as host-only, meaning that no other server can overwrite it.Domain	Implied (www.admin.ch)
Cookie path. This field can't be used as security measure, but it could be of use to avoid cookie name collision in non-adversarial contexts.Path	/
Cookies are designed to always expire. Session cookies are truly ephemeral and remain cached until the browser is closed. The Expires and Max-Age cookie attributes can be used to specify that a cookie should stay alive for longer.Expires	Sun Apr 20 05:23:31 UTC 2025 (11 months 30 days)
The HttpOnly flag prevents the cookie from being accessed from JavaScript, thus making them more difficult to obtain after a successful XSS attack.HttpOnly
The Secure flag signals to browsers that the cookie should be transmitted only over an encrypted channel.Secure
Normally, when a browser makes a request to a web site, it sends all associated cookies. This is not always desirable, because it might allow third-party sites to perform site actions under the identity of the user. This attack is known as Cross-Site Request Forgery. With SameSite cookies (still in development, but already supported in some browsers), you can choose to be more strict. The possible values are 'lax' and 'strict'.SameSite

Analysis

Session cookie is not secure

This cookie, which has been sent over an encrypted channel, doesn't have the secure flag set. As a result, an active network attacker can easily recover it and hijack the user session.

Session cookie is HttpOnly

Good. This session cookie is marked as HttpOnly, which means that it can't be accessed from JavaScript. Such cookies are more difficult to obtain after a successful XSS attack.

SameSite attribute not used

An upcoming standard, SameSite cookies, creates more secure cookies that are sent only on requests that originate from the same site that issued them. They are designed to prevent Cross-Site Request Forgery (CSRF) or at least make it more difficult.

Name prefix not used

Cookie name prefixes are a recent improvement that enable web application developers to opt-in into a more secure type of cookies. Virtually all cookies would benefit from using either the '__Secure-' or the '__Host-' prefix. The former ensures that a plaintext cookie can't overwrite a secure cookie. The latter ensures that the cookie is sent back only to the host that issued it.

Mixed Content

On virtually all web sites, HTML markup, images, style sheets, JavaScript, and other page resources arrive not only over multiple connections but possibly from multiple servers and sites spread across the entire Internet. For a page to be properly encrypted, it’s necessary that all the content is retrieved over HTTPS. In practice, that’s very often not the case, leading to mixed content security problems.

Test passed, but there are warnings

Some aspect of your site's configuration require your attention.

Embedded Resources

In this section we look at the security of all embedded resources. Mixed active content occurs when there are unprotected scripts or styles embedded in a page. This is typically not allowed by modern browsers. Mixed passive content (images, videos and such) are typically allowed, but shouldn't be present.

3 script(s)
3 out of 3 are secure View all

Status	Link
Encrypted	https://www.admin.ch/...ranite/jquery.min.js
Encrypted	https://www.admin.ch/...granite/utils.min.js
Encrypted	https://platform.twitter.com/widgets.js

3 CSS file(s)
3 out of 3 are secure View all

Status	Link
Encrypted	https://www.admin.ch/...d/guidelines.min.css
Encrypted	https://www.admin.ch/...tend/modules.min.css
Encrypted	https://www.admin.ch/...frontend/modules.css

17 media file(s)
17 out of 17 are secure View all

Status	Link
Encrypted	https://www.admin.ch/...idgenossenschaft.png
Encrypted	https://www.admin.ch/...elines/img/swiss.svg
Encrypted	https://www.admin.ch/...chneider_386x391.png
Encrypted	https://www.admin.ch/...o_cassis_386x391.png
Encrypted	https://www.admin.ch/...r_sutter_386x391.png
Encrypted	https://www.admin.ch/...a_amherd_386x391.png
Encrypted	https://www.admin.ch/...parmelin_386x391.png
Encrypted	https://www.admin.ch/...t_roesti_386x391.png
Encrypted	https://www.admin.ch/...eat_jans_386x391.png
Encrypted	https://www.admin.ch/...iner-Teaser-RZ01.jpg
Encrypted	https://www.admin.ch/...renz-Teaser-RZ01.png
Encrypted	https://www.admin.ch/...icht-Teaser-RZ01.png
Encrypted	https://www.admin.ch/...rbot-Teaser-RZ01.png
Encrypted	https://www.youtube.com/embed/videoseries
Encrypted	https://www.admin.ch/...oteinfo_appstore.png
Encrypted	https://www.admin.ch/...einfo_googleplay.png
Encrypted	https://www.admin.ch/...idgenossenschaft.png

Outbound Links

Ideally, an encrypted page should only have links that lead to other encrypted pages. If plaintext links are used, passive network attackers can see where people go after they visit your web site. It's also possible that some sensitive information is leaked in the Referer header.

32 link(s)
26 out of 32 are encrypted

http://www.eda.admin.ch/eda/de/home.html

http://www.ejpd.admin.ch/ejpd/de/home.html

http://www.efd.admin.ch

http://www.wbf.admin.ch/

http://www.parlament.ch/.../Seiten/default.aspx

http://www.eidgenoessischegerichte.ch

View all

Status	Link
Encrypted	https://www.bk.admin.ch/bk/de/home.html
Plaintext	http://www.eda.admin.ch/eda/de/home.html
Encrypted	https://www.edi.admin.ch/edi/de/home.html
Plaintext	http://www.ejpd.admin.ch/ejpd/de/home.html
Encrypted	https://www.vbs.admin.ch/de
Plaintext	http://www.efd.admin.ch
Plaintext	http://www.wbf.admin.ch/
Encrypted	https://www.uvek.admin.ch/uvek/de/home.html
Encrypted	https://www.fedlex.admin.ch/de/home
Encrypted	https://www.youtube.com/watch
Encrypted	https://www.youtube.com/live/CsUuYBbGBQ0
Encrypted	https://youtube.com/playlist
Encrypted	https://twitter.com/BR_Sprecher
Encrypted	https://www.newsd.admin.ch/newsd/feeds/rss
Plaintext	http://www.parlament.ch/.../Seiten/default.aspx
Plaintext	http://www.eidgenoessischegerichte.ch
Encrypted	https://www.staatskalender.admin.ch/home
Encrypted	https://www.stelle.admin.ch/stelle/de/home.html
Encrypted	https://www.ch.ch/de/demokratie/
Encrypted	https://www.ch.ch/de
Encrypted	https://www.ch.ch/...rkehr/bussenkatalog/
Encrypted	https://www.ch.ch/...thaltsbewilligungen/
Encrypted	https://www.ch.ch/...gung-arbeitsvertrag/
Encrypted	https://www.ch.ch/...liste-fur-den-umzug/
Encrypted	https://www.ch.ch/...-richtig-ausgefullt/
Encrypted	https://www.ch.ch/...rten/mehrwertsteuer/
Encrypted	https://twitter.com/BR_Sprecher
Encrypted	https://www.youtube.com/...gliofederalesvizzero
Encrypted	https://www.instagram.com/gov.ch/
Encrypted	https://twitter.com/SwissGov
Encrypted	https://itunes.apple.com/ch/app/id1434819062
Encrypted	https://play.google.com/store/apps/details

Analysis

Plaintext outbound links in HTTPS page

When outbound links are not encrypted, a passive network attacker can see where your users go after visiting your web site.

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) vastly improves security of the network encryption layer. With HSTS enabled, browsers no longer allow clicking through certificate warnings errors, which are typically trivial to exploit. Additionally, they will no longer submit insecure (plaintext) requests to the site in question, even if asked.

Test passed, but there are warnings

Some aspect of your site's configuration require your attention.

HSTS Policy Main host

URL from which this policy was obtained.Location	https://www.admin.ch/
Specifies policy duration. Once activated, HSTS stays in force until this time lapses. Browsers update policy cache duration every time they receive a new HSTS header from a site.max‑age	31,536,000 seconds (about 1 year)
When present, this directive forces HSTS activation on allsubdomains. For best security, HSTS should be deployed on the bare domain name (e.g., example.com) and all its subdomains.includeSubDomains
Presence of this directive indicates that a web site wishes to permanently use HSTS and that its policy information should be preloaded (embedded in browsers).preload

Analysis

Policy is valid

OK. Your HSTS policy uses correct syntax.

Long policy age

Your HSTS policy has a long max-age value, which offers better protection.

No subdomains

This HSTS policy doesn't cover subdomains, which is a requirement for preloading. Additionally, without full coverage, HSTS can't protect from certain cookie attacks that typically allow active network attackers to inject cookies into an application.

Redirection from HTTP to HTTPS to the same host

Good. The redirection from HTTP to HTTPS is to the same host. This approach ensures that HSTS is activated on the hostname when it's accessed via plaintext.

No parent protection

This host could benefit from further protection if the apex hostname would be configured with a HSTS policy that uses 'includeSubDomains'. Enabling HSTS on an entire domain name is the only approach that provides robust security.

Analysis

No HSTS on apex hostname

Even though the main host uses HSTS, the protection is not as good as it could be because the apex hostname doesn't have HSTS deployed. Without robust HSTS, attackers can sometimes abuse cookies and make up plaintext subdomains to use for phishing.

Location: https://admin.ch

HTTP Public Key Pinning

HTTP Public Key Pinning (HPKP) enables site operators to restrict which certificates are considered valid for their domain names. With a valid HPKP configuration, sites can defeat man in the middle (MITM) attacks using fraudulent or misissued certificates. HPKP is an advanced feature, suitable for use by only high-profile web sites.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Content Security Policy

Content Security Policy (CSP) is a security mechanism that allows web sites control how browsers process their pages. In essence, sites can restrict what types of resources are loaded and from where. CSP policies can be used to defend against cross-site scripting, prevent mixed content issues, as well as report violations for investigation.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Subresource Integrity

Subresource Integrity (SRI) is a new standard that enables browsers to verify the integrity of embedded page resources (e.g., scripts and stylesheets) when they are loaded from third-party web sites. With SRI deployed, remote resources can be used safely, without fear of them being modified by malicious parties.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

3 script(s)
2 out of 3 are secure

https://platform.twitter.com/widgets.js

View all

Status	Link
Local	/etc.clientlibs/clientlibs/granite/jquery.min.js
Local	/etc.clientlibs/clientlibs/granite/utils.min.js
Remote	https://platform.twitter.com/widgets.js

3 CSS file(s)
3 out of 3 are secure View all

Status	Link
Local	/etc/designs/core/frontend/guidelines.min.css
Local	/etc/designs/core/frontend/modules.min.css
Local	/etc/designs/gov-frontend/modules.css

Analysis

SRI required

This page contains remote resources that are under the control of third parties. Deploy SRI to protect them from modification.

Expect CT

Expect-CT is a deprecated response HTTP header designed to enable web sites to monitor problems related to their Certificate Transparency (CT) compliance. Should any CT issues arise, browsers that supported this header will submit reports to the specified reporting endpoint. Chrome was the browser that introduced support for this response header, but later deprecated it and removed it in version 107.

Feature not applicable, not implemented, or disabled

Your server doesn't support this feature.

Analysis

Deploy Expect-CT to enable reporting

An Expect-CT policy enables web sites to monitor for any problems related to their Expect-CT compliance, detecting potentially serious issues quickly. When issues arise, compliant browsers will submit reports to the specified reporting endpoints. Before CT became required for all public certificates the Expect-CT was also used to require CT, but that use case no longer applies.

Frame Options

The X-Frame-Options header controls page framing, which occurs when a page is incorporated into some other page, possibly on a different site. If framing is allowed, attackers can employ clever tricks to make victims perform arbitrary actions on your site; they do this by showing their web site while forwarding the victim's clicks to yours.

Test passed

Everything seems to be well configured. Well done.

Analysis

Header information

Name: X-Frame-Options

Value: SAMEORIGIN

Framing allowed from the same origin only

OK. Your site allows page framing only from itself. This should generally be safe, except maybe on sites that host user content.

XSS Protection

Some browsers ship with so-called XSS Auditors, built-in defenses against XSS. Although these defenses work against simple reflective XSS attacks, they can be abused by skillful attackers to add weaknesses to otherwise secure web sites. These dangers are present in both filtering and blocking modes. At this time, the Safari browser ships with its XSS defenses enabled by default. For this reason, the best approach is to explicitly disable this functionality.

Test passed, but there are warnings

Some aspect of your site's configuration require your attention.

Analysis

Header information

Name: X-XSS-Protection

Value: 1

XSS auditor filtering is dangerous

Your configuration requests filtering when XSS attacks are detected, which is potentially dangerous as it allows attackers to selectively disable portions of JavaScript code. The only safe approach is to explicitly disable browser-based XSS protection.

Content Type Options

Some browsers use a technique called content sniffing to override response MIME types provided by HTTP servers and interpret responses as something else (usually HTML). This behavior, which could potentially lead to security issues, should be disabled by attaching an X-Content-Type-Options header to all responses.

Test passed

Everything seems to be well configured. Well done.

Analysis

Header information

Name: X-Content-Type-Options

Value: nosniff

Valid configuration

Good. Your configuration is valid. This means that browsers won't try to guess file MIME type on this web site.

Public Report | admin.ch

admin.ch

Domain Name System

Email

WWW

DNS Zone

Nameserver Names

Nameserver Addresses

Start of Authority (SOA) Record

Analysis

Backing DNS Queries

DNS Records

DNS Records

Backing DNS Queries

DNSSEC

Analysis

Useful DNSSEC Tools

Certification Authority Authorization

CAA Policy Information

Analysis

Email (SMTP)

Analysis

Email TLS (SMTP)

TLS Configuration: mx04.mail.admin.ch (162.23.23.170) Cached

Analysis

TLS Configuration: mailgate1.admin.ch (162.23.32.31) Cached

Analysis

TLS Configuration: mx03.mail.admin.ch (162.23.22.170) Cached

Analysis

TLS Configuration: mailgate2.admin.ch (162.23.32.32) Cached

Analysis

TLS Configuration: mx02.mail.admin.ch (162.23.23.160) Cached

Analysis

TLS Configuration: mx01.mail.admin.ch (162.23.22.160) Cached

Analysis

Email Certificates (SMTP)

Certificate #1 Cached

Analysis

Certificate Chain

Analysis

Certificate #2 Cached

Analysis

Certificate Chain

Analysis

Email DANE (SMTP)

DANE: mx04.mail.admin.ch (162.23.23.170)

Analysis

DANE: mx03.mail.admin.ch (162.23.22.170)

Analysis

DANE: mx02.mail.admin.ch (162.23.23.160)

Analysis

DANE: mx01.mail.admin.ch (162.23.22.160)

Analysis

SPF

SPF Policy Information Main policy

Analysis

SPF Policy Information Included policy

SPF Policy Information Included policy

SPF Policy Information Included policy

SPF Policy Information Included policy

SPF Policy Information Included policy

SPF Policy Information Included policy

SPF Policy Information Included policy

DMARC

DMARC Policy Information

Analysis

MTA Strict Transport Security

SMTP TLS Reporting

HTTP (80)

URL: http://admin.ch/

Analysis

URL: http://www.admin.ch/

Analysis

HTTP (443)

URL: https://admin.ch/

URL: https://www.admin.ch/

WWW TLS

TLS Configuration: admin.ch (162.23.130.190)

Analysis

TLS Configuration: www.admin.ch (108.139.47.96)