Hardenize Report: skiff.com

Web sites need to use encryption to help their visitors know they're in the right place, as well as provide confidentiality and content integrity. Sites that don't support HTTPS may expose sensitive data and have their pages modified and subverted.

For all sites VERY IMPORTANT medium EFFORT

HTTPS Redirection

To deploy HTTPS properly, web sites must redirect all unsafe (plaintext) traffic to the encrypted variant. This approach ensures that no sensitive data is exposed and that further security technologies can be activated.

For all sites VERY IMPORTANT low EFFORT

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is an HTTPS extension that instructs browsers to remember sites that use encryption and enforce strict security requirements. Without HSTS, active network attacks are easy to carry out.

For important sites VERY IMPORTANT medium EFFORT

HSTS Preloaded

HSTS Preloading is informing browsers in advance about a site's use of HSTS, which means that strict security can be enforced even on the first visit. This approach provides best HTTPS security available today.

For important sites VERY IMPORTANT medium EFFORT

Content Security Policy

Content Security Policy (CSP) is an additional security layer that enables web sites to control browser behavior, creating a safety net that can counter attacks such as cross-site scripting.

For important sites IMPORTANT high EFFORT

Email Security Overview

STARTTLS

All hosts that receive email need encryption to ensure confidentiality of email messages. Email servers thus need to support STARTTLS, as well as provide decent TLS configuration and correct certificates.

For all sites VERY IMPORTANT low EFFORT

SPF

Sender Policy Framework (SPF) enables organizations to designate servers that are allowed to send email messages on their behalf. With SPF in place, spam is easier to identify.

For important sites IMPORTANT low EFFORT

DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a mechanism that allows organizations to specify how unauthenticated email (identified using SPF and DKIM) should be handled.

For important sites IMPORTANT low EFFORT

DNS Zone

The global DNS infrastructure is organized as a series of hierarchical DNS zones. The root zone hosts a number of global and country TLDs, which in turn host further zones that are delegated to their customers. Each organization that controls a zone can delegate parts of its namespace to other zones. In this test we perform detailed inspection of a DNS zone, but only if the host being tested matches the zone.

Test passed

Everything seems to be well configured. Well done.

Nameserver Names

Nameservers can be referred to by name and by address. In this section we show the names, which can appear in the NS records, the referrals from the parent zone, and the SOA record. In some situations, servers from the parent zone respond authoritatively, in which case we will include them in the list as well.

Nameserver	Operational	IPv4	IPv6	Sources
heidi.ns.cloudflare.com. PRIMARY 108.162.194.236 162.159.38.236 172.64.34.236 2606:4700:50::a29f:26ec 2803:f800:50::6ca2:c2ec 2a06:98c1:50::ac40:22ec				SOA NS REFERRAL
yevgen.ns.cloudflare.com. 108.162.195.223 162.159.44.223 172.64.35.223 2606:4700:58::a29f:2cdf 2803:f800:50::6ca2:c3df 2a06:98c1:50::ac40:23df				NS REFERRAL

Nameserver Addresses

This section shows the configuration of all discovered nameservers by their IP address. To find all applicable nameservers, we inspect the parent zone nameservers for names and glue and then the tested zone nameservers for NS records. We then resolve all discovered names to IP addresses. Finally, we test each address individually.

Nameserver	Sources	Payload Size
108.162.194.236 PRIMARY heidi.ns.cloudflare.com. PTR: heidi.ns.cloudflare.com.	NAME, GLUE	1232
108.162.195.223 yevgen.ns.cloudflare.com. PTR: yevgen.ns.cloudflare.com.	NAME, GLUE	1232
162.159.38.236 PRIMARY heidi.ns.cloudflare.com. PTR: heidi.ns.cloudflare.com.	NAME, GLUE	1232
162.159.44.223 yevgen.ns.cloudflare.com. PTR: yevgen.ns.cloudflare.com.	NAME, GLUE	1232
172.64.34.236 PRIMARY heidi.ns.cloudflare.com. PTR: heidi.ns.cloudflare.com.	NAME, GLUE	1232
172.64.35.223 yevgen.ns.cloudflare.com. PTR: yevgen.ns.cloudflare.com.	NAME, GLUE	1232
2606:4700:50::a29f:26ec PRIMARY heidi.ns.cloudflare.com. PTR: heidi.ns.cloudflare.com.	NAME, GLUE	1232
2606:4700:58::a29f:2cdf yevgen.ns.cloudflare.com. PTR: yevgen.ns.cloudflare.com.	NAME, GLUE	1232
2803:f800:50::6ca2:c2ec PRIMARY heidi.ns.cloudflare.com. PTR: heidi.ns.cloudflare.com.	NAME, GLUE	1232
2803:f800:50::6ca2:c3df yevgen.ns.cloudflare.com. PTR: yevgen.ns.cloudflare.com.	NAME, GLUE	1232
2a06:98c1:50::ac40:22ec PRIMARY heidi.ns.cloudflare.com. PTR: heidi.ns.cloudflare.com.	NAME, GLUE	1232
2a06:98c1:50::ac40:23df yevgen.ns.cloudflare.com. PTR: yevgen.ns.cloudflare.com.	NAME, GLUE	1232

Start of Authority (SOA) Record

Start of Authority (SOA) records contain administrative information pertaining to one DNS zone, especially the configuration that's used for zone transfers between the primary nameserver and the secondaries. Only one SOA record should exist, with all nameservers providing the same information.

The domain name of the primary nameserver for the zone. Also known as MNAME.Primary nameserver	heidi.ns.cloudflare.com.
Email address of the persons responsible for this zone. Also known as RNAME.Admin email	dns.cloudflare.com.
Zone serial or version number.Serial number	-1973515242
The length of time secondary nameservers should wait before querying the primary for changes.Refresh interval	10,000 seconds (about 2 hours 46 minutes)
The length of time secondary nameservers should wait before querying an unresponsive primary again.Retry interval	2,400 seconds (about 40 minutes)
The length of time after which secondary nameservers should stop responding to queries for a zone, assuming no updates were obtained from the primary.Expire interval	604,800 seconds (about 7 days)
TTL for purposes of negative response caching. Negative cache TTL	1,800 seconds (about 30 minutes)
Time To Live (TTL) indicates for how long a record remains valid. SOA record TTL	1,800 seconds (about 30 minutes)

Analysis

No problems detected with the zone configuration

Excellent. This DNS zone is in a good working order. No problems detected.

Backing DNS Queries

Below are all DNS queries we submitted during the zone inspection.

	ID	Server	Transport	Question Name	Type	Status

DNS Records

Correctly functioning name servers are necessary to hold and distribute information that's necessary for your domain name to operate correctly. Examples include converting names to IP addresses, determining where email should go, and so on. More recently, the DNS is being used to communicate email and other security policies.

Test passed

Everything seems to be well configured. Well done.

DNS Records

These are the results of individual DNS queries against your nameserver for common resource record types.

Name	TTL	Type	Data
skiff.com.	300	A	172.66.41.24
skiff.com.	300	A	172.66.42.232
www.skiff.com.	300	A	172.66.42.232
www.skiff.com.	300	A	172.66.41.24
skiff.com.	300	AAAA	2606:4700:3108:0:0:0:ac42:2ae8
skiff.com.	300	AAAA	2606:4700:3108:0:0:0:ac42:2918
www.skiff.com.	300	AAAA	2606:4700:3108:0:0:0:ac42:2ae8
www.skiff.com.	300	AAAA	2606:4700:3108:0:0:0:ac42:2918
skiff.com.	300	CAA	0 iodef "mailto:security@skiff.org"
skiff.com.	300	CAA	0 issue "amazon.com"
skiff.com.	300	CAA	0 issue "letsencrypt.org"
skiff.com.	3600	DNSKEY	256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
skiff.com.	3600	DNSKEY	257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
skiff.com.	300	MX	1 inbound-smtp.skiff.com.
skiff.com.	86400	NS	yevgen.ns.cloudflare.com.
skiff.com.	86400	NS	heidi.ns.cloudflare.com.
skiff.com.	1800	SOA	heidi.ns.cloudflare.com. dns.cloudflare.com. 2321452054 10000 2400 604800 1800
skiff.com.	60	TXT	"google-site-verification=CL9hOZcRvcPB3MbzIXK0lM5inm88rQzeKIwAj5u673g"
skiff.com.	60	TXT	"google-site-verification=cFZeODTSuzK_Uf5hsbkK-4Lf6yowQILKcBgM-sePmRY"
skiff.com.	60	TXT	"v=spf1 ip4:34.223.139.255 ip4:52.33.229.188 ip4:52.27.131.180 ip4:44.233.0.116 ip4:35.82.207.188 ip4:35.166.143.94 -all"
skiff.com.	60	TXT	"<03.15.2023>"
skiff.com.	60	TXT	"IR-a9c30691a111329d3b4a129ef44357e0ce6cfeffad73d9fcb68fd7ea6265a363"
skiff.com.	60	TXT	"MS=ms46306238"
skiff.com.	60	TXT	"MS=ms76043800"
skiff.com.	60	TXT	"MS=ms81723164"
skiff.com.	60	TXT	"ca3-dbb30cfd8fa64b0daec218ba57140e5b"
skiff.com.	60	TXT	"google-site-verification=4STeRgj8YkMzj__BsCqeIy08lfo83rGyzYwpcxREW3s"
skiff.com.	60	TXT	"google-site-verification=BKa9NWFnlHAivSYuEKaIzWni7qjFiVlBNHWqOHN-UxQ"
_dmarc.skiff.com.	300	TXT	"v=DMARC1;p=reject;pct=100;adkim=s;aspf=r;rua=mailto:rua-com@skiff.org,mailto:re+b36bf17d2996@inbound.dmarcdigests.com;ruf=mailto:ruf-com@skiff.org;fo=1;"
_mta-sts.skiff.com.	300	TXT	"v=STSv1; id=202305220217"
_smtp._tls.skiff.com.	300	TXT	"v=TLSRPTv1; rua=https://tlsrpt.skiff.com"

Backing DNS Queries

Below are all DNS queries we submitted while inspecting the resource records.

	ID	Server	Question Name	Type	Status

DNSSEC

DNSSEC is an extension of the DNS protocol that provides cryptographic assurance of the authenticity and integrity of responses; it's intended as a defense against network attackers who are able to manipulate DNS to redirect their victims to servers of their choice. DNSSEC is controversial, with the industry split largely between those who think it's essential and those who believe that it's problematic and unnecessary.

Test passed

Everything seems to be well configured. Well done.

Analysis

DNSSEC is well configured

Good. This domain name has well-configured DNSSEC.

Useful DNSSEC Tools

Certification Authority Authorization

CAA (RFC 8659) is a new standard that allows domain name owners to restrict which CAs are allowed to issue certificates for their domains. This can help to reduce the chance of misissuance, either accidentally or maliciously. In September 2017, CAA became mandatory for CAs to implement.

Test passed

Everything seems to be well configured. Well done.

CAA Policy Information

The DNS hostname where this policy is located.Policy host	skiff.com
The iodef property specifies a means of reporting certificate issue requests or cases of certificate issue for the corresponding domain that violate the security policy of the issuer or the domain name holder.iodef	mailto:security@skiff.org flags: 0
The issue property tag is used to request that certificate issuers perform CAA issue restriction processing for the domain and to grant authorization to specific certificate issuers.issue	amazon.com flags: 0
The issue property tag is used to request that certificate issuers perform CAA issue restriction processing for the domain and to grant authorization to specific certificate issuers.issue	letsencrypt.org flags: 0

Analysis

CAA policy found

Good. This domain name uses CAA to restrict which CAs are allowed to issue certificates for it.

Policy uses reporting

Great. This policy uses reporting, which means that your contact information is available should someone need to contact you about a CAA violation. Do note that you're not guaranteed to be notified, given that CAs generally don't support notifications yet.

Email (SMTP)

An internet hostname can be served by zero or more mail servers, as specified by MX (mail exchange) DNS resource records. Each server can further resolve to multiple IP addresses, for example to handle IPv4 and IPv6 clients. Thus, in practice, hosts that wish to receive email reliably are supported by many endpoint.

Test passed

Everything seems to be well configured. Well done.

Server

Preference

Operational

STARTTLS

TLS

PKI

DNSSEC

DANE

inbound-smtp.skiff.com
54.70.29.253
PTR: inbound-smtp.skiff.com

inbound-smtp.skiff.com
52.88.57.209
PTR: inbound-smtp.skiff.com

inbound-smtp.skiff.com
52.27.246.88
PTR: inbound-smtp.skiff.com

Analysis

Email servers match MTA-STS policy

Good. This host supports MTA-STS, which means that it restricts which MX servers can be used and how they are configured. We've verified that all MX servers listed here match the policy.

Email TLS (SMTP)

Transport Layer Security (TLS) is the most widely used encryption protocol on the Internet. In combination with valid certificates, servers can establish trusted communication channels even with users who have never visited them before. Network attackers can't uncover what is being communicated, even when they can see all the traffic.

Test passed

Everything seems to be well configured. Well done.

TLS Configuration: inbound-smtp.skiff.com (54.70.29.253)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 Suite ID: 0xc061 Cipher name: ARIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 Suite ID: 0xc060 Cipher name: ARIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits)

Analysis

TLS 1.2 supported

Good. This server supports TLS 1.2, which can provide strong security when configured correctly. This version of the TLS protocol is necessary to provide good security with a wide range of clients that don't yet support TLS 1.3.

Server enforces cipher suite preferences

Excellent. This server enforces server cipher suite preference, which means that it is able to select the best suite from the options submitted by clients. Combined with a well designed list of supported cipher suites, this settings enables negotiation of best security.

Strong key exchange detected

Excellent. All cipher suites on this server rely on strong key exchange. The sweet spot is 2048 bits for DHE and 256 bits for ECDHE. Putting ECDHE suites first guarantees best security and best performance.

Server prefers forward secrecy and authenticated encryption suites

Excellent. Not only does this server enforce its server preference, but it also has at the top of the list suites that support both forward secrecy and authenticated encryption. This is the best TLS 1.2 can offer.

Relaxed TLS assessment criteria applied to SMTP on port 25

We apply relaxed assessment criteria when evaluating TLS configuration of SMTP servers on port 25. This is because most delivery agents fall back to delivering via plaintext on failure to negotiate encryption. Some configuration elements that can be abused to attack other ports and protocols (e.g., SSLv2 and export cipher suites) are penalized in the same way as for other protocols. We will review this policy in the future.

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: inbound-smtp.skiff.com (52.88.57.209)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 Suite ID: 0xc061 Cipher name: ARIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 Suite ID: 0xc060 Cipher name: ARIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits)

Analysis

TLS 1.2 supported

Server enforces cipher suite preferences

Strong key exchange detected

Server prefers forward secrecy and authenticated encryption suites

Relaxed TLS assessment criteria applied to SMTP on port 25

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: inbound-smtp.skiff.com (52.27.246.88)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 Suite ID: 0xc061 Cipher name: ARIA Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 Suite ID: 0xc060 Cipher name: ARIA Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits)

Analysis

TLS 1.2 supported

Server enforces cipher suite preferences

Strong key exchange detected

Server prefers forward secrecy and authenticated encryption suites

Relaxed TLS assessment criteria applied to SMTP on port 25

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

Email Certificates (SMTP)

A certificate is a digital document that contains a public key, some information about the entity associated with it, and a digital signature from the certificate issuer. It’s a mechanism that enables us to exchange, store, and use public keys. Being able to reliably verify the identity of a remote server is crucial in order to achieve secure encrypted communication.

Test passed

Everything seems to be well configured. Well done.

Certificate #1

Leaf certificate

inbound-smtp.skiff.com
Issuer: Sectigo
Not Before: 30 Nov 2022 00:00:00 UTC
Not After: 30 Nov 2023 23:59:59 UTC (expires in 2 months 1 day)
Key: RSA 2048 bits
Signature: SHA384withRSA
View details

Names	inbound-smtp.skiff.com www.inbound-smtp.skiff.com
Subject DN	CN=inbound-smtp.skiff.com
Subject Key Identifier	b9fe80eed6a9919c42f6a3f0fb3aa8e54713a194
Serial	77dc45929fd6f49c9d5e81e5cf8039d1
Not Before	30 Nov 2022 00:00:00 UTC
Not After	30 Nov 2023 23:59:59 UTC
Validity period	366 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=ZeroSSL RSA Domain Secure Site CA, O=ZeroSSL, C=AT
Certification Authority	Sectigo
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:c8d97868a2d91968d53d72de5f0a3edcb58686a6
Parent Certificate	http://zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt
OCSP	http://zerossl.ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	30 Nov 2022 08:19:02 UTC \| Google 'Xenon2023' log \| Qualified 30 Nov 2022 08:19:02 UTC \| Cloudflare 'Nimbus2023' Log \| Qualified 30 Nov 2022 08:19:02 UTC \| Google 'Argon2023' log \| Qualified
Fingerprints
SHA1	619c609f401a98bda13e41339e975751746b20d1
SHA256	58587c6a96d0d533ae973f90202ee3e094eafcaf5288cee28f16579002fcb81c
SPKI SHA256	fe405be2565e130ba1efbe807276652c8033edd893e431ae85c2bc9862c96b1b

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Chain

Leaf certificate

inbound-smtp.skiff.com | 58587c6
Not After: 30 Nov 2023 23:59:59 UTC (expires in 2 months 1 day)
Authentication: RSA 2048 bits (SHA384withRSA)
View details

Names	inbound-smtp.skiff.com www.inbound-smtp.skiff.com
Subject DN	CN=inbound-smtp.skiff.com
Subject Key Identifier	b9fe80eed6a9919c42f6a3f0fb3aa8e54713a194
Serial	77dc45929fd6f49c9d5e81e5cf8039d1
Not Before	30 Nov 2022 00:00:00 UTC
Not After	30 Nov 2023 23:59:59 UTC
Validity period	366 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=ZeroSSL RSA Domain Secure Site CA, O=ZeroSSL, C=AT
Certification Authority	Sectigo
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:c8d97868a2d91968d53d72de5f0a3edcb58686a6
Parent Certificate	http://zerossl.crt.sectigo.com/ZeroSSLRSADomainSecureSiteCA.crt
OCSP	http://zerossl.ocsp.sectigo.com
Certificate Transparency
Signed Certificate Timestamps	30 Nov 2022 08:19:02 UTC \| Google 'Xenon2023' log \| Qualified 30 Nov 2022 08:19:02 UTC \| Cloudflare 'Nimbus2023' Log \| Qualified 30 Nov 2022 08:19:02 UTC \| Google 'Argon2023' log \| Qualified
Fingerprints
SHA1	619c609f401a98bda13e41339e975751746b20d1
SHA256	58587c6a96d0d533ae973f90202ee3e094eafcaf5288cee28f16579002fcb81c
SPKI SHA256	fe405be2565e130ba1efbe807276652c8033edd893e431ae85c2bc9862c96b1b

Intermediate certificate

ZeroSSL RSA Domain Secure Site CA | 21acc1d
Not After: 29 Jan 2030 23:59:59 UTC (expires in 6 years 4 months)
Authentication: RSA 4096 bits (SHA384withRSA)
View details

Subject DN	CN=ZeroSSL RSA Domain Secure Site CA, O=ZeroSSL, C=AT
Subject Key Identifier	c8d97868a2d91968d53d72de5f0a3edcb58686a6
Serial	6c55abdbd00792c79d070cd8119ed6bf
Not Before	30 Jan 2020 00:00:00 UTC
Not After	29 Jan 2030 23:59:59 UTC
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	serverAuth, clientAuth
Issuer
Issuer DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certification Authority	Sectigo
Validation Type	Not Applicable
Authority Key Identifier	keyid:5379bf5aaa2b4acf5480e1d89bc09df2b20366cb
Parent Certificate	http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
CRL	http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
OCSP	http://ocsp.usertrust.com
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	c81a8bd1f9cf6d84c525f378ca1d3f8c30770e34
SHA256	21acc1dbd6944f9ac18c782cb5c328d6c2821c6b63731fa3b8987f5625de8a0d
SPKI SHA256	47785c30e006c34585cedb86dac913a1da07a7c20689ddd083adc29fb6146283

Root certificate

USERTrust RSA Certification Authority | e793c9b
Not After: 18 Jan 2038 23:59:59 UTC (expires in 14 years 3 months)
Authentication: RSA 4096 bits (SHA384withRSA)
View details

Subject DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Subject Key Identifier	5379bf5aaa2b4acf5480e1d89bc09df2b20366cb
Serial	1fd6d30fca3ca51a81bbc640e35032d
Not Before	01 Feb 2010 00:00:00 UTC
Not After	18 Jan 2038 23:59:59 UTC
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Certification Authority	Sectigo
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e
SHA256	e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd2
SPKI SHA256	c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

Email DANE (SMTP)

DNS-based Authentication of Named Entities (DANE) is a bridge between DNSSEC and TLS. In one possible scenario, DANE can be used for public key pinning, building on an existing publicly-trusted certificate. In another approach, it can be used to completely bypass the CA ecosystem and establish trust using DNSSEC alone.

Test passed

Everything seems to be well configured. Well done.

DANE: inbound-smtp.skiff.com (54.70.29.253)

Specifies which certificate in the chain is being pinned and how validation should be performed.Certificate Usage	Domain-issued certificate / DANE-EE (3)
Determines if the association is made with a certificate or with a public key (via its SPKI structure).Selector	Certificate (0)
Determines how matching is done; directly or via a hash. Matching Type	SHA2-256 (1)
Contains the data necessary to perform the matching. Data	58587c6a96d0d533ae973f90202ee3e094eafcaf5288cee28f16579002fcb81c Leaf certificate: RSA 2048 bits Subject: CN=inbound-smtp.skiff.com Issuer: CN=ZeroSSL RSA Domain Secure Site CA, O=ZeroSSL, C=AT inbound-smtp.skiff.com (RSA 2048 bits)

Analysis

Valid DANE configuration

Excellent. Your DANE configuration matches the certificate chain(s) provided by the service. Your TLS configuration enjoys the additional benefit of DANE validation.

DANE: inbound-smtp.skiff.com (52.88.57.209)

Specifies which certificate in the chain is being pinned and how validation should be performed.Certificate Usage	Domain-issued certificate / DANE-EE (3)
Determines if the association is made with a certificate or with a public key (via its SPKI structure).Selector	Certificate (0)
Determines how matching is done; directly or via a hash. Matching Type	SHA2-256 (1)
Contains the data necessary to perform the matching. Data	58587c6a96d0d533ae973f90202ee3e094eafcaf5288cee28f16579002fcb81c Leaf certificate: RSA 2048 bits Subject: CN=inbound-smtp.skiff.com Issuer: CN=ZeroSSL RSA Domain Secure Site CA, O=ZeroSSL, C=AT inbound-smtp.skiff.com (RSA 2048 bits)

Analysis

Valid DANE configuration

Excellent. Your DANE configuration matches the certificate chain(s) provided by the service. Your TLS configuration enjoys the additional benefit of DANE validation.

DANE: inbound-smtp.skiff.com (52.27.246.88)

Specifies which certificate in the chain is being pinned and how validation should be performed.Certificate Usage	Domain-issued certificate / DANE-EE (3)
Determines if the association is made with a certificate or with a public key (via its SPKI structure).Selector	Certificate (0)
Determines how matching is done; directly or via a hash. Matching Type	SHA2-256 (1)
Contains the data necessary to perform the matching. Data	58587c6a96d0d533ae973f90202ee3e094eafcaf5288cee28f16579002fcb81c Leaf certificate: RSA 2048 bits Subject: CN=inbound-smtp.skiff.com Issuer: CN=ZeroSSL RSA Domain Secure Site CA, O=ZeroSSL, C=AT inbound-smtp.skiff.com (RSA 2048 bits)

Analysis

Valid DANE configuration

Excellent. Your DANE configuration matches the certificate chain(s) provided by the service. Your TLS configuration enjoys the additional benefit of DANE validation.

SPF

Sender Policy Framework (SPF) is a protocol that allows domain name owners to control which internet hosts are allowed to send email on their behalf. This simple mechanism can be used to reduce the effect of email spoofing and cut down on spam.

Test passed

Everything seems to be well configured. Well done.

SPF Policy Information Main policy

Host where this policy is located.Location	skiff.com
SPF version used by this policy.v	spf1
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	34.223.139.255
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	52.33.229.188
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	52.27.131.180
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	44.233.0.116
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	35.82.207.188
This mechanism tests whether the IP address being tested is contained within a given IPv4 network. ip4	35.166.143.94
This policy element always matches. It's normally used at the end of a policy to specify the handling of hosts that don't match earlier mechanisms. -all

Analysis

SPF policy found

Policy text: v=spf1 ip4:34.223.139.255 ip4:52.33.229.188 ip4:52.27.131.180 ip4:44.233.0.116 ip4:35.82.207.188 ip4:35.166.143.94 -all

Location: skiff.com

SPF policy is valid

Good. Your SPF policy is syntactically valid.

Policy uses default fail

Excellent. This policy fails hosts that are not allowed to send email for this domain name.

Policy DNS lookups under limit

Good. Your policy stays under the limit of up to 10 DNS queries. The SPF specification Section 4.6.4. requires implementations to limit the total number of DNS queries. Policies that exceed the limit should not be used and may not work in practice.

Lookups: 0

DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.

Test passed

Everything seems to be well configured. Well done.

DMARC Policy Information

The location from which we obtained this policy.Policy location	_dmarc.skiff.com
DMARC version used by this policy.v	DMARC1
Indicates the policy to be enacted by the receiver at the request of the domain owner. Possible values are: none, quarantine, and reject.p	reject
Percentage of messages from mail stream to which the DMARC policy is to be applied.pct	100
Indicates whether strict or relaxed DKIM alignment mode is required.adkim	s
Indicates whether strict or relaxed SPF alignment mode is required.aspf	r
Addresses to which aggregate feedback is to be sent.rua	mailto:rua-com@skiff.org,mailto:re+b36bf17d2996@inbound.dmarcdigests.com
Addresses to which message-specific failure information is to be reported.ruf	mailto:ruf-com@skiff.org
Configures failure reporting.fo	1

Analysis

DMARC policy found

Policy: v=DMARC1;p=reject;pct=100;adkim=s;aspf=r;rua=mailto:rua-com@skiff.org,mailto:re+b36bf17d2996@inbound.dmarcdigests.com;ruf=mailto:ruf-com@skiff.org;fo=1;

Host: _dmarc.skiff.com

Valid external destination

Permission record location: skiff.com._report._dmarc.skiff.org

External destination: mailto:rua-com@skiff.org

Permission record contents: v=DMARC1

Valid external destination

Permission record location: skiff.com._report._dmarc.inbound.dmarcdigests.com

External destination: mailto:re+b36bf17d2996@inbound.dmarcdigests.com

Permission record contents: v=DMARC1;

Policy is valid

Good. You have a valid DMARC policy.

MTA Strict Transport Security

SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections, and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

Test passed

Everything seems to be well configured. Well done.

MTA-STS Policy Indicator

Location from which we retrieved the policy indicator.Location	_mta-sts.skiff.com
MTA-STS standard version used by this policy indicator.Version	STSv1
Unique policy identifier, whose value must change every time the underlying policy changes.ID	202305220217

Analysis

MTA-STS policy indicator valid

Good. Your MTA-STS policy indicator is valid.

MTA-STS Policy

The URL from which the policy was obtained.Location	https://mta-sts.skiff.com/.well-known/mta-sts.txt
Policy standard version.version	STSv1
Policy duration, which specifies how long the sending MTAs should remember and enforce the server policy for.max‑age	86,400 seconds (about 1 day)
Policy mode, which can be one of 'none', 'testing' and 'enforcing'. Guess which is best! :)mode	enforce
One 'mx' directive specifies one email server pattern that's allowed for this host.mx	inbound-smtp.skiff.com

Analysis

MTA-STS policy is valid

Good. Your MTA-STS policy is valid.

Policy host certificate is valid

Good. Your MTA-STS policy is delivered via a web server that has a valid publicly trusted certificate. This is a necessary condition for the policy to be recognized.

Policy HTTPS response information

Status code: 200

Length: 75 bytes

Content-Type: text/plain;charset=UTF-8

Certificate: mta-sts.skiff.com

Leaf certificate

skiff.com
Issuer: Let's Encrypt
Not Before: 02 Aug 2023 06:42:05 UTC
Not After: 31 Oct 2023 06:42:04 UTC (expires in 1 month 2 days)
Key: EC 256 bits
Signature: SHA384withECDSA
View details

Names	.api.skiff.com .app.skiff.com *.skiff.com skiff.com
Subject DN	CN=skiff.com
Subject Key Identifier	1de674dc339128181c201471ac9331643fccb3f1
Serial	3e83edb6950fe125891e11363e4ebdb255d
Not Before	02 Aug 2023 06:42:05 UTC
Not After	31 Oct 2023 06:42:04 UTC
Validity period	90 days
Key Usage	digitalSignature
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=E1, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:5af3ed2bfc36c23779b95230ea546fcf55cb2eac
Parent Certificate	http://e1.i.lencr.org/
OCSP	http://e1.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	02 Aug 2023 07:42:05 UTC \| Cloudflare 'Nimbus2023' Log \| Qualified 02 Aug 2023 07:42:05 UTC \| Google 'Argon2023' log \| Qualified
Fingerprints
SHA1	4f672023431946484d9c862b58e3589303cf7cd5
SHA256	ff7707964d9d9fbe23111e612fd64273ee3000f86438184b0a4909490ed962c7
SPKI SHA256	9d807b452f1c7be773a0df3b97ea5f0cc982295eff44f831032b9eb8d764171f

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Chain

Leaf certificate

skiff.com | ff77079
Not After: 31 Oct 2023 06:42:04 UTC (expires in 1 month 2 days)
Authentication: EC 256 bits (SHA384withECDSA)
View details

Names	.api.skiff.com .app.skiff.com *.skiff.com skiff.com
Subject DN	CN=skiff.com
Subject Key Identifier	1de674dc339128181c201471ac9331643fccb3f1
Serial	3e83edb6950fe125891e11363e4ebdb255d
Not Before	02 Aug 2023 06:42:05 UTC
Not After	31 Oct 2023 06:42:04 UTC
Validity period	90 days
Key Usage	digitalSignature
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=E1, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:5af3ed2bfc36c23779b95230ea546fcf55cb2eac
Parent Certificate	http://e1.i.lencr.org/
OCSP	http://e1.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	02 Aug 2023 07:42:05 UTC \| Cloudflare 'Nimbus2023' Log \| Qualified 02 Aug 2023 07:42:05 UTC \| Google 'Argon2023' log \| Qualified
Fingerprints
SHA1	4f672023431946484d9c862b58e3589303cf7cd5
SHA256	ff7707964d9d9fbe23111e612fd64273ee3000f86438184b0a4909490ed962c7
SPKI SHA256	9d807b452f1c7be773a0df3b97ea5f0cc982295eff44f831032b9eb8d764171f

Intermediate certificate

E1 | 46494e3
Not After: 15 Sep 2025 16:00:00 UTC (expires in 1 year 11 months)
Authentication: EC 384 bits (SHA384withECDSA)
View details

Subject DN	CN=E1, O=Let's Encrypt, C=US
Subject Key Identifier	5af3ed2bfc36c23779b95230ea546fcf55cb2eac
Serial	b3bddff8a7845bbce903a04135b34a45
Not Before	04 Sep 2020 00:00:00 UTC
Not After	15 Sep 2025 16:00:00 UTC
Validity period	1838 days
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	clientAuth, serverAuth
Issuer
Issuer DN	CN=ISRG Root X2, O=Internet Security Research Group, C=US
Certification Authority	Let's Encrypt
Validation Type	Not Applicable
Authority Key Identifier	keyid:7c4296aede4b483bfa92f89e8ccf6d8ba9723795
Parent Certificate	http://x2.i.lencr.org/
CRL	http://x2.c.lencr.org/
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	091e8ea1b256a312962af6c140c0fbf079a407b3
SHA256	46494e30379059df18be52124305e606fc59070e5b21076ce113954b60517cda
SPKI SHA256	276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10

Intermediate certificate

ISRG Root X2 | 8b05b68
Not After: 15 Sep 2025 16:00:00 UTC (expires in 1 year 11 months)
Authentication: EC 384 bits (SHA256withRSA)
View details

Subject DN	CN=ISRG Root X2, O=Internet Security Research Group, C=US
Subject Key Identifier	7c4296aede4b483bfa92f89e8ccf6d8ba9723795
Serial	79e492886376fd40848c23fc631e463
Not Before	04 Sep 2020 00:00:00 UTC
Not After	15 Sep 2025 16:00:00 UTC
Validity period	1838 days
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Certification Authority	Let's Encrypt
Validation Type	Not Applicable
Authority Key Identifier	keyid:79b459e67bb6e5e40173800888c81a58f6e99b6e
Parent Certificate	http://x1.i.lencr.org/
CRL	http://x1.c.lencr.org/
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	151682f5218c0a511c28f4060a73b9ca78ce9a53
SHA256	8b05b68cc659e5ed0fcb38f2c942fbfd200e6f2ff9f85d63c6994ef5e0b02701
SPKI SHA256	762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332

Intermediate certificate

ISRG Root X1 | 6d99fb2
Not After: 30 Sep 2024 18:14:03 UTC (expires in 1 year 1 day)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Subject DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Subject Key Identifier	79b459e67bb6e5e40173800888c81a58f6e99b6e
Serial	4001772137d4e942b8ee76aa3c640ab7
Not Before	20 Jan 2021 19:14:03 UTC
Not After	30 Sep 2024 18:14:03 UTC
Validity period	1349 days
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=DST Root CA X3, O=Digital Signature Trust Co.
Certification Authority	IdenTrust Services, LLC
Validation Type	Not Applicable
Authority Key Identifier	keyid:c4a7b1a47b2c71fadbe14b9075ffc41560858910
Parent Certificate	http://apps.identrust.com/roots/dstrootcax3.p7c
CRL	http://crl.identrust.com/DSTROOTCAX3CRL.crl
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	933c6ddee95c9c41a40f9f50493d82be03ad87bf
SHA256	6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
SPKI SHA256	0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3

Root certificate

DST Root CA X3 | 0687260
Not After: 30 Sep 2021 14:01:15 UTC (expired 1 year 11 months ago)
Authentication: RSA 2048 bits (SHA1withRSA)
View details

Subject DN	CN=DST Root CA X3, O=Digital Signature Trust Co.
Subject Key Identifier	c4a7b1a47b2c71fadbe14b9075ffc41560858910
Serial	44afb080d6a327ba893039862ef8406b
Not Before	30 Sep 2000 21:12:19 UTC
Not After	30 Sep 2021 14:01:15 UTC (expired 1 year 11 months ago)
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=DST Root CA X3, O=Digital Signature Trust Co.
Certification Authority	IdenTrust Services, LLC
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	dac9024f54d8f6df94935fb1732638ca6ad77c13
SHA256	0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
SPKI SHA256	563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

SMTP TLS Reporting

SMTP TLS Reporting (RFC 8460), or TLS-RPT for short, describes a reporting mechanism and format by which systems sending email can share statistics and specific information about potential failures with recipient domains. Recipient domains can then use this information to both detect potential attacks and diagnose unintentional misconfigurations. TLS-RPT can be used with DANE or MTA-STS.

Test passed

Everything seems to be well configured. Well done.

TLS-RPT Policy

Location from which we retrieved the policy indicator.Location	_smtp._tls.skiff.com
TLS-RPT standard version used by this policy indicator.Version	TLSRPTv1
Reporting endpoints specified in the policy.Reporting Endpoints	https://tlsrpt.skiff.com

Analysis

SMTP TLS-RPT policy valid

Good. Your TLS-RPT policy is valid. SMTP TLS Reporting is a young standard that is not yet widely supported, but support is probably going to increase over time.

HTTP (80)

To observe your HTTP implementation, we submit a request to the homepage of your site on port 80, follow all redirections (even when they take us to other domain names), and record the returned HTTP headers.

Test passed

Everything seems to be well configured. Well done.

URL: http://skiff.com/

http://skiff.com/

HTTP/1.1 301 Moved Permanently

Date	Fri, 29 Sep 2023 06:09:57 GMT
Transfer-Encoding	chunked
Connection	keep-alive
Cache-Control	max-age=3600
Expires	Fri, 29 Sep 2023 07:09:57 GMT
Location	https://skiff.com/
Set-Cookie	__cf_bm=1Obo0Dj_ibTH4fSSVbZ_ZGwcVpBYTvfWOL.rEvKuKMc-1695967797-0-AeIiJeWZ+BQ8OmbhE49584ghxIljoimjdIbhp/E+IaLTEmC52Dm4YCwSpCCGjM6KMCCeenRxd7mp4to/CDlXU40=; path=/; expires=Fri, 29-Sep-23 06:39:57 GMT; domain=.skiff.com; HttpOnly; SameSite=None
Report-To	{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=TefOUbHpQR0ID78FzquGE4GBFONjJ%2FpSDi1bEKesmYepfiehK%2BN3Vs1%2Fv55PIpqAMvoKCgitye9m2AvpOtHkgFTm2%2Bi7ArQMaARHkAeM%2Bvl9we0fKwMG%2FNgUJg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL	{"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary	Accept-Encoding
X-Content-Type-Options	nosniff
Server	cloudflare
CF-RAY	80e20f6fd80e20ae-IAD

https://skiff.com/

HTTP/1.1 200 OK

Date	Fri, 29 Sep 2023 06:09:57 GMT
Content-Type	text/html; charset=utf-8
Transfer-Encoding	chunked
Connection	keep-alive
Cache-Control	public, max-age=0, must-revalidate
Link	</_next/static/css/84d9af3382b943f9.css>; rel="preload"; as=style
content-security-policy	default-src 'self'; script-src 'self' https://static.cloudflareinsights.com; script-src-elem 'self' 'unsafe-inline' https://platform.twitter.com/js/ https://platform.twitter.com/widgets.js https://www.youtube.com https://cdn.matomo.cloud/skiff.matomo.cloud/matomo.js https://skiff.matomo.cloud/plugins/HeatmapSessionRecording/; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self' https://hooks.slack.com/services/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 https://sdd9dua4.apicdn.sanity.io/ https://skiff.matomo.cloud https://skiff.zendesk.com https://static.cloudflareinsights.com https://marketing-site.skiff.com; font-src 'self' data:; frame-src 'self' https://platform.twitter.com/ https://www.youtube.com; img-src 'self' https://cdn.sanity.io https://i.ytimg.com; manifest-src 'self'; media-src 'self'; report-uri https://cspreports.skiff.com; worker-src 'self'
content-security-policy-report-only	require-trusted-types-for 'script'; report-uri https://cspreports.skiff.com
permissions-policy	accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
referrer-policy	strict-origin-when-cross-origin
x-content-type-options	nosniff
x-frame-options	DENY
x-xss-protection	0
Report-To	{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=HuO3fclwEHWPORDlgf1eI6gru8sPpR9ZYcsejG05vmZhTHe%2BwlmwBYOFA2xNcCA4akNdcNnwd26DjMaf1YP7e4b3%2Fo1Sq5BU%2FM9UJjLG2VHGOfMaX7ZnsW4CPLs%3D"}],"group":"cf-nel","max_age":604800}
NEL	{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary	Accept-Encoding
CF-Cache-Status	DYNAMIC
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
Server	cloudflare
CF-RAY	80e20f704ef59c70-IAD

Analysis

HTTP redirects to HTTPS

Good. This plaintext HTTP server redirects to HTTPS.

URL: http://www.skiff.com/

http://www.skiff.com/

HTTP/1.1 301 Moved Permanently

Date	Fri, 29 Sep 2023 06:09:57 GMT
Transfer-Encoding	chunked
Connection	keep-alive
Cache-Control	max-age=3600
Expires	Fri, 29 Sep 2023 07:09:57 GMT
Location	https://skiff.com/
Set-Cookie	__cf_bm=wsGdUll6pMGfzOuIYMrnkJItcJ0RT2jI7bLiLzbGoU8-1695967797-0-AXc4tUQndioKs6MVTx/kA3+QZF//q1+5ogxZZH+iM/UCVSkNKQAhHtC4wUl05gzG30fLDKEkn2UASGFAAQLhg3A=; path=/; expires=Fri, 29-Sep-23 06:39:57 GMT; domain=.skiff.com; HttpOnly; SameSite=None
Report-To	{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vsoVqc5eKS2yATHfEh%2BXwuPej24GGzU2LeztiylF7vNyRR7zX3u7P50uyqMPHKCmR9yzMJjEO1W2yuhWEawf0NsHEIbsbCkU7rgvGxW3Z7n8w4SFcAZmm%2Bm37jyl%2FQs%3D"}],"group":"cf-nel","max_age":604800}
NEL	{"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary	Accept-Encoding
X-Content-Type-Options	nosniff
Server	cloudflare
CF-RAY	80e20f710aa21315-IAD

https://skiff.com/

HTTP/1.1 200 OK

Date	Fri, 29 Sep 2023 06:09:58 GMT
Content-Type	text/html; charset=utf-8
Transfer-Encoding	chunked
Connection	keep-alive
Cache-Control	public, max-age=0, must-revalidate
Link	</_next/static/css/84d9af3382b943f9.css>; rel="preload"; as=style
content-security-policy	default-src 'self'; script-src 'self' https://static.cloudflareinsights.com; script-src-elem 'self' 'unsafe-inline' https://platform.twitter.com/js/ https://platform.twitter.com/widgets.js https://www.youtube.com https://cdn.matomo.cloud/skiff.matomo.cloud/matomo.js https://skiff.matomo.cloud/plugins/HeatmapSessionRecording/; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self' https://hooks.slack.com/services/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 https://sdd9dua4.apicdn.sanity.io/ https://skiff.matomo.cloud https://skiff.zendesk.com https://static.cloudflareinsights.com https://marketing-site.skiff.com; font-src 'self' data:; frame-src 'self' https://platform.twitter.com/ https://www.youtube.com; img-src 'self' https://cdn.sanity.io https://i.ytimg.com; manifest-src 'self'; media-src 'self'; report-uri https://cspreports.skiff.com; worker-src 'self'
content-security-policy-report-only	require-trusted-types-for 'script'; report-uri https://cspreports.skiff.com
permissions-policy	accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
referrer-policy	strict-origin-when-cross-origin
x-content-type-options	nosniff
x-frame-options	DENY
x-xss-protection	0
Report-To	{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OSzEcEn5h3prr1ZXfoGSkSHpPg5OSwFr30skDB%2BeY8GRE08Ldi0wy7KFiIPvI%2FXFGZ%2By9A4WwGYkWIz6UYbjQH5vNnwyqJaXLWbQNamfJ9jN6ZxTYoRPtspYVyPqM8O8FiefzS7RD28%3D"}],"group":"cf-nel","max_age":604800}
NEL	{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary	Accept-Encoding
CF-Cache-Status	DYNAMIC
Set-Cookie	__cf_bm=xDteWeGCNRAtwAGjYn2uxrL.1CllaLIU.q5JXNu.PYA-1695967798-0-AWzTc40jWL0CEuC/m8g6Rwu0FDBXeagFXfwxMjVj3yvNocbNYSFFJzn+aybuuvIkhZXxPao2GgJgkEkMSl5DGq4=; path=/; expires=Fri, 29-Sep-23 06:39:58 GMT; domain=.skiff.com; HttpOnly; Secure; SameSite=None
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
Server	cloudflare
CF-RAY	80e20f718cf16fbb-IAD

Analysis

HTTP redirects to HTTPS

Good. This plaintext HTTP server redirects to HTTPS.

HTTP (443)

To observe your HTTPS implementation, we submit a request to the homepage of your site on port 443, follow all redirections (even when they take us to other domain names), and record the returned HTTP headers. We use the most recent set of headers returned from the tested hostname for further tests such as HSTS and HPKP.

Test passed

Everything seems to be well configured. Well done.

URL: https://skiff.com/

https://skiff.com/

HTTP/1.1 200 OK

Date	Fri, 29 Sep 2023 06:09:58 GMT
Content-Type	text/html; charset=utf-8
Transfer-Encoding	chunked
Connection	keep-alive
Cache-Control	public, max-age=0, must-revalidate
Link	</_next/static/css/84d9af3382b943f9.css>; rel="preload"; as=style
content-security-policy	default-src 'self'; script-src 'self' https://static.cloudflareinsights.com; script-src-elem 'self' 'unsafe-inline' https://platform.twitter.com/js/ https://platform.twitter.com/widgets.js https://www.youtube.com https://cdn.matomo.cloud/skiff.matomo.cloud/matomo.js https://skiff.matomo.cloud/plugins/HeatmapSessionRecording/; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self' https://hooks.slack.com/services/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 https://sdd9dua4.apicdn.sanity.io/ https://skiff.matomo.cloud https://skiff.zendesk.com https://static.cloudflareinsights.com https://marketing-site.skiff.com; font-src 'self' data:; frame-src 'self' https://platform.twitter.com/ https://www.youtube.com; img-src 'self' https://cdn.sanity.io https://i.ytimg.com; manifest-src 'self'; media-src 'self'; report-uri https://cspreports.skiff.com; worker-src 'self'
content-security-policy-report-only	require-trusted-types-for 'script'; report-uri https://cspreports.skiff.com
permissions-policy	accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
referrer-policy	strict-origin-when-cross-origin
x-content-type-options	nosniff
x-frame-options	DENY
x-xss-protection	0
Report-To	{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=iouUTa5tt5IgO%2FPBTAX0BOQBASkZ3eI36PwppYgXvvXHd4R8%2BL%2FRgpgijNyT0oQqefn2b0joEwW2Mmhs9uv9M%2FDR47vss6yIXNcik%2B%2F0qtG2tnWXt5KLIFC56hA%3D"}],"group":"cf-nel","max_age":604800}
NEL	{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary	Accept-Encoding
CF-Cache-Status	DYNAMIC
Set-Cookie	__cf_bm=ZpyxzlxlpVuOcbDM6Rr6_SS0PNR9DdwJVTMKXFAmLSI-1695967798-0-Af2H6gyuzfOY9jh57/Vb4q2TwcO9CuMofBkDZo9rf5OgXmA/xOH8Zb8Simw+r4cPntlvaiuHDV6ddg9k/OsmOgc=; path=/; expires=Fri, 29-Sep-23 06:39:58 GMT; domain=.skiff.com; HttpOnly; Secure; SameSite=None
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
Server	cloudflare
CF-RAY	80e20f727b210847-IAD

URL: https://www.skiff.com/

https://www.skiff.com/

HTTP/1.1 301 Moved Permanently

Date	Fri, 29 Sep 2023 06:09:58 GMT
Transfer-Encoding	chunked
Connection	keep-alive
Cache-Control	max-age=3600
Expires	Fri, 29 Sep 2023 07:09:58 GMT
Location	https://skiff.com/
Set-Cookie	__cf_bm=CrUFPBB4Cd6NYn9jtAVhhL3FAacIh1zdtstignpaqsg-1695967798-0-AZxaYTy9hd+8+oJzCKsnmzrc1ytETg5yRzIM4SlTMUAvLDIhEpwYa2ldGtTM7nXbYzJ0uutZpwGSrUpBgUgl+uY=; path=/; expires=Fri, 29-Sep-23 06:39:58 GMT; domain=.skiff.com; HttpOnly; Secure; SameSite=None
Report-To	{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0sFCLoR6EkiswxqVSaMNmEbvw%2F4GEvzoZoUDfn0IUPQmQh3bEF2xxC8DRSpSttlWqhIM8WLMQqzwDdp%2BBxEHcKwEFETtVta9PtKBMXtXwdMzBN3IuAkI%2BVU40%2F0O0ZU%3D"}],"group":"cf-nel","max_age":604800}
NEL	{"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
Vary	Accept-Encoding
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
X-Content-Type-Options	nosniff
Server	cloudflare
CF-RAY	80e20f737b3b2066-IAD

https://skiff.com/

HTTP/1.1 200 OK

Date	Fri, 29 Sep 2023 06:09:58 GMT
Content-Type	text/html; charset=utf-8
Transfer-Encoding	chunked
Connection	keep-alive
Cache-Control	public, max-age=0, must-revalidate
Link	</_next/static/css/84d9af3382b943f9.css>; rel="preload"; as=style
content-security-policy	default-src 'self'; script-src 'self' https://static.cloudflareinsights.com; script-src-elem 'self' 'unsafe-inline' https://platform.twitter.com/js/ https://platform.twitter.com/widgets.js https://www.youtube.com https://cdn.matomo.cloud/skiff.matomo.cloud/matomo.js https://skiff.matomo.cloud/plugins/HeatmapSessionRecording/; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self' https://hooks.slack.com/services/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 https://sdd9dua4.apicdn.sanity.io/ https://skiff.matomo.cloud https://skiff.zendesk.com https://static.cloudflareinsights.com https://marketing-site.skiff.com; font-src 'self' data:; frame-src 'self' https://platform.twitter.com/ https://www.youtube.com; img-src 'self' https://cdn.sanity.io https://i.ytimg.com; manifest-src 'self'; media-src 'self'; report-uri https://cspreports.skiff.com; worker-src 'self'
content-security-policy-report-only	require-trusted-types-for 'script'; report-uri https://cspreports.skiff.com
permissions-policy	accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
referrer-policy	strict-origin-when-cross-origin
x-content-type-options	nosniff
x-frame-options	DENY
x-xss-protection	0
Report-To	{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=OixULlA829IqqbtsDMdyVV3b8vlfUrbeF4Stfd2ZbeLJI%2BUNb1jc0VWqsx%2B6vDEIkmZ2vyHgweXLcPbpOR%2B2Dpbxm404tl%2F9sondwY16zoQWR0RVnCHLbkrtDaIWjXauYx1GXQL7LRo%3D"}],"group":"cf-nel","max_age":604800}
NEL	{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary	Accept-Encoding
CF-Cache-Status	DYNAMIC
Set-Cookie	__cf_bm=EvwEbupvRI2JAxKjn12i1H7RJ_jE2hTy_43Vgc3s_OA-1695967798-0-Aa+G0gbCblNCUXXFBK07yF7LQvXcNZRheXH+v8dajrGUNQJSODWZLHc+wduLkulFiH043b08abFFCB3eliWjFoo=; path=/; expires=Fri, 29-Sep-23 06:39:58 GMT; domain=.skiff.com; HttpOnly; Secure; SameSite=None
Strict-Transport-Security	max-age=31536000; includeSubDomains; preload
Server	cloudflare
CF-RAY	80e20f73e81c82b0-IAD

WWW TLS

Test passed

Everything seems to be well configured. Well done.

TLS Configuration: skiff.com (2606:4700:3108:0:0:0:ac42:2918)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc14 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca9 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02b Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Suite ID: 0xc009 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc02c Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Suite ID: 0xc00a Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc023 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc024 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc13 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0x9c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 128 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0x9d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 256 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0x3c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Suite ID: 0x3d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 256 bits
Signed Certificate Timestamps	TLS \| 02 Aug 2023 07:42:01 UTC \| Google 'Xenon2023' log \| Qualified TLS \| 02 Aug 2023 07:42:00 UTC \| Google 'Argon2023' log \| Qualified

Analysis

TLS 1.3 supported

Excellent. This server supports TLS 1.3, which is the latest revision of the TLS protocol and a significant improvement over earlier versions. Developed over a period of several years and extensively analyzed prior to the release, TLS 1.3 removed insecure features, and improved both security and performance.

TLS 1.2 supported

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Server prefers forward secrecy and authenticated encryption suites

Server enforces cipher suite preferences

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: www.skiff.com (2606:4700:3108:0:0:0:ac42:2918)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc14 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca9 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02b Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Suite ID: 0xc009 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc02c Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Suite ID: 0xc00a Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc023 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc024 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc13 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0x9c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 128 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0x9d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 256 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0x3c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Suite ID: 0x3d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 256 bits
Signed Certificate Timestamps	TLS \| 02 Aug 2023 07:42:01 UTC \| Google 'Xenon2023' log \| Qualified TLS \| 02 Aug 2023 07:42:00 UTC \| Google 'Argon2023' log \| Qualified

Analysis

TLS 1.3 supported

TLS 1.2 supported

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Server prefers forward secrecy and authenticated encryption suites

Server enforces cipher suite preferences

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: skiff.com (2606:4700:3108:0:0:0:ac42:2ae8)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc14 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca9 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02b Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Suite ID: 0xc009 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc02c Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Suite ID: 0xc00a Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc023 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc024 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc13 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0x9c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 128 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0x9d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 256 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0x3c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Suite ID: 0x3d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 256 bits
Signed Certificate Timestamps	TLS \| 02 Aug 2023 07:42:01 UTC \| Google 'Xenon2023' log \| Qualified TLS \| 02 Aug 2023 07:42:00 UTC \| Google 'Argon2023' log \| Qualified

Analysis

TLS 1.3 supported

TLS 1.2 supported

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Server prefers forward secrecy and authenticated encryption suites

Server enforces cipher suite preferences

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: www.skiff.com (2606:4700:3108:0:0:0:ac42:2ae8)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc14 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca9 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02b Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Suite ID: 0xc009 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc02c Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Suite ID: 0xc00a Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc023 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc024 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc13 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0x9c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 128 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0x9d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 256 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0x3c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Suite ID: 0x3d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 256 bits
Signed Certificate Timestamps	TLS \| 02 Aug 2023 07:42:01 UTC \| Google 'Xenon2023' log \| Qualified TLS \| 02 Aug 2023 07:42:00 UTC \| Google 'Argon2023' log \| Qualified

Analysis

TLS 1.3 supported

TLS 1.2 supported

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Server prefers forward secrecy and authenticated encryption suites

Server enforces cipher suite preferences

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: www.skiff.com (172.66.42.232)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc14 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca9 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02b Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Suite ID: 0xc009 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc02c Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Suite ID: 0xc00a Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc023 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc024 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc13 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0x9c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 128 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0x9d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 256 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0x3c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Suite ID: 0x3d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 256 bits
Signed Certificate Timestamps	TLS \| 02 Aug 2023 07:42:01 UTC \| Google 'Xenon2023' log \| Qualified TLS \| 02 Aug 2023 07:42:00 UTC \| Google 'Argon2023' log \| Qualified

Analysis

TLS 1.3 supported

TLS 1.2 supported

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Server prefers forward secrecy and authenticated encryption suites

Server enforces cipher suite preferences

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: skiff.com (172.66.42.232)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc14 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca9 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02b Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Suite ID: 0xc009 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc02c Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Suite ID: 0xc00a Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc023 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc024 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc13 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0x9c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 128 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0x9d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 256 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0x3c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Suite ID: 0x3d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 256 bits
Signed Certificate Timestamps	TLS \| 02 Aug 2023 07:42:01 UTC \| Google 'Xenon2023' log \| Qualified TLS \| 02 Aug 2023 07:42:00 UTC \| Google 'Argon2023' log \| Qualified

Analysis

TLS 1.3 supported

TLS 1.2 supported

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Server prefers forward secrecy and authenticated encryption suites

Server enforces cipher suite preferences

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: skiff.com (172.66.41.24)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc14 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca9 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02b Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Suite ID: 0xc009 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc02c Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Suite ID: 0xc00a Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc023 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc024 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc13 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0x9c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 128 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0x9d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 256 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0x3c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Suite ID: 0x3d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 256 bits
Signed Certificate Timestamps	TLS \| 02 Aug 2023 07:42:01 UTC \| Google 'Xenon2023' log \| Qualified TLS \| 02 Aug 2023 07:42:00 UTC \| Google 'Argon2023' log \| Qualified

Analysis

TLS 1.3 supported

TLS 1.2 supported

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Server prefers forward secrecy and authenticated encryption suites

Server enforces cipher suite preferences

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

TLS Configuration: www.skiff.com (172.66.41.24)

Encryption protocol version determines what features are available for negotiation between client and server.Supported protocols	TLS v1.3 TLS v1.2
Servers should always enforce their own cipher suite preference, as that is the only approach that guarantees that the best possible suite is selected.Server suite preference
Shows cipher suite configuration for this protocol version.TLS v1.3 Server preference	Suite: TLS_CHACHA20_POLY1305_SHA256 Suite ID: 0x1303 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_AES_128_GCM_SHA256 Suite ID: 0x1301 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_AES_256_GCM_SHA384 Suite ID: 0x1302 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ecdh_x25519 Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits)
Shows cipher suite configuration for this protocol version.TLS v1.2 Server preference	Suite: AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc14 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca9 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02b Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Suite ID: 0xc009 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc02c Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Suite ID: 0xc00a Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc023 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc024 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_ECDSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcc13 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 AGL_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 Suite ID: 0xcca8 Cipher name: CHACHA20 Cipher strength: 256 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0xc02f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Suite ID: 0xc013 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 Suite ID: 0x9c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 128 bits Suite: TLS_RSA_WITH_AES_128_CBC_SHA Suite ID: 0x2f Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_128_CBC_SHA 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0xc030 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Suite ID: 0xc014 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 Suite ID: 0x9d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: AEAD Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA384 TLS_RSA_WITH_AES_256_GCM_SHA384 256 bits Suite: TLS_RSA_WITH_AES_256_CBC_SHA Suite ID: 0x35 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA TLS_RSA_WITH_AES_256_CBC_SHA 256 bits Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0xc027 Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 128 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Suite ID: 0x3c Cipher name: AES Cipher strength: 128 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 128 bits Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Suite ID: 0xc028 Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: ECDHE_RSA Key exchange strength: EC ecdh_x25519 (256 bits) Forward secrecy: Yes PRF: SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 256 bits (ECDHE 256 bits) Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Suite ID: 0x3d Cipher name: AES Cipher strength: 256 bits Cipher block size: 128 bits Cipher mode: CBC Key exchange: RSA Key exchange strength: 2048 bits Forward secrecy: No (WEAK) PRF: SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 256 bits
Signed Certificate Timestamps	TLS \| 02 Aug 2023 07:42:01 UTC \| Google 'Xenon2023' log \| Qualified TLS \| 02 Aug 2023 07:42:00 UTC \| Google 'Argon2023' log \| Qualified

Analysis

TLS 1.3 supported

TLS 1.2 supported

Deprecated protocols not supported

Excellent. This server doesn't support any of the deprecated protocol (TLS 1.1 and earlier).

Strong key exchange detected

Server prefers forward secrecy and authenticated encryption suites

Server enforces cipher suite preferences

All TLS connections with this server satisfy Apple's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

All TLS connections with this server satisfy Chrome's CT requirements

All TLS connections established with this server satisfy Chrome's CT requirements, using certificate, TLS extension, or OCSP response as SCT transport method.

SCT transports: CERT, TLS

DHE suites not supported

This server doesn't support the Diffie-Hellman (DH) key exchange.

WWW Certificates

Test passed

Everything seems to be well configured. Well done.

Certificate: skiff.com

Leaf certificate

skiff.com
Issuer: Let's Encrypt
Not Before: 02 Aug 2023 06:42:05 UTC
Not After: 31 Oct 2023 06:42:04 UTC (expires in 1 month 2 days)
Key: EC 256 bits
Signature: SHA384withECDSA
View details

Names	.api.skiff.com .app.skiff.com *.skiff.com skiff.com
Subject DN	CN=skiff.com
Subject Key Identifier	1de674dc339128181c201471ac9331643fccb3f1
Serial	3e83edb6950fe125891e11363e4ebdb255d
Not Before	02 Aug 2023 06:42:05 UTC
Not After	31 Oct 2023 06:42:04 UTC
Validity period	90 days
Key Usage	digitalSignature
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=E1, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:5af3ed2bfc36c23779b95230ea546fcf55cb2eac
Parent Certificate	http://e1.i.lencr.org/
OCSP	http://e1.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	02 Aug 2023 07:42:05 UTC \| Cloudflare 'Nimbus2023' Log \| Qualified 02 Aug 2023 07:42:05 UTC \| Google 'Argon2023' log \| Qualified
Fingerprints
SHA1	4f672023431946484d9c862b58e3589303cf7cd5
SHA256	ff7707964d9d9fbe23111e612fd64273ee3000f86438184b0a4909490ed962c7
SPKI SHA256	9d807b452f1c7be773a0df3b97ea5f0cc982295eff44f831032b9eb8d764171f

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Trust

Determining whether a certificate is considered valid is a complicated process that depends on the exact configuration of the validating party. For trust to be established, the certificate must form a chain that ends with a trusted root. In this section we evaluate the server's certificate against major root stores.

Platform	Trusted
Apple
Google AOSP
Microsoft
Mozilla

Certificate Chain

For a server certificate to be valid, it must be presented as part of a complete and valid certificate chain. The last certificate in the chain should be the root and is usually not included in the configuration.

Leaf certificate

skiff.com | ff77079
Not After: 31 Oct 2023 06:42:04 UTC (expires in 1 month 2 days)
Authentication: EC 256 bits (SHA384withECDSA)
View details

Names	.api.skiff.com .app.skiff.com *.skiff.com skiff.com
Subject DN	CN=skiff.com
Subject Key Identifier	1de674dc339128181c201471ac9331643fccb3f1
Serial	3e83edb6950fe125891e11363e4ebdb255d
Not Before	02 Aug 2023 06:42:05 UTC
Not After	31 Oct 2023 06:42:04 UTC
Validity period	90 days
Key Usage	digitalSignature
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=E1, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:5af3ed2bfc36c23779b95230ea546fcf55cb2eac
Parent Certificate	http://e1.i.lencr.org/
OCSP	http://e1.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	02 Aug 2023 07:42:05 UTC \| Cloudflare 'Nimbus2023' Log \| Qualified 02 Aug 2023 07:42:05 UTC \| Google 'Argon2023' log \| Qualified
Fingerprints
SHA1	4f672023431946484d9c862b58e3589303cf7cd5
SHA256	ff7707964d9d9fbe23111e612fd64273ee3000f86438184b0a4909490ed962c7
SPKI SHA256	9d807b452f1c7be773a0df3b97ea5f0cc982295eff44f831032b9eb8d764171f

Intermediate certificate

E1 | 46494e3
Not After: 15 Sep 2025 16:00:00 UTC (expires in 1 year 11 months)
Authentication: EC 384 bits (SHA384withECDSA)
View details

Subject DN	CN=E1, O=Let's Encrypt, C=US
Subject Key Identifier	5af3ed2bfc36c23779b95230ea546fcf55cb2eac
Serial	b3bddff8a7845bbce903a04135b34a45
Not Before	04 Sep 2020 00:00:00 UTC
Not After	15 Sep 2025 16:00:00 UTC
Validity period	1838 days
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	clientAuth, serverAuth
Issuer
Issuer DN	CN=ISRG Root X2, O=Internet Security Research Group, C=US
Certification Authority	Let's Encrypt
Validation Type	Not Applicable
Authority Key Identifier	keyid:7c4296aede4b483bfa92f89e8ccf6d8ba9723795
Parent Certificate	http://x2.i.lencr.org/
CRL	http://x2.c.lencr.org/
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	091e8ea1b256a312962af6c140c0fbf079a407b3
SHA256	46494e30379059df18be52124305e606fc59070e5b21076ce113954b60517cda
SPKI SHA256	276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10

Intermediate certificate

ISRG Root X2 | 8b05b68
Not After: 15 Sep 2025 16:00:00 UTC (expires in 1 year 11 months)
Authentication: EC 384 bits (SHA256withRSA)
View details

Subject DN	CN=ISRG Root X2, O=Internet Security Research Group, C=US
Subject Key Identifier	7c4296aede4b483bfa92f89e8ccf6d8ba9723795
Serial	79e492886376fd40848c23fc631e463
Not Before	04 Sep 2020 00:00:00 UTC
Not After	15 Sep 2025 16:00:00 UTC
Validity period	1838 days
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Certification Authority	Let's Encrypt
Validation Type	Not Applicable
Authority Key Identifier	keyid:79b459e67bb6e5e40173800888c81a58f6e99b6e
Parent Certificate	http://x1.i.lencr.org/
CRL	http://x1.c.lencr.org/
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	151682f5218c0a511c28f4060a73b9ca78ce9a53
SHA256	8b05b68cc659e5ed0fcb38f2c942fbfd200e6f2ff9f85d63c6994ef5e0b02701
SPKI SHA256	762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332

Intermediate certificate

ISRG Root X1 | 6d99fb2
Not After: 30 Sep 2024 18:14:03 UTC (expires in 1 year 1 day)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Subject DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Subject Key Identifier	79b459e67bb6e5e40173800888c81a58f6e99b6e
Serial	4001772137d4e942b8ee76aa3c640ab7
Not Before	20 Jan 2021 19:14:03 UTC
Not After	30 Sep 2024 18:14:03 UTC
Validity period	1349 days
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=DST Root CA X3, O=Digital Signature Trust Co.
Certification Authority	IdenTrust Services, LLC
Validation Type	Not Applicable
Authority Key Identifier	keyid:c4a7b1a47b2c71fadbe14b9075ffc41560858910
Parent Certificate	http://apps.identrust.com/roots/dstrootcax3.p7c
CRL	http://crl.identrust.com/DSTROOTCAX3CRL.crl
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	933c6ddee95c9c41a40f9f50493d82be03ad87bf
SHA256	6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
SPKI SHA256	0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3

Root certificate

DST Root CA X3 | 0687260
Not After: 30 Sep 2021 14:01:15 UTC (expired 1 year 11 months ago)
Authentication: RSA 2048 bits (SHA1withRSA)
View details

Subject DN	CN=DST Root CA X3, O=Digital Signature Trust Co.
Subject Key Identifier	c4a7b1a47b2c71fadbe14b9075ffc41560858910
Serial	44afb080d6a327ba893039862ef8406b
Not Before	30 Sep 2000 21:12:19 UTC
Not After	30 Sep 2021 14:01:15 UTC (expired 1 year 11 months ago)
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=DST Root CA X3, O=Digital Signature Trust Co.
Certification Authority	IdenTrust Services, LLC
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	dac9024f54d8f6df94935fb1732638ca6ad77c13
SHA256	0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
SPKI SHA256	563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

Certificate: skiff.com

Leaf certificate

skiff.com
Issuer: Let's Encrypt
Not Before: 02 Aug 2023 06:42:00 UTC
Not After: 31 Oct 2023 06:41:59 UTC (expires in 1 month 2 days)
Key: RSA 2048 bits
Signature: SHA256withRSA
View details

Names	.api.skiff.com .app.skiff.com *.skiff.com skiff.com
Subject DN	CN=skiff.com
Subject Key Identifier	a10ce47b9cfc627cd0124f61e53d867e1f05b8a2
Serial	3fc4ab18ac6bd40f3d0cf461a6bf229dddf
Not Before	02 Aug 2023 06:42:00 UTC
Not After	31 Oct 2023 06:41:59 UTC
Validity period	90 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=R3, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:142eb317b75856cbae500940e61faf9d8b14c2c6
Parent Certificate	http://r3.i.lencr.org/
OCSP	http://r3.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	02 Aug 2023 07:42:00 UTC \| Let's Encrypt 'Oak2023' log \| Qualified 02 Aug 2023 07:42:00 UTC \| Cloudflare 'Nimbus2023' Log \| Qualified
Fingerprints
SHA1	a347786d73ce2804f8edcc3226f25704e06f0a91
SHA256	f9798074acd137b7dcafa4b2a57f5be17eef4603f4bc4f2214ea8143949dfaf8
SPKI SHA256	6d2b8f667e54feb0055f4a78347105e26c64b8a87523a628f12d04ecb87625eb

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Trust

Platform	Trusted
Apple
Google AOSP
Microsoft
Mozilla

Certificate Chain

Leaf certificate

skiff.com | f979807
Not After: 31 Oct 2023 06:41:59 UTC (expires in 1 month 2 days)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Names	.api.skiff.com .app.skiff.com *.skiff.com skiff.com
Subject DN	CN=skiff.com
Subject Key Identifier	a10ce47b9cfc627cd0124f61e53d867e1f05b8a2
Serial	3fc4ab18ac6bd40f3d0cf461a6bf229dddf
Not Before	02 Aug 2023 06:42:00 UTC
Not After	31 Oct 2023 06:41:59 UTC
Validity period	90 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=R3, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:142eb317b75856cbae500940e61faf9d8b14c2c6
Parent Certificate	http://r3.i.lencr.org/
OCSP	http://r3.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	02 Aug 2023 07:42:00 UTC \| Let's Encrypt 'Oak2023' log \| Qualified 02 Aug 2023 07:42:00 UTC \| Cloudflare 'Nimbus2023' Log \| Qualified
Fingerprints
SHA1	a347786d73ce2804f8edcc3226f25704e06f0a91
SHA256	f9798074acd137b7dcafa4b2a57f5be17eef4603f4bc4f2214ea8143949dfaf8
SPKI SHA256	6d2b8f667e54feb0055f4a78347105e26c64b8a87523a628f12d04ecb87625eb

Intermediate certificate

R3 | 67add11
Not After: 15 Sep 2025 16:00:00 UTC (expires in 1 year 11 months)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Subject DN	CN=R3, O=Let's Encrypt, C=US
Subject Key Identifier	142eb317b75856cbae500940e61faf9d8b14c2c6
Serial	912b084acf0c18a753f6d62e25a75f5a
Not Before	04 Sep 2020 00:00:00 UTC
Not After	15 Sep 2025 16:00:00 UTC
Validity period	1838 days
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	clientAuth, serverAuth
Issuer
Issuer DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Certification Authority	Let's Encrypt
Validation Type	Not Applicable
Authority Key Identifier	keyid:79b459e67bb6e5e40173800888c81a58f6e99b6e
Parent Certificate	http://x1.i.lencr.org/
CRL	http://x1.c.lencr.org/
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	a053375bfe84e8b748782c7cee15827a6af5a405
SHA256	67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
SPKI SHA256	8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d

Intermediate certificate

ISRG Root X1 | 6d99fb2
Not After: 30 Sep 2024 18:14:03 UTC (expires in 1 year 1 day)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Subject DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Subject Key Identifier	79b459e67bb6e5e40173800888c81a58f6e99b6e
Serial	4001772137d4e942b8ee76aa3c640ab7
Not Before	20 Jan 2021 19:14:03 UTC
Not After	30 Sep 2024 18:14:03 UTC
Validity period	1349 days
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=DST Root CA X3, O=Digital Signature Trust Co.
Certification Authority	IdenTrust Services, LLC
Validation Type	Not Applicable
Authority Key Identifier	keyid:c4a7b1a47b2c71fadbe14b9075ffc41560858910
Parent Certificate	http://apps.identrust.com/roots/dstrootcax3.p7c
CRL	http://crl.identrust.com/DSTROOTCAX3CRL.crl
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	933c6ddee95c9c41a40f9f50493d82be03ad87bf
SHA256	6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
SPKI SHA256	0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3

Root certificate

DST Root CA X3 | 0687260
Not After: 30 Sep 2021 14:01:15 UTC (expired 1 year 11 months ago)
Authentication: RSA 2048 bits (SHA1withRSA)
View details

Subject DN	CN=DST Root CA X3, O=Digital Signature Trust Co.
Subject Key Identifier	c4a7b1a47b2c71fadbe14b9075ffc41560858910
Serial	44afb080d6a327ba893039862ef8406b
Not Before	30 Sep 2000 21:12:19 UTC
Not After	30 Sep 2021 14:01:15 UTC (expired 1 year 11 months ago)
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=DST Root CA X3, O=Digital Signature Trust Co.
Certification Authority	IdenTrust Services, LLC
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	dac9024f54d8f6df94935fb1732638ca6ad77c13
SHA256	0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
SPKI SHA256	563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

Certificate: www.skiff.com

Leaf certificate

skiff.com
Issuer: Let's Encrypt
Not Before: 02 Aug 2023 06:42:05 UTC
Not After: 31 Oct 2023 06:42:04 UTC (expires in 1 month 2 days)
Key: EC 256 bits
Signature: SHA384withECDSA
View details

Names	.api.skiff.com .app.skiff.com *.skiff.com skiff.com
Subject DN	CN=skiff.com
Subject Key Identifier	1de674dc339128181c201471ac9331643fccb3f1
Serial	3e83edb6950fe125891e11363e4ebdb255d
Not Before	02 Aug 2023 06:42:05 UTC
Not After	31 Oct 2023 06:42:04 UTC
Validity period	90 days
Key Usage	digitalSignature
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=E1, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:5af3ed2bfc36c23779b95230ea546fcf55cb2eac
Parent Certificate	http://e1.i.lencr.org/
OCSP	http://e1.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	02 Aug 2023 07:42:05 UTC \| Cloudflare 'Nimbus2023' Log \| Qualified 02 Aug 2023 07:42:05 UTC \| Google 'Argon2023' log \| Qualified
Fingerprints
SHA1	4f672023431946484d9c862b58e3589303cf7cd5
SHA256	ff7707964d9d9fbe23111e612fd64273ee3000f86438184b0a4909490ed962c7
SPKI SHA256	9d807b452f1c7be773a0df3b97ea5f0cc982295eff44f831032b9eb8d764171f

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Trust

Platform	Trusted
Apple
Google AOSP
Microsoft
Mozilla

Certificate Chain

Leaf certificate

skiff.com | ff77079
Not After: 31 Oct 2023 06:42:04 UTC (expires in 1 month 2 days)
Authentication: EC 256 bits (SHA384withECDSA)
View details

Names	.api.skiff.com .app.skiff.com *.skiff.com skiff.com
Subject DN	CN=skiff.com
Subject Key Identifier	1de674dc339128181c201471ac9331643fccb3f1
Serial	3e83edb6950fe125891e11363e4ebdb255d
Not Before	02 Aug 2023 06:42:05 UTC
Not After	31 Oct 2023 06:42:04 UTC
Validity period	90 days
Key Usage	digitalSignature
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=E1, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:5af3ed2bfc36c23779b95230ea546fcf55cb2eac
Parent Certificate	http://e1.i.lencr.org/
OCSP	http://e1.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	02 Aug 2023 07:42:05 UTC \| Cloudflare 'Nimbus2023' Log \| Qualified 02 Aug 2023 07:42:05 UTC \| Google 'Argon2023' log \| Qualified
Fingerprints
SHA1	4f672023431946484d9c862b58e3589303cf7cd5
SHA256	ff7707964d9d9fbe23111e612fd64273ee3000f86438184b0a4909490ed962c7
SPKI SHA256	9d807b452f1c7be773a0df3b97ea5f0cc982295eff44f831032b9eb8d764171f

Intermediate certificate

E1 | 46494e3
Not After: 15 Sep 2025 16:00:00 UTC (expires in 1 year 11 months)
Authentication: EC 384 bits (SHA384withECDSA)
View details

Subject DN	CN=E1, O=Let's Encrypt, C=US
Subject Key Identifier	5af3ed2bfc36c23779b95230ea546fcf55cb2eac
Serial	b3bddff8a7845bbce903a04135b34a45
Not Before	04 Sep 2020 00:00:00 UTC
Not After	15 Sep 2025 16:00:00 UTC
Validity period	1838 days
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	clientAuth, serverAuth
Issuer
Issuer DN	CN=ISRG Root X2, O=Internet Security Research Group, C=US
Certification Authority	Let's Encrypt
Validation Type	Not Applicable
Authority Key Identifier	keyid:7c4296aede4b483bfa92f89e8ccf6d8ba9723795
Parent Certificate	http://x2.i.lencr.org/
CRL	http://x2.c.lencr.org/
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	091e8ea1b256a312962af6c140c0fbf079a407b3
SHA256	46494e30379059df18be52124305e606fc59070e5b21076ce113954b60517cda
SPKI SHA256	276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10

Intermediate certificate

ISRG Root X2 | 8b05b68
Not After: 15 Sep 2025 16:00:00 UTC (expires in 1 year 11 months)
Authentication: EC 384 bits (SHA256withRSA)
View details

Subject DN	CN=ISRG Root X2, O=Internet Security Research Group, C=US
Subject Key Identifier	7c4296aede4b483bfa92f89e8ccf6d8ba9723795
Serial	79e492886376fd40848c23fc631e463
Not Before	04 Sep 2020 00:00:00 UTC
Not After	15 Sep 2025 16:00:00 UTC
Validity period	1838 days
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Certification Authority	Let's Encrypt
Validation Type	Not Applicable
Authority Key Identifier	keyid:79b459e67bb6e5e40173800888c81a58f6e99b6e
Parent Certificate	http://x1.i.lencr.org/
CRL	http://x1.c.lencr.org/
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	151682f5218c0a511c28f4060a73b9ca78ce9a53
SHA256	8b05b68cc659e5ed0fcb38f2c942fbfd200e6f2ff9f85d63c6994ef5e0b02701
SPKI SHA256	762195c225586ee6c0237456e2107dc54f1efc21f61a792ebd515913cce68332

Intermediate certificate

ISRG Root X1 | 6d99fb2
Not After: 30 Sep 2024 18:14:03 UTC (expires in 1 year 1 day)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Subject DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Subject Key Identifier	79b459e67bb6e5e40173800888c81a58f6e99b6e
Serial	4001772137d4e942b8ee76aa3c640ab7
Not Before	20 Jan 2021 19:14:03 UTC
Not After	30 Sep 2024 18:14:03 UTC
Validity period	1349 days
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=DST Root CA X3, O=Digital Signature Trust Co.
Certification Authority	IdenTrust Services, LLC
Validation Type	Not Applicable
Authority Key Identifier	keyid:c4a7b1a47b2c71fadbe14b9075ffc41560858910
Parent Certificate	http://apps.identrust.com/roots/dstrootcax3.p7c
CRL	http://crl.identrust.com/DSTROOTCAX3CRL.crl
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	933c6ddee95c9c41a40f9f50493d82be03ad87bf
SHA256	6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
SPKI SHA256	0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3

Root certificate

DST Root CA X3 | 0687260
Not After: 30 Sep 2021 14:01:15 UTC (expired 1 year 11 months ago)
Authentication: RSA 2048 bits (SHA1withRSA)
View details

Subject DN	CN=DST Root CA X3, O=Digital Signature Trust Co.
Subject Key Identifier	c4a7b1a47b2c71fadbe14b9075ffc41560858910
Serial	44afb080d6a327ba893039862ef8406b
Not Before	30 Sep 2000 21:12:19 UTC
Not After	30 Sep 2021 14:01:15 UTC (expired 1 year 11 months ago)
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=DST Root CA X3, O=Digital Signature Trust Co.
Certification Authority	IdenTrust Services, LLC
Validation Type	Self-signed
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	dac9024f54d8f6df94935fb1732638ca6ad77c13
SHA256	0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
SPKI SHA256	563b3caf8cfef34c2335caf560a7a95906e8488462eb75ac59784830df9e5b2b

Analysis

Certificate chain is correct

Good. This chain contains all the right certificates and in the right order.

Certificate: www.skiff.com

Leaf certificate

skiff.com
Issuer: Let's Encrypt
Not Before: 02 Aug 2023 06:42:00 UTC
Not After: 31 Oct 2023 06:41:59 UTC (expires in 1 month 2 days)
Key: RSA 2048 bits
Signature: SHA256withRSA
View details

Names	.api.skiff.com .app.skiff.com *.skiff.com skiff.com
Subject DN	CN=skiff.com
Subject Key Identifier	a10ce47b9cfc627cd0124f61e53d867e1f05b8a2
Serial	3fc4ab18ac6bd40f3d0cf461a6bf229dddf
Not Before	02 Aug 2023 06:42:00 UTC
Not After	31 Oct 2023 06:41:59 UTC
Validity period	90 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=R3, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:142eb317b75856cbae500940e61faf9d8b14c2c6
Parent Certificate	http://r3.i.lencr.org/
OCSP	http://r3.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	02 Aug 2023 07:42:00 UTC \| Let's Encrypt 'Oak2023' log \| Qualified 02 Aug 2023 07:42:00 UTC \| Cloudflare 'Nimbus2023' Log \| Qualified
Fingerprints
SHA1	a347786d73ce2804f8edcc3226f25704e06f0a91
SHA256	f9798074acd137b7dcafa4b2a57f5be17eef4603f4bc4f2214ea8143949dfaf8
SPKI SHA256	6d2b8f667e54feb0055f4a78347105e26c64b8a87523a628f12d04ecb87625eb

Analysis

Strong private key

Good. The private key associated with this certificate is secure.

Strong signature algorithm

Good. This certificate uses a strong signature algorithm.

Certificate matches hostname

Good. The provided certificate matches the expected hostnames.

Certificate dates match

Good. The certificate is valid for use at this point of time.

Certificate has not been revoked

Good. This certificate has not been revoked.

Certificate satisfies Apple's CT compliance requirements

Good. This certificate satisfies Apple's CT requirements at present.

Certificate Trust

Platform	Trusted
Apple
Google AOSP
Microsoft
Mozilla

Certificate Chain

Leaf certificate

skiff.com | f979807
Not After: 31 Oct 2023 06:41:59 UTC (expires in 1 month 2 days)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Names	.api.skiff.com .app.skiff.com *.skiff.com skiff.com
Subject DN	CN=skiff.com
Subject Key Identifier	a10ce47b9cfc627cd0124f61e53d867e1f05b8a2
Serial	3fc4ab18ac6bd40f3d0cf461a6bf229dddf
Not Before	02 Aug 2023 06:42:00 UTC
Not After	31 Oct 2023 06:41:59 UTC
Validity period	90 days
Key Usage	digitalSignature, keyEncipherment
Extended Key Usage	serverAuth, clientAuth
Must Staple	No
Issuer
Issuer DN	CN=R3, O=Let's Encrypt, C=US
Certification Authority	Let's Encrypt
Validation Type	Domain Validation (DV)
Authority Key Identifier	keyid:142eb317b75856cbae500940e61faf9d8b14c2c6
Parent Certificate	http://r3.i.lencr.org/
OCSP	http://r3.o.lencr.org
Certificate Transparency
Signed Certificate Timestamps	02 Aug 2023 07:42:00 UTC \| Let's Encrypt 'Oak2023' log \| Qualified 02 Aug 2023 07:42:00 UTC \| Cloudflare 'Nimbus2023' Log \| Qualified
Fingerprints
SHA1	a347786d73ce2804f8edcc3226f25704e06f0a91
SHA256	f9798074acd137b7dcafa4b2a57f5be17eef4603f4bc4f2214ea8143949dfaf8
SPKI SHA256	6d2b8f667e54feb0055f4a78347105e26c64b8a87523a628f12d04ecb87625eb

Intermediate certificate

R3 | 67add11
Not After: 15 Sep 2025 16:00:00 UTC (expires in 1 year 11 months)
Authentication: RSA 2048 bits (SHA256withRSA)
View details

Subject DN	CN=R3, O=Let's Encrypt, C=US
Subject Key Identifier	142eb317b75856cbae500940e61faf9d8b14c2c6
Serial	912b084acf0c18a753f6d62e25a75f5a
Not Before	04 Sep 2020 00:00:00 UTC
Not After	15 Sep 2025 16:00:00 UTC
Validity period	1838 days
Key Usage	digitalSignature, keyCertSign, cRLSign
Extended Key Usage	clientAuth, serverAuth
Issuer
Issuer DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Certification Authority	Let's Encrypt
Validation Type	Not Applicable
Authority Key Identifier	keyid:79b459e67bb6e5e40173800888c81a58f6e99b6e
Parent Certificate	http://x1.i.lencr.org/
CRL	http://x1.c.lencr.org/
CA certificate	Yes (pathlen 0)
Fingerprints
SHA1	a053375bfe84e8b748782c7cee15827a6af5a405
SHA256	67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
SPKI SHA256	8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d

Intermediate certificate

ISRG Root X1 | 6d99fb2
Not After: 30 Sep 2024 18:14:03 UTC (expires in 1 year 1 day)
Authentication: RSA 4096 bits (SHA256withRSA)
View details

Subject DN	CN=ISRG Root X1, O=Internet Security Research Group, C=US
Subject Key Identifier	79b459e67bb6e5e40173800888c81a58f6e99b6e
Serial	4001772137d4e942b8ee76aa3c640ab7
Not Before	20 Jan 2021 19:14:03 UTC
Not After	30 Sep 2024 18:14:03 UTC
Validity period	1349 days
Key Usage	keyCertSign, cRLSign
Issuer
Issuer DN	CN=DST Root CA X3, O=Digital Signature Trust Co.
Certification Authority	IdenTrust Services, LLC
Validation Type	Not Applicable
Authority Key Identifier	keyid:c4a7b1a47b2c71fadbe14b9075ffc41560858910
Parent Certificate	http://apps.identrust.com/roots/dstrootcax3.p7c
CRL	http://crl.identrust.com/DSTROOTCAX3CRL.crl
CA certificate	Yes (pathlen unlimited)
Fingerprints
SHA1	933c6ddee95c9c41a40f9f50493d82be03ad87bf
SHA256	6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
SPKI SHA256	0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3

Root certificate