Thoughts on Talk Talk SSL
I have been watching the Talk Talk cyber attack developments in the news. One thing that surprised me was that an article by The Register referenced a tool from High-Tech Bridge which measures TLS certificates against NIST Special Publication 800-52. What baffles me is how, at the time of writing, Talk Talk got an A for their certificate even though it's not SHA-2. This seems somewhat nonsensical, especially as PCI DSS 3.1 permits only TLS 1.2 and later for compliance (although companies have until July 30th 2016 to comply), and perhaps more importantly SHA-1 certificates are being phased out.
With this in mind, the tool should, in my opinion, split out the differing requirements and grade each one accordingly.
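To illustrate the kind of split grading described above, here is an added example (my own code, not the post's and not High-Tech Bridge's tool). It reads the signature algorithm OID straight out of a DER certificate with a minimal hand-written ASN.1 parser, and reports the certificate's signature hash (SHA-1 versus SHA-2) and the server's offered protocol versions (TLS 1.2 and later only) as two separate verdicts rather than one combined letter grade. The certificates it grades are constructed stand-ins: only the outer `Certificate` layout and the `signatureAlgorithm` field are realistic, the `tbsCertificate` and signature bytes are placeholders, and the version list is assumed to come from a separate scan.

```python
"""Grade a certificate's signature hash and the server's TLS versions as
separate line items (added example; not the post's or any vendor's code)."""

# --- Minimal DER helpers: enough to build the constructed sample and read it back ---
def _der_len(n):
    """Encode a DER length (short form under 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_oid(dotted):
    """Encode a dotted OID string as an OBJECT IDENTIFIER TLV."""
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def parse_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content bytes back to dotted form."""
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))

# Well-known signature algorithm OIDs and the hash each one uses.
SIGNATURE_HASH = {
    "1.2.840.113549.1.1.4": "md5",     # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",    # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256", # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512",
    "1.2.840.10045.4.1": "sha1",       # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",   # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",
    "1.2.840.10045.4.3.4": "sha512",
}

def certificate_signature_hash(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Only the OID inside the second element is needed for this check."""
    tag, cert, _ = parse_tlv(cert_der, 0)
    assert tag == 0x30, "certificate must be a SEQUENCE"
    _, _tbs, pos = parse_tlv(cert, 0)        # skip tbsCertificate
    _, sig_alg, _ = parse_tlv(cert, pos)     # AlgorithmIdentifier
    _, oid_body, _ = parse_tlv(sig_alg, 0)   # its OBJECT IDENTIFIER
    oid = decode_oid(oid_body)
    return SIGNATURE_HASH.get(oid, "unknown:" + oid)

def grade(cert_der, offered_tls_versions):
    """One verdict per requirement instead of a single combined score."""
    h = certificate_signature_hash(cert_der)
    weak = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"} & set(offered_tls_versions)
    modern = {"TLSv1.2", "TLSv1.3"} & set(offered_tls_versions)
    return {
        "cert_signature_hash": h,
        "cert_signature_sha2": h in ("sha256", "sha384", "sha512"),
        "protocol_tls12_or_later_only": bool(modern) and not weak,
        "weak_protocols_offered": sorted(weak),
    }

def sample_certificate(sig_oid):
    """CONSTRUCTED stand-in: placeholder tbsCertificate and signature bytes,
    realistic outer layout and signatureAlgorithm only."""
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01"))                  # placeholder body
    alg = der_tlv(0x30, der_oid(sig_oid) + der_tlv(0x05, b""))   # AlgorithmIdentifier
    sig = der_tlv(0x03, b"\x00" * 9)                             # placeholder BIT STRING
    return der_tlv(0x30, tbs + alg + sig)

if __name__ == "__main__":
    # A SHA-1 certificate on a server still offering TLS 1.0/1.1, then a clean one.
    print(grade(sample_certificate("1.2.840.113549.1.1.5"), ["TLSv1.0", "TLSv1.1", "TLSv1.2"]))
    print(grade(sample_certificate("1.2.840.113549.1.1.11"), ["TLSv1.2"]))
```

The point of the two boolean fields is that a SHA-1 certificate fails the signature line no matter how well the protocol line scores, so the report cannot average one away with the other. To use it against a real server you would swap `sample_certificate` for the DER bytes of the served certificate and the version list for the output of whatever protocol scan you already run.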