Appendix B - Endpoint Details with Description

This appendix lists the fields present in the response of the List Endpoints API, along with a description.

Field	Description
vulnBeast	True if the endpoint is vulnerable to the BEAST attack
renegSupport	Integer value to describe the endpoint support for renegotiation bit 0 (1) - set if insecure client-initiated renegotiation is supported bit 1 (2) - set if secure renegotiation is supported bit 2 (4) - set if secure client-initiated renegotiation is supported bit 3 (8) - set if the server requires secure renegotiation support
compressionMethods	Integer value to describe supported compression methods bit 0 is set for DEFLATE
supportsRc4	True if the server supports at least one RC4 suite
rc4WithModern	True if RC4 is used with modern clients
rc4Only	True if only RC4 suites are supported
forwardSecrecy	Integer value to describe support for Forward Secrecy bit 0 (1) - set if at least one browser from our simulations negotiated a Forward Secrecy suite bit 1 (2) - set based on Simulator results if FS is achieved with modern clients. For example, the server supports ECDHE suites, but not DHE bit 2 (4) - set if all simulated clients achieve FS. In other words, this requires an ECDHE + DHE combination to be supported
supportsAead	True if the server supports at least one AEAD suite
protocolIntolerance	Integer value to indicate protocol version intolerance issues: bit 0 (1) - TLS 1.0 bit 1 (2) - TLS 1.1 bit 2 (4) - TLS 1.2 bit 3 (8) - TLS 1.3 bit 4 (16) - TLS 1.152 bit 5 (32) - TLS 2.152
heartbleed	True if the server is vulnerable to the Heartbleed attack
heartbeat	True if the server supports the Heartbeat extension
openSslCcs	Indicates result of the CVE-2014-0224 test: -1 - test failed 0 - unknown 1 - not vulnerable 2 - possibly vulnerable, but not exploitable 3 - vulnerable and exploitable
openSSLLuckyMinus20	Indicates result of the CVE-2016-2107 test: -1 - test failed 0 - unknown 1 - not vulnerable 2 - vulnerable and insecure
ticketbleed	Indicates result of the ticketbleed CVE-2016-9244 test: -1 - test failed 0 - unknown 1 - not vulnerable 2 - vulnerable and insecure 3 - not vulnerable but a similar bug detected
bleichenbacher	Indicates result of the Return Of Bleichenbacher's Oracle Threat (ROBOT) test: -1 - test failed 0 - unknown 1 - not vulnerable 2 - vulnerable (weak oracle) 3 - vulnerable (strong oracle) 4 - inconsistent results
poodle	True if the endpoint is vulnerable to POODLE; false otherwise
poodleTls	Indicates result of the POODLE TLS test: -3 - timeout -2 - TLS not supported -1 - test failed 0 - unknown 1 - not vulnerable 2 - vulnerable
fallbackScsv	True if the server supports TLS_FALLBACK_SCSV, false if it doesn't. This field will not be available if the server's support for TLS_FALLBACK_SCSV can not be tested because it supports only one protocol version (e.g., only TLS 1.2).
freak	True if the server is vulnerable to the FREAK attack, meaning it supports 512-bit key exchange.
hasSct	Indicates information about the availability of certificate transparency information (embedded SCTs): bit 0 (1) - SCT in certificate bit 1 (2) - SCT in the stapled OCSP response bit 2 (4) - SCT in the TLS extension (ServerHello)
logjam	True if the server uses DH parameters weaker than 1024 bits
drownVulnerable	True if server vulnerable to the DROWN attack
zombiePoodle	Indicates result of the Zombie POODLE test: -1 - test failed 0 - unknown 1 - not vulnerable 2 - vulnerable 3 - vulnerable and exploitable
goldenDoodle	Indicates result of the GOLDENDOODLE test: -1 - test failed 0 - unknown 1 - not vulnerable 4 - vulnerable 5 - vulnerable and exploitable
supportsCBC	True if the server supports at least one CBC suite
zeroLengthPaddingOracle	Indicates result of the 0-Length Padding Oracle (CVE-2019-1559) test: -1 - test failed 0 - unknown 1 - not vulnerable 6 - vulnerable 7 - vulnerable and exploitable
sleepingPoodle	Indicates result of the Sleeping POODLE test: -1 - test failed 0 - unknown 1 - not vulnerable 10 - vulnerable 11 - vulnerable and exploitable