TLS/SSL Configuration findings are based on a Host:Port or IP:Port pair.
- If an IP is part of a company’s infrastructure, IP-based findings are attributed to them.
- For websites hosted on Content Delivery Networks (CDN), only domain-based findings are attributed.
- If both IP and domain are within a company infrastructure, two separate findings are assigned to the same company (e.g., moving from a self-hosted website to a service provider-hosted website), ensuring the finding information is consistent even if a domain’s destination IP changes.
Findings that are based on domains (rather than IP) and are part of a service provider’s infrastructure are graded and are weighted the same as owned infrastructure. Learn more about Shared Responsibility with Cloud Service Providers.
These considerations ensure:
- The remediation of a misconfigured TLS/SSL record immediately takes effect upon a rescan. The exclusion of IP addresses from the evidence key prevents the duplication of records in situations where the IP addresses are dynamic (CDN).
- TLS/SSL Configurations observed on service providers for IP-based scans are not graded.
- TLS/SSL Configuration records are not attributed based on certificate subject names.
A record is included in a company’s report if either of the following is true:
- It is a host-based scan and the hostname belongs to the company.
- It is on an IP address that belongs to the company.
TLS/SSL Configuration findings are handled in the following manner:
| Scan Type | Description |
|---|---|
| IP |
|
| Hostname | Service Provider-Hosted Domains: Findings where the hostnames belong to a company, but are part of a service provider’s infrastructure, are graded and weighted the same as company-owned TLS/SSL Configurations findings (as if it were part of the company’s infrastructure). |
- October 31, 2025: Removed outdated icons, (†) dagger symbol.
- August 8, 2022: Clarification on domain and IP differences.
- February 24, 2020: Published.
Feedback
0 comments
Please sign in to leave a comment.