by bradknowles 2383 days ago
At least some of the queries for this domain name are coming back pointed to 35.189.102.199 (199.102.189.35.bc.googleusercontent.com), which seems to be okay on the SSL certificate (see https://www.ssllabs.com/ssltest/analyze.html?d=got-it.com ) even though they offer TLS 1.1 in addition to TLS 1.2.

However, other DNS queries get pointed to 146.112.61.106 (hit-adult.opendns.com), which, according to testssl.sh, offers only TLS 1.2, but doesn't have server cipher order, and has an incomplete chain of trust.

The latter IP address also seems to be vulnerable to Secure Client-Initiated Renegotiation, and BEAST (CVE-2011-3389), and maybe LUCKY13 (CVE-2013-0169).

2 comments

Thanks very much for bringing this up and looking into it for us. We're on it now!
I've manually flushed OpenDNS and dig is now only reporting 35.189.102.199. Any chance it's now working for you?
Nope. Still borked on OpenDNS.
Looks like it's been content blocked with OpenDNS on their family friendly DNS servers. I've submitted a request for it to be categorised. Previous experience is that this takes a few days.
Cries... I'll dig deeper into this tomorrow. Cheers for sharing.