TLS Report grades and reports on site security

My friend Ben Black just released TLS Report, a free (ad-supported) tool that evaluates the SSL/TLS configuration of websites and assigns each one a letter grade. In the example below, Facebook gets a D because it accepts several cipher suites with keys shorter than 128 bits and still uses MD5:
[screenshot: facebook-tlsreport]
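To make the two criteria behind that D concrete, here is an added example (mine, not TLS Report's code) that audits a list of accepted cipher suites the way the screenshot describes: it flags any suite whose symmetric key is shorter than 128 bits and any suite whose record MAC is MD5. Suite names are in OpenSSL style, as `openssl ciphers -v` and most scanners print them. The sample list is constructed, and the letter thresholds in `letter_grade` are this example's own assumptions; the page does not give TLS Report's actual scale.

```python
from dataclasses import dataclass

# Symmetric key length, in bits, for the cipher token found in an
# OpenSSL-style suite name. 3DES is scored at its 112-bit effective
# strength rather than its nominal 168.
KEY_BITS = {
    "NULL": 0,
    "DES-CBC": 56,
    "DES-CBC3": 112,
    "RC2-CBC": 128,
    "RC4": 128,
    "IDEA-CBC": 128,
    "SEED": 128,
    "AES128": 128,
    "AES256": 256,
    "CAMELLIA128": 128,
    "CAMELLIA256": 256,
    "CHACHA20-POLY1305": 256,
}

MIN_KEY_BITS = 128  # the threshold the post describes


@dataclass(frozen=True)
class Finding:
    suite: str
    kind: str    # "null-cipher", "weak-key" or "md5-mac"
    detail: str


def key_bits(suite: str) -> int:
    """Symmetric key length for an OpenSSL-style suite name.

    Export suites are capped by the protocol regardless of the cipher
    token: EXP- suites carry 40-bit keys, EXP1024- suites 56-bit keys."""
    padded = f"-{suite}-"
    bits = None
    for token, n in KEY_BITS.items():
        # Match the token as a whole dash-delimited component, so that
        # "DES-CBC" does not match the 3DES token "DES-CBC3".
        if f"-{token}-" in padded:
            bits = n
            break
    if bits is None:
        raise ValueError(f"unknown cipher in suite name: {suite}")
    if suite.startswith("EXP1024-"):
        return min(bits, 56)
    if suite.startswith("EXP-"):
        return min(bits, 40)
    return bits


def uses_md5_mac(suite: str) -> bool:
    # In OpenSSL names the trailing component is the record MAC digest.
    # MD5 in a certificate signature is a separate check not modelled here.
    return suite.endswith("-MD5")


def audit(suites):
    """Return one Finding per problem; a suite can produce more than one."""
    findings = []
    for s in suites:
        bits = key_bits(s)
        if bits == 0:
            findings.append(Finding(s, "null-cipher", "no encryption at all"))
        elif bits < MIN_KEY_BITS:
            findings.append(Finding(s, "weak-key", f"{bits}-bit key"))
        if uses_md5_mac(s):
            findings.append(Finding(s, "md5-mac", "HMAC-MD5 record MAC"))
    return findings


def letter_grade(findings):
    """Assumed scale for this example only: F if a NULL cipher is accepted,
    D if any weak-key or MD5 suite is accepted, A otherwise."""
    kinds = {f.kind for f in findings}
    if "null-cipher" in kinds:
        return "F"
    if kinds & {"weak-key", "md5-mac"}:
        return "D"
    return "A"


def passing_cipher_string(suites):
    """OpenSSL cipher string containing only the suites that passed."""
    bad = {f.suite for f in audit(suites)}
    return ":".join(s for s in suites if s not in bad)


# Constructed sample: what a scanner might report for a server that still
# accepts legacy suites alongside modern ones.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
    "AES128-SHA",
    "RC4-SHA",
    "DES-CBC3-SHA",
    "RC4-MD5",
    "EXP-RC4-MD5",
    "EXP1024-DES-CBC-SHA",
    "DES-CBC-SHA",
]

if __name__ == "__main__":
    found = audit(SAMPLE_SUITES)
    for f in found:
        print(f"{f.suite:28} {f.kind:12} {f.detail}")
    print("grade:", letter_grade(found))
    print("passing suites:", passing_cipher_string(SAMPLE_SUITES))
```

Running it on the sample gives six findings and a D. Note what the key-length test does not catch: `RC4-SHA` has a 128-bit key and a SHA-1 MAC, so it passes and ends up in the "passing" string even though RC4's weaknesses are in its keystream, not its key length. That is the limit of grading on key size alone, and a real cipher policy should reject RC4 by name.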

Ben explains: Cryptography is arcane and complex. Cryptography is also the basis for the various protocols that secure online commerce, ensure privacy of communication, and provide for integrity of data. Transport Layer Security (TLS), formerly SSL, is the de-facto standard for secure communication on the web, and it, naturally, relies on some rather sophisticated cryptographic techniques. Properly implemented, TLS all but guarantees the security of the communication channel.

It’s that properly implemented part that catches folks out. Whether from poor defaults in software, poor understanding of best practices, or a weak grasp on the various trade-offs between security and performance, TLS, as most often deployed on the web, is in a sorry state. We hope to change that.

TLS Report delivers the tools, information, and visibility to reveal problems in TLS configurations and offer better alternatives so folks can improve their security posture and make sure it stays improved. Everybody wins.

Ben has received a few early complaints from sites getting low grades. This seems to be common with most new rating systems, and I think the discussion is often more important than the scores themselves. You can check out the top/bottom 20 sites, search, and add new ones to be included in the report.

  • Atul

    Tried Google.com. It gets a D too.

  • Benjamin Black (http://tlsreport.layer8.net)

    You want to use the name in the certificate, shown in the first line of the certificate section. In this case, http://www.google.com.

    Ben

  • Michael Groh (http://www.mikegroh.net)

    I love the site but I couldn’t figure out how to refresh the report for a site. I was hoping for some instant gratification after fixing a couple of sites.

  • Benjamin Black (http://tlsreport.layer8.net)

    Good feedback, Michael. I’ve disabled all the registered user features for now while I figure out the right offering there. On-demand collection exists, but is not accessible currently.

    That said, the system automatically refreshes sites about once every 24 hours.

    Ben

  • Benjamin Black (http://tlsreport.layer8.net)

    In case folks haven’t noticed it, each report sports an RSS feed. You can subscribe to receive notification of config changes, for example when a certificate expires.

    Ben

  • Tim Dierks (http://tim.dierks.org/2008/07/missing-point.html)

    This misses the point: key length is almost irrelevant to consumer security. I wrote a whole rant on this at my (linked) blog post, but suffice it to say that there have been thousands or millions of security problems due to various forms of site insecurity, phishing, and other problems, but I’ve never heard of an SSL key being cracked maliciously.

  • J Bofh (http://leatherdonut.com/)

    When is this site coming back? Haven’t seen anything new for months.

  • Peter

    It seems that TLS Report is no longer in operation, but there’s another site, called SSL Labs, that does the same thing: https://www.ssllabs.com/ssldb/.

  • Mario

    It seems that there is not much to worry about, even with a D rating. It is not a lack of security software that makes Facebook a risky place; it is the fact that malware spreads through the messaging service. I think Facebook gets enough bad press without being issued a D here on the report, which really does not mean much in terms of end users and their security levels.