My friend Ben Black just released TLS Report, a free (ad-supported) tool that evaluates SSL/TLS configurations across websites and assigns letter grades. In the example below, Facebook gets a D because it accepts several keys that are below 128-bits and relies on MD5:
Ben explains: Cryptography is arcane and complex. Cryptography is also the basis for the various protocols that secure online commerce, ensure privacy of communication, and provide for integrity of data. Transport Layer Security (TLS), formerly SSL, is the de-facto standard for secure communication on the web, and it, naturally, relies on some rather sophisticated cryptographic techniques. Properly implemented, TLS all but guarantees the security of the communication channel.
It’s that properly implemented part that catches folks out. Whether from poor defaults in software, poor understanding of best practices, or a weak grasp on the various trade-offs between security and performance, TLS, as most often deployed on the web, is in a sorry state. We hope to change that.
The tls report delivers the tools, information, and visibility to reveal problems in TLS configurations and offer better alternatives so folks can improve their security posture and make sure it stays improved. Everybody wins.
Ben has received a few early complaints from sites getting low grades. This seems to be common with most new rating systems, and I think the discussion is often more important than the scores themselves. You can check out the top/bottom 20 sites, search, and add new ones to be included in the report.