TLS Report grades and reports on site security
My friend Ben Black just released TLS Report, a free (ad-supported) tool that evaluates the SSL/TLS configurations of websites and assigns each a letter grade. In the example below, Facebook gets a D because it accepts several cipher suites with keys below 128 bits and relies on MD5:
Ben explains: Cryptography is arcane and complex. Cryptography is also the basis for the various protocols that secure online commerce, ensure privacy of communication, and provide for integrity of data. Transport Layer Security (TLS), formerly SSL, is the de facto standard for secure communication on the web, and it, naturally, relies on some rather sophisticated cryptographic techniques. Properly implemented, TLS all but guarantees the security of the communication channel.
It's that properly implemented part that catches folks out. Whether from poor defaults in software, poor understanding of best practices, or a weak grasp on the various trade-offs between security and performance, TLS, as most often deployed on the web, is in a sorry state. We hope to change that.
The TLS Report delivers the tools, information, and visibility to reveal problems in TLS configurations and offer better alternatives so folks can improve their security posture and make sure it stays improved. Everybody wins.
Ben has received a few early complaints from sites getting low grades. This seems to be common with most new rating systems, and I think the discussion is often more important than the scores themselves. You can check out the top/bottom 20 sites, search, and add new ones to be included in the report.
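To make the two criteria the post mentions concrete (keys below 128 bits and reliance on MD5), here is a small grader written for this post; it is an added example, not TLS Report's code. It parses OpenSSL-style suite names, and the key-size table, the EXP- handling and the letter scale are all assumptions of the example rather than Ben's actual scoring.

```python
"""Toy cipher-suite grader (added example, not TLS Report's own code)."""
from typing import NamedTuple

# Bulk-cipher key sizes (bits) for tokens in OpenSSL-style suite names.
# Assumed table for this example; 3DES is listed at its nominal 168 bits.
_KEY_BITS = {
    "NULL": 0, "DES-CBC": 56, "DES-CBC3": 168, "RC2-CBC": 128, "RC4": 128,
    "AES128": 128, "AES256": 256, "CAMELLIA128": 128, "CAMELLIA256": 256,
}
_MACS = ("MD5", "SHA", "SHA256", "SHA384")

class Suite(NamedTuple):
    name: str
    key_bits: int
    mac: str

def parse_suite(name: str) -> Suite:
    """Derive bulk key size and MAC from a name such as 'DHE-RSA-AES256-SHA'."""
    body, _, mac = name.rpartition("-")
    if mac not in _MACS:
        raise ValueError(f"unrecognised MAC in {name!r}")
    # Longest token first so 'DES-CBC3' is not mistaken for 'DES-CBC'.
    for token in sorted(_KEY_BITS, key=len, reverse=True):
        if body.endswith(token):
            bits = _KEY_BITS[token]
            break
    else:
        raise ValueError(f"unrecognised bulk cipher in {name!r}")
    if name.startswith("EXP-"):
        bits = min(bits, 40)  # export-grade suites are limited to 40-bit keys
    return Suite(name, bits, mac)

def grade(suite_names):
    """Return (letter, findings) for the suites a server accepts.

    Assumed scale: A clean, B MD5 only, C sub-128-bit keys only,
    D both (the Facebook case in the post), F export-grade or NULL cipher.
    """
    suites = [parse_suite(n) for n in suite_names]
    findings = [f"{s.name}: {s.key_bits}-bit key" for s in suites if s.key_bits < 128]
    findings += [f"{s.name}: MD5 MAC" for s in suites if s.mac == "MD5"]
    md5 = any(s.mac == "MD5" for s in suites)
    weak = any(s.key_bits < 128 for s in suites)
    export = any(s.key_bits <= 40 for s in suites)
    letter = "F" if export else "D" if weak and md5 else "C" if weak else "B" if md5 else "A"
    return letter, findings
```

Feed it the suite list a server actually negotiates (for example, the output of an `openssl ciphers` walk against the host) and the findings list tells you which suites to drop to move up a grade.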
tags: compliance, dss, operations, pci, pcidss, security, ssl, tls, tlsreport, velocity, velocity08, web 2.0, webops
Comments: 7
You want to use the name in the certificate, shown in the first line of the certificate section. In this case, www.google.com.
Ben
I love the site but I couldn't figure out how to refresh the report for a site. I was hoping for some instant gratification after fixing a couple of sites.
Good feedback, Michael. I've disabled all the registered user features for now while I figure out the right offering there. On-demand collection exists, but is not accessible currently.
That said, the system automatically refreshes sites about once every 24 hours.
Ben
In case folks haven't noticed it, each report sports an RSS feed. You can subscribe to receive notification of config changes, for example when a certificate expires.
Ben
This misses the point: key length is almost irrelevant to consumer security. I wrote a whole rant on this at my (linked) blog post, but suffice it to say that there have been thousands or millions of security problems due to various forms of site insecurity, phishing, and other problems, but I've never heard of an SSL key being cracked maliciously.
Atul [06.09.08 11:37 PM]
Tried Google.com. It gets a D too.