Mon, Jun 9, 2008

Jesse Robbins

TLS Report grades and reports on site security

My friend Ben Black just released TLS Report, a free (ad-supported) tool that evaluates the SSL/TLS configurations of websites and assigns each a letter grade. In the example below, Facebook gets a D because it accepts several cipher suites with keys shorter than 128 bits and relies on MD5:

[Image: facebook-tlsreport (TLS Report grade for Facebook)]

Ben explains: Cryptography is arcane and complex. Cryptography is also the basis for the various protocols that secure online commerce, ensure privacy of communication, and provide for integrity of data. Transport Layer Security (TLS), formerly SSL, is the de facto standard for secure communication on the web, and it, naturally, relies on some rather sophisticated cryptographic techniques. Properly implemented, TLS all but guarantees the security of the communication channel.

It's that properly implemented part that catches folks out. Whether from poor defaults in software, poor understanding of best practices, or a weak grasp on the various trade-offs between security and performance, TLS, as most often deployed on the web, is in a sorry state. We hope to change that.

The TLS Report delivers the tools, information, and visibility to reveal problems in TLS configurations and offer better alternatives so folks can improve their security posture and make sure it stays improved. Everybody wins.

Ben has received a few early complaints from sites getting low grades. This seems to be common with most new rating systems, and I think the discussion is often more important than the scores themselves. You can check out the top/bottom 20 sites, search, and add new ones to be included in the report.
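An added example, not part of the post or of TLS Report's own code: it applies the two checks the post says pulled Facebook's grade down (cipher suites with keys shorter than 128 bits, and MD5) to a cipher list, and includes a helper that expands an OpenSSL cipher string through Python's ssl module so an operator can audit a configuration before deploying it. The sample cipher list is constructed, and the letter-grade scale is an assumption for illustration, not TLS Report's actual scheme.

```python
import ssl

# Constructed sample in the shape ssl.SSLContext.get_ciphers() returns (only the
# keys used below are included). It models a server that still offers 56- and
# 40-bit suites and an MD5 MAC, roughly the situation the post describes.
SAMPLE_CIPHERS = [
    {"name": "AES256-SHA", "protocol": "TLSv1.0", "strength_bits": 256},
    {"name": "AES128-SHA", "protocol": "TLSv1.0", "strength_bits": 128},
    {"name": "RC4-MD5", "protocol": "SSLv3", "strength_bits": 128},
    {"name": "DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56},
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40},
]


def weak_ciphers(ciphers, min_bits=128):
    """Return (name, reasons) for every suite whose effective key is shorter
    than min_bits or whose name shows it uses MD5 as the MAC."""
    flagged = []
    for c in ciphers:
        reasons = []
        if c["strength_bits"] < min_bits:
            reasons.append(f"{c['strength_bits']}-bit key")
        if "MD5" in c["name"].upper():
            reasons.append("MD5 MAC")
        if reasons:
            flagged.append((c["name"], reasons))
    return flagged


def grade(ciphers, min_bits=128):
    """Hypothetical letter grade (an assumption for illustration, not TLS
    Report's real scheme): A = nothing flagged, B = MD5 only, C = short keys
    only, D = short keys and MD5, which is how the post describes Facebook."""
    flagged = weak_ciphers(ciphers, min_bits)
    short = any(r.endswith("-bit key") for _, rs in flagged for r in rs)
    md5 = any(r == "MD5 MAC" for _, rs in flagged for r in rs)
    return {(False, False): "A", (False, True): "B",
            (True, False): "C", (True, True): "D"}[(short, md5)]


def audit_cipher_string(spec, min_bits=128):
    """Expand an OpenSSL cipher string the way the local library would and
    report which of the resulting suites are weak, so a server cipher string
    can be checked before it goes into a config file."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(spec)
    return weak_ciphers(ctx.get_ciphers(), min_bits)


if __name__ == "__main__":
    for name, reasons in weak_ciphers(SAMPLE_CIPHERS):
        print(f"{name}: {', '.join(reasons)}")
    print("sample grade:", grade(SAMPLE_CIPHERS))
    print("HIGH:!aNULL:!MD5 weak suites:", audit_cipher_string("HIGH:!aNULL:!MD5"))
```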


Comments: 7

  Atul [06.09.08 11:37 PM]

Tried Google.com. It gets a D too.

  Benjamin Black [06.10.08 08:11 AM]

You want to use the name in the certificate, shown in the first line of the certificate section. In this case, www.google.com.


Ben

  Michael Groh [06.10.08 10:41 AM]

I love the site but I couldn't figure out how to refresh the report for a site. I was hoping for some instant gratification after fixing a couple of sites.

  Benjamin Black [06.10.08 01:27 PM]

Good feedback, Michael. I've disabled all the registered user features for now while I figure out the right offering there. On-demand collection exists, but is not accessible currently.

That said, the system automatically refreshes sites about once every 24 hours.


Ben

  Benjamin Black [06.10.08 05:47 PM]

In case folks haven't noticed it, each report sports an RSS feed. You can subscribe to receive notification of config changes, for example when a certificate expires.


Ben

  Tim Dierks [07.09.08 06:23 PM]

This misses the point: key length is almost irrelevant to consumer security. I wrote a whole rant on this at my (linked) blog post, but suffice it to say that there have been thousands or millions of security problems due to various forms of site insecurity, phishing, and other problems, but I've never heard of an SSL key being cracked maliciously.

  J Bofh [05.21.09 06:29 PM]

When is this site coming back? Haven't seen anything new for months.
