
SSL Pulse Project Finds Just 10% of SSL Sites Actually Secure

timothy posted more than 2 years ago | from the decimation-of-another-kind dept.


Trailrunner7 writes "A new project that was set up to monitor the quality and strength of the SSL implementations on top sites across the Internet found that 75 percent of them are vulnerable to the BEAST SSL attack and that just 10 percent of the sites surveyed should be considered secure. The SSL Pulse project, set up by the Trustworthy Internet Movement, looks at several components of each site's SSL implementation to determine how secure the site actually is. The project looks at how each site is configured, which versions of the TLS and SSL protocols the site supports, whether the site is vulnerable to the BEAST or insecure renegotiation attacks and other factors. The data that the SSL Pulse project has gathered thus far shows that the vast majority of the 200,000 sites the project is surveying need some serious help in fixing their SSL implementations."


62 comments


Happy Friday from the Golden Girls! (-1)

Anonymous Coward | more than 2 years ago | (#39829627)

Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.

And if you threw a party
Invited everyone you ever knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.

Re:Happy Friday from the Golden Girls! (-1, Troll)

Anonymous Coward | more than 2 years ago | (#39830149)

Fuck you A.C. first post. I'm fucking tired of the lame-ass fucking retarded first posts occupying the fucking first line of the fucking conversation. Every fucking time I read these I have a fucking brain hemorrhage over the fucking bullshit stupid-ass retarded statements that retarded fucking retards make.

Re:Happy Friday from the Golden Girls! (2, Funny)

Anonymous Coward | more than 2 years ago | (#39830369)

Butthurt much? [phoenixnewtimes.com]

Re:Happy Friday from the Golden Girls! (-1)

Anonymous Coward | more than 2 years ago | (#39830541)

thank you for feeding the troll

did no one else watch Gremlins? see what happens when you feed them after midnight?

captcha: wetness

Re:Happy Friday from the Golden Girls! (5, Interesting)

denpun (1607487) | more than 2 years ago | (#39830555)

Agreed.

Can we get /. to prevent the first, say 5, post replies from AC?
Let the first 5 or so posts be from registered users only. AC cannot reply to the OP until 5 or so replies to OP by registered users have been made.

5 can be tweaked...to an optimized value 3-5 i'd say.

Maybe this will stop the silly 1st post...from AC.....then again..maybe now we will get
6th Post crap from ACs...but still better than reading a crappy 1st post.

Re:Happy Friday from the Golden Girls! (0)

twdorris (29395) | more than 2 years ago | (#39830917)

Can we get /. to prevent the first, say 5, post replies from AC?

I like.

Re:Happy Friday from the Golden Girls! (-1)

Anonymous Coward | more than 2 years ago | (#39831049)

How exactly does the name associated with a comment have any impact on the quality of said comment? Oh, that's right, it doesn't have any impact whatsoever.

A good example of this is the comment that I'm replying to. It's stupid, and it advocates a sick form of censorship. Posting it from a registered account didn't stop it from being one of the most idiotic and backward things I've read here in a while.

An alias like "denpun" is no different than "Anonymous Coward". In fact, I can say that I've seen far, far more useful comments from "Anonymous Coward" than I've ever seen from "denpun".

Re:Happy Friday from the Golden Girls! (1)

Zero__Kelvin (151819) | more than 2 years ago | (#39835089)

"In fact, I can say that I've seen far, far more useful comments from "Anonymous Coward" than I've ever seen from "denpun"."

So we can safely conclude that you don't read your own post then ;-)

Re:Happy Friday from the Golden Girls! (0)

Anonymous Coward | more than 2 years ago | (#39831115)

It's always fun when slashdot advocates censorship. Well you and the 3 people who modded you up...

What if there's some article about company X, and the first person to reply is an employee of that company who needs to stay anonymous.

Replace company with government, etc, etc.

Sorry if you guys don't like the trolls, but anonymous coward serves the same important purpose it always has.

Re:Happy Friday from the Golden Girls! (1)

denpun (1607487) | more than 2 years ago | (#39831523)

Agreed, AC has a valid purpose in many cases and yes to the AC who posted earlier about ACs making more useful contributions than I have, both good and BAD. I could say the same for you too. I'm not here to argue and rant off like some others. It's not a pissing contest like some would want it to be.

The intention was not so much to absolutely censor AC, but more to prevent the silly and nonsensical AC posts like First Post silliness.
The ACs are the ones who mostly post the nonsensical/offensive comments. People signed in, generally don't do so. Admittedly, registered users do post nonsense as well, but I'd venture to say less than ACs. I may be wrong.

Anonymity obviously has its benefits, like in the good example you made but it also allows people to use that to do things they normally would not do if they were recognized. I was just trying to suggest a way to reduce nonsense, although I admit that at times nonsense can be fun.

Adding Humor, Satire and intelligent wit is fine....real/proper/fun/witty Trolls.
Nonsensical "Yeah....I got first post" everytime..gets a little silly.

Of course censorship is not generally good...and yes.....I may have not thought of all the reasons AC serves when I made the post. This is /. People are waiting to pounce. ;) That's fine. Just had good intentions. Wanted /. to be better. Good intentions are not always good enough.

There are pros and cons with everything.
There are Pros like the one you mentioned. ACs do post useful info. I'll give you that.
I guess I will just have to live with the cons of having to deal with silliness, meaningless rants.
Come to think of it...we need to laugh sometimes. ..so yeah...I may have been wrong...in the big scheme of things.
So yeah. Let the ACs run wild. Let them say what they want. We can mod them the hell down if it's crappy content.

Cue next rant/response/pounce/for/against/whatever.

Re:Happy Friday from the Golden Girls! (-1)

Anonymous Coward | more than 2 years ago | (#39831823)

Here's an idea: MAN THE FUCK UP AND IGNORE THEM . Really, it's not difficult to do.

Re:Happy Friday from the Golden Girls! (0)

Anonymous Coward | more than 2 years ago | (#39832343)

First, let me say I have no life. Second, I have a registered account with "Excellent" karma and regularly receive moderation points. Third, I have written probably 100 first posts anonymously, most of them without mentioning first post, and many of them with scores of +5, most of them funny. Why do I do it anonymously rather than start a career as a Slashdot comic? Well, the money's not great in that, plus that's not the public image I want. Also because of how karma works here, where Funny mods don't count but negative ones against Funny mods do, I'd quickly end up in the hole, making my account unusable.

Just to back up what I'm saying, here are a few examples of my posts (which I know I can't verify, but seriously, who would go to this much trouble?)

_
Although, for the record, the post I'm most proud of wasn't a first post, but this classic:
Browser Wars Declared Over [slashdot.org]

Re:Happy Friday from the Golden Girls! (0)

Anonymous Coward | more than 2 years ago | (#39831231)

I guess you don't remember the days of the GNAA. Those guys knew how to troll.

Today's bullshit is pretty dainty by comparison. The moderation system does a pretty good job of taking them down, unless you're browsing at -1. GNAA people generally never posted AC and they were way more offensive. Wiki GNAA if you want to see what /. first posts were like circa 2005. (Never go to a GNAA site, they built several browser bombs. I doubt any still work, but I'm not about to test that theory.)

I'm posting AC because this sort of thing belongs below the average user's threshold.

Re:Happy Friday from the Golden Girls! (1)

hcs_$reboot (1536101) | more than 2 years ago | (#39831689)

So if AC can post from post -say- 3, a new trend will flourish on /. "3rd post", i.e. be the first AC to post something. Not sure it'll change much. Moreover, doing so, and even talking about it like we currently do, legitimizes the (poor) AC quest, i.e. get some (weak) recognition from the only posting operation those AC are able to produce (and of course the insulting AC post that will follow this very post).

SSL can be kinda like a weight lifting belt.. (5, Insightful)

rastoboy29 (807168) | more than 2 years ago | (#39829649)

..giving a false sense of security.

For example, I've personally discovered hundreds of servers with compromised PHP scripts that worked merrily along via HTTPS, looking very secure.  Unfortunately, attackers can attack a poorly written script over HTTPS exactly as easily as via HTTP, compromise it, and steal information (or whatever) just fine.

SSL just encrypts the channel. (5, Insightful)

khasim (1285) | more than 2 years ago | (#39829691)

SSL just encrypts the channel.
SSL does not fix anything else.
How could it?

Crap code on a website is still crap code on a website whether you have an encrypted channel or clear text channel.

Re:SSL just encrypts the channel. (5, Funny)

Mysteray (713473) | more than 2 years ago | (#39829711)

But at least the attacker's data is secure in transit.

Re:SSL just encrypts the channel. (5, Insightful)

Lennie (16154) | more than 2 years ago | (#39830711)

Which is perfect, it prevents a Network Intrusion Detection System from preventing the attack. ;-)

Re:SSL just encrypts the channel. (1)

Anonymous Coward | more than 2 years ago | (#39831145)

OR you could do what anyone who actually does SSL at any sort of scale does, and run your IDS between your frontend (load balancers, accelerators, F5s, nginx boxes, whatever) and your actual backend servers that serve the PHP (perl/ruby/fastcgi/whatever) request......

Re:SSL just encrypts the channel. (1)

Anonymous Coward | more than 2 years ago | (#39831203)

Except if the target is using the IPS behind a TLS concentrator.

If the target is big enough to have an IPS, there is a relatively good chance that they've also got a TLS concentrator.

CAPTCHA: "possible"

The internet is a series of pipes! (1)

Zero__Kelvin (151819) | more than 2 years ago | (#39835131)

OK. I guess you don't quite understand how SSL works. Think of SSL as a really long pipe between your house and a water processing plant that nobody can penetrate outside your house and the water processing plant. It doesn't stop the processing plant from detecting if the water is bad. It keeps people located outside the water plant from tapping into the pipe and testing the water's quality. In fact they can't even tell if there is water in it.

Re:SSL can be kinda like a weight lifting belt.. (-1)

Anonymous Coward | more than 2 years ago | (#39829697)

> Unfortunately, attackers can attack a poorly written script over HTTPS exactly as easily as via HTTP, compromise it, and steal information (or whatever) just fine.

*ahem*

ITYM infringe-copywritingly.
-Your Friendly Neighbour Slashdrone

Not copyright either (1)

tepples (727027) | more than 2 years ago | (#39831261)

The sort of "stealing" here isn't related to copyright as much as to credentials, which are more like trade secrets and in a way even like trademarks in that they assert that something has been produced by a particular party.

JS injection, SSL is the least of your problems (3, Interesting)

Anonymous Coward | more than 2 years ago | (#39829661)

If you can inject JS into a secure site, BEAST is the least of your concerns.

This is them trying to gain awareness of an XSS assisted attack.

XSS can be more dangerous than the actual traffic.

They are just checking if servers support backwards compliance for older users who would not be able to use SSL otherwise.

This is like saying all sites that have custom rules to make older IE play nice are insecure.

No SNI, that's very trustworthy of a study (5, Interesting)

kangsterizer (1698322) | more than 2 years ago | (#39829705)

So I tried my SNI enabled domain, which redirects to a dummy domain if you don't support SNI.

And https://www.ssllabs.com/ssltest [ssllabs.com] doesn't work with the SNI domain, thinking my certificate is invalid.

So a few things:

* It's sponsored by Qualys, I don't see how that's trustworthy. You see that only once you do the actual validation. They're here to make money like any other corporation. Nonprofit stuff? Bitch please.
* It doesn't work with SNI so there are millions of domains wrongly counted as invalid
* Their cert isn't even an EV cert

Re:No SNI, that's very trustworthy of a study (1)

Qzukk (229616) | more than 2 years ago | (#39830015)

You see that only once you do the actual validation

You mean the "Qualys SSL Labs" site title and logo and (c) Qualys inc wasn't enough to tip you off?

Did anyone ever figure out how the fuck BEAST worked in the first place? Last I heard it's some javascript that apparently magically appears in the browser and does some stuff which lets a sniffer figure out some of the cookies. If they're running arbitrary code on the server or the client (the PoC used a Java bug to violate same-origin [theregister.co.uk] and rather than just submitting the cookie variable to the evil server like everyone else, they ran the exploit to calculate the cookie), then I think block-chaining is the least of everyone's worries.

I'm guessing that it's still worth fixing since whatever the script does, someone may inadvertently do it by hand while a bad guy is watching.

Re:No SNI, that's very trustworthy of a study (3, Insightful)

ivan.ristic (631774) | more than 2 years ago | (#39830407)

It would definitely be nice if the test supported SNI (it will soon), but, in our test, SNI is not very important for public SSL. If you are running a public web site you want people to see it, and, across the global audience, too many people cannot use it, which is why public sites don't use it either. The fact that our test does not support SNI has no effect on SSL Pulse, because it uses the results only from the sites with certificates we could validate.

Re:No SNI, that's very trustworthy of a study (2)

pjt33 (739471) | more than 2 years ago | (#39830477)

If you are running a public web site you want people to see it, and, across the global audience, too many people cannot use it, which is why public sites don't use it either.

Doesn't the same argument explain why many sites still use old versions of SSL?

Re:No SNI, that's very trustworthy of a study (2)

ivan.ristic (631774) | more than 2 years ago | (#39830529)

Yes, to some extent. But it does not explain why about 33% of the servers surveyed support SSL v2.0, which virtually no client wants to use, and which is also insecure. I think it's a combination of 1) using the defaults, 2) not caring, and 3) being afraid that something will break.

Re:No SNI, that's very trustworthy of a study (4, Insightful)

julesh (229690) | more than 2 years ago | (#39831815)

But it does not explain why about 33% of the servers surveyed support SSL v2.0, which virtually no client wants to use, and which is also insecure.

Because, as a server operator, I don't especially care if clients are spoofed. I don't perform any authentication of their identities anyway, so my security doesn't decrease.

If the client wants to use an insecure protocol (or is incorrectly configured to use an insecure protocol in preference to a new one), then that is the client's concern. I'm not going to stop them if they don't want to -- they can turn off SSL2 in their browser options (most modern browsers ship this way anyway) if they care that much. A properly configured browser will use SSL3 or TLS in preference to SSL2 anyway if the server supports it, which mine does, so most people will never notice.

Speaking purely from a commercial standpoint, denying customers access to my services because they are using an out of date or badly configured system makes no sense.

Re:No SNI, that's very trustworthy of a study (1)

tepples (727027) | more than 2 years ago | (#39836909)

denying customers access to my services because they are using an out of date or badly configured system makes no sense

Unless you are in a sector where you can be held responsible when your users' authentication is compromised, such as banking.

Re:No SNI, that's very trustworthy of a study (1)

julesh (229690) | more than 2 years ago | (#39876907)

denying customers access to my services because they are using an out of date or badly configured system makes no sense

Unless you are in a sector where you can be held responsible when your users' authentication is compromised, such as banking.

Yes, which probably accounts for 1% of all SSL enabled servers, so is statistically insignificant.

No SNI in IE on XP or in Android 2.x (2)

tepples (727027) | more than 2 years ago | (#39831279)

Doesn't the same argument explain why many sites still use old versions of SSL?

Not especially. The vast, vast majority of browsers still in use support SSL 3 or later. The same cannot be said of SNI because a lot of people are still running Internet Explorer for Windows XP or Android Browser for Android 2. I don't think the operator of a public web site can rely on SNI being widely deployed until about 24 months from now, when Internet Explorer for Windows XP leaves extended support.

Re:No SNI in IE on XP or in Android 2.x (1)

Anonymous Coward | more than 2 years ago | (#39831435)

Much longer than that. It's not like millions of pirate copies of XP out there in China, Japan and South Korea [ie6countdown.com] ever get support from MS.
Businesses with legal copies, holding on for dear life to IE6's ActiveX, are probably not as large a number anyway.

CJK users of English sites (1)

tepples (727027) | more than 2 years ago | (#39832855)

Much longer than that. It's not like millions of pirate copies of XP out there in China, Japan and South Korea [running Internet Explorer 6] ever get support from MS.

It's also not like they'd be both 1. interested in primarily English-language or otherwise Latin-alphabet sites and 2. unable to install a competing browser or the Google Chrome Frame browser helper object on their own machine.

Re:No SNI, that's very trustworthy of a study (2)

Lennie (16154) | more than 2 years ago | (#39830721)

Any version of IE and Safari (and very old Chrome) on Windows XP and the Android browser on any Android 2.x do not support SNI.

So that doesn't make SNI very useful on the public Internet right now. :-(

Mixed Content another issue (4, Informative)

gQuigs (913879) | more than 2 years ago | (#39829799)

It's even worse when you consider the sites using mixed content, which passed with flying colors on the analysis. To do a proper test you really need to check every page that uses SSL.

More about mixed content: https://www.eff.org/https-everywhere/deploying-https [eff.org]

Fixing Mixed content is not always so difficult, we replaced image links to use "//" instead of "http://", which allows it to use whatever protocol you are already using. This also works if you still might need to fall back to http:// for whatever archaic reason (or, for us, development).

Re:Mixed Content another issue (-1, Offtopic)

philip.paradis (2580427) | more than 2 years ago | (#39830325)

Fixing Mixed content is not always so difficult, we replaced image links to use "//" instead of "http://", which allows it to use whatever protocol you are already using.

Please tell me you meant "/" instead of "//" there, and that you actually understand how URIs are constructed. Specifically, do you understand how protocol indicators work, and the difference between absolute and relative URIs?

On another note, why did you capitalize "content" in the subject line and "mixed" in the comment body?

Protocol-relative URLs (5, Informative)

djtack (545324) | more than 2 years ago | (#39830445)

No, he meant "//". http://paulirish.com/2010/the-protocol-relative-url/ [paulirish.com]

Re:Protocol-relative URLs (1)

philip.paradis (2580427) | more than 2 years ago | (#39830581)

What you're referencing has always been used as, at best, an ugly hack to accommodate mistakes and bad decisions when representing complete documents transmitted over HTTP(S). At worst (and this is how I view it), it simply serves to perpetuate the abysmal practice of serving data via both encrypted and plaintext channels over the network. This is a terrible idea for many reasons, and should be soundly discouraged at every possible turn.

Re:Protocol-relative URLs (3, Informative)

IAmGarethAdams (990037) | more than 2 years ago | (#39831213)

I prefer to think of it as a way of reducing redundancy.

The web page doesn't care whether it's being served over HTTP or HTTPS, that's only an issue for the web server. So, the web server configuration can have all the rules and redirections to enforce a particular policy, and the web page will work any time that gets updated, without having to have every link in every page rewritten.

Re:Protocol-relative URLs (0)

Anonymous Coward | more than 2 years ago | (#39833369)

Why should you be making two different versions of something because of SSL? You should not be sanitizing or separating your web site, it should all be secure and work properly regardless of the transport protocol.

Re:Protocol-relative URLs (1)

philip.paradis (2580427) | more than 2 years ago | (#39830591)

As a postscript to my last reply, I must admit that I love your sig.

Re:Mixed Content another issue (4, Informative)

ivan.ristic (631774) | more than 2 years ago | (#39830381)

It's even worse than that. Many sites do not use SSL (e.g., for authentication), even when they have it properly configured. We actually did a study of how application-layer issues affect SSL. You can find more information here: http://blog.ivanristic.com/2011/08/so-what-really-breaks-ssl.html [ivanristic.com]
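A small linter for the mixed-content problem gQuigs, philip.paradis and IAmGarethAdams discuss above, as an added example that is not code from the original page, from any commenter, or from SSL Labs. It uses only the Python standard library; the sample page and the hostnames in it (static.example.test, ads.example.test, other.example.test) are constructed for the example. It flags every subresource an HTTPS page would fetch over plain HTTP, distinguishes active content (scripts, frames, stylesheets) from passive (images, media), and can rewrite the flagged URLs either to the protocol-relative "//" form gQuigs describes or to explicit https://, the stricter choice philip.paradis argues for.

```python
"""Find and fix mixed content on an HTTPS page.

Added example, not code from the original page or from SSL Labs. Standard
library only; the sample page and hostnames below are constructed.
"""
import re
from html.parser import HTMLParser

# Tag -> attribute that fetches a subresource. <a href> is navigation, not
# mixed content, so it is deliberately absent.
SUBRESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "link": "href",
    "audio": "src", "video": "src", "source": "src", "embed": "src",
    "object": "data",
}
# Active mixed content can run code or restyle the page; browsers block it.
# Passive content (images, media) is only displayed, but still lets an
# on-path attacker swap it and observe which pages are being read.
ACTIVE_TAGS = {"script", "iframe", "link", "object", "embed"}
STYLE_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")]+)", re.IGNORECASE)


class MixedContentFinder(HTMLParser):
    """Collect every subresource an HTTPS page would fetch over plain HTTP."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, attribute, url, severity)
        self.raw_tags = []   # raw start-tag text per finding, for rewriting

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if value is None:
                continue
            if name == attr and value.lower().startswith("http://"):
                severity = "active" if tag in ACTIVE_TAGS else "passive"
                self._add(tag, name, value, severity)
            elif name == "style":
                for url in STYLE_URL.findall(value):
                    self._add(tag, "style", url, "passive")

    def _add(self, tag, attr, url, severity):
        self.findings.append((tag, attr, url, severity))
        self.raw_tags.append(self.get_starttag_text())


def find_mixed_content(html):
    """Return [(tag, attribute, url, severity)] for every http:// subresource."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def rewrite_mixed_content(html, scheme="//"):
    """Return the page with every flagged URL rewritten to `scheme`.

    scheme="//" gives protocol-relative URLs, the fix gQuigs describes: the
    browser reuses the page's own scheme, so one copy of the markup works
    over HTTP and HTTPS. That only helps when every referenced host also
    serves HTTPS. scheme="https://" pins the resource to TLS regardless of
    how the page was loaded, the stricter choice for an HTTPS-only site.
    Attribute values containing entities (&amp;) are unescaped by the parser
    and would not match the raw tag text; such tags are left untouched.
    """
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    fixes = {}
    for (_, _, url, _), raw in zip(parser.findings, parser.raw_tags):
        fixes.setdefault(raw, []).append(url)
    out = html
    for raw, urls in fixes.items():
        fixed = raw
        for url in urls:
            fixed = fixed.replace(url, scheme + url[len("http://"):])
        out = out.replace(raw, fixed)
    return out


# Constructed sample: a page served at https://www.example.test/.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="https://static.example.test/app.js"></script>
<script src="http://ads.example.test/tracker.js"></script>
</head><body style="background: url(http://static.example.test/bg.png)">
<img src="http://static.example.test/logo.jpg">
<img src="//static.example.test/icon.png">
<a href="http://other.example.test/page">a link is not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, severity in find_mixed_content(SAMPLE_PAGE):
        print("%-7s <%s %s=%s>" % (severity, tag, attr, url))
    print(rewrite_mixed_content(SAMPLE_PAGE, scheme="https://"))
```

Run it against the sample and four findings come back (two active, two passive); the https:// script, the already protocol-relative icon and the plain link are left alone. In practice you would feed it every page that can be served over HTTPS, which is the point gQuigs makes: a handshake test on the front page says nothing about what the other pages load.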

What i find particularly amusing.... (1)

Anonymous Coward | more than 2 years ago | (#39829871)

...is the fact that when I open the site that hosts the article, my browser puts a red, diagonal line over the "https" part of the address field, and claims that it contains "resources which are not secure". Sure, it's probably insignificant, but I have to enjoy the irony, given the topic of the article. :)

Re:What i find particularly amusing.... (2)

Lennie (16154) | more than 2 years ago | (#39830743)

And it isn't just because of the ads, it is also their own content. Some jpgs are loaded from the same hostname over http.

Really? (2)

loxosceles (580563) | more than 2 years ago | (#39830097)

Is this testing for the absence of BEAST workarounds which are present in all current respectable ssl libraries?  Or does it just look for sites using TLS 1.0/SSL3 with block mode ciphers?

Re:Really? (3, Informative)

ivan.ristic (631774) | more than 2 years ago | (#39830415)

It just looks for sites negotiating vulnerable cipher suites with SSL v3 or TLS v1.0. BEAST workarounds have to be implemented client-side, and IIRC they are in most/all modern browsers. The issue, however, is that there is still a large number of users still using older browser versions, which are still vulnerable.

It's a metaphor for slashdot (-1, Offtopic)

samjam (256347) | more than 2 years ago | (#39830107)

It's a metaphor for the eternal slashdot argument between religion and science.
We all knew how to be secure with SSL but somehow we never were!

This is why "science" can't replace "religion".

Science is a philosophy (like religion) but practical science is engineering; and it's so hard to get right even when you (think you) know what you are doing; and you still have to have faith to rely on others doing it right.

Religion has at least two sides, managed superstition (which is false religion and not philosophy) and the quest for truth (which is philosophy).

Science seeks truth which can be discovered by the scientific method which can operate on the planes of existence below us which are subject to our manipulation and therefore repeatable.

Religion seeks truth that must be taught and revealed from planes of existence above us, which are not subject to strict scientific method any more than an ant can do an experiment upon the scientist in whose lab it is being studied. (But yet as parents will sometimes make themselves appear subject to the scientific method in order to teach and be understandable to their children, so might God).

One prophet said: "Religion teaches obedience to laws which are important to society but unenforceable." The truth or value of religious teachings is subject to examination and verification through practice, but as it changes the natures of those performing the experiment it is perhaps less scientific even though it may be satisfying.

The argument is not between "science" and "religion" in those who seek truth rather than to establish their position or authority.

A scientist that makes an error or deceives is as unhelpful to the novice as a religionist that makes an error or deceives. Both being human, both are likely. Seekers of truth cannot afford to make over generalisations from the behaviour of adherents, or take certainty from probability when looking for a needle in a haystack, and do not confuse the comfort of acclaim with accuracy. There is a difference between being right and being told you are right. To want truth is to accept that you might never be satisfied, but hope anyway. (This can be exchanged for social acceptance at any time).

Those who would manipulate the ignorant can do so under the cloak of science, religion, politics or fear, and so on. We cannot be certain that we will always detect such people immediately, and their natures may change mid-course. To treat all religionists or all scientists as proxies for those who manipulate, is to remain deceived.

Religion and science both require trust in the teacher.

The ultimate teacher in religion is not seen but can be known through the teaching process.
I believe that the ultimate teacher in science is the same person.

I am a Mormon, I am a Christian, and I seek truth

Re:It's a metaphor for slashdot (0)

Anonymous Coward | more than 2 years ago | (#39830125)

Mitt?

Re:It's a metaphor for slashdot (0)

Anonymous Coward | more than 2 years ago | (#39830251)

In what way is SSL a metaphor for all that?

Re:It's a metaphor for slashdot (0)

Anonymous Coward | more than 2 years ago | (#39830279)

Please go back to reddit. Thank you.


ha ha ha (0)

Anonymous Coward | more than 2 years ago | (#39830635)

Your connection to threatpost.com is encrypted with 256-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the behavior of the page.

The connection uses TLS 1.0.

The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.

The connection is not compressed.
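The checks Ivan Ristic describes above (BEAST is flagged when a CBC suite is negotiable under SSL 3.0 or TLS 1.0; a third of servers still accept SSL 2.0; insecure renegotiation is tested separately) reduced to a small offline classifier, as an added example that is not SSL Labs' rating code and does not reproduce its scoring methodology. It also parses the browser connection summary quoted in the comment just above and classifies that TLS 1.0 with AES_256_CBC connection as BEAST-affected. The two server profiles are constructed for the example; a real assessment would build them from handshakes, one per protocol and suite, with something like openssl s_client. The suite names are real OpenSSL and IANA names.

```python
"""Classify SSL/TLS server configurations by the SSL Pulse criteria.

Added example, not SSL Labs' rating code: it does not reproduce their
methodology, only the findings the thread discusses. Profiles are
constructed for the example.
"""
import re


def cipher_mode(suite):
    """Return 'aead', 'stream', 'null' or 'cbc' for a suite name.

    Accepts IANA names (TLS_DHE_RSA_WITH_AES_256_CBC_SHA), OpenSSL names
    (DHE-RSA-AES256-SHA, DES-CBC3-SHA) and the short browser form
    (AES_256_CBC). Under SSL 3.0/TLS 1.0 every block cipher runs in CBC
    mode; AEAD suites (GCM/CCM/ChaCha20) only exist from TLS 1.2 on.
    """
    s = suite.upper().replace("-", "_")
    if any(tag in s for tag in ("GCM", "CCM", "CHACHA20")):
        return "aead"
    if "RC4" in s:
        return "stream"
    if "NULL" in s:
        return "null"
    return "cbc"


def beast_vulnerable(protocol, suite):
    """BEAST needs a CBC suite under a protocol with predictable IVs.

    TLS 1.1 introduced explicit per-record IVs, so only SSL 3.0 and
    TLS 1.0 are affected; RC4 and AEAD suites are not CBC at all.
    """
    return protocol in ("SSL 3.0", "TLS 1.0") and cipher_mode(suite) == "cbc"


def assess(profile):
    """Return a list of findings for one server.

    profile["protocols"] maps protocol name -> suites the server will
    negotiate under it; profile["secure_renegotiation"] says whether the
    server supports the RFC 5746 renegotiation_info extension.
    """
    findings = []
    protos = profile["protocols"]
    if "SSL 2.0" in protos:
        findings.append("SSL 2.0 enabled: obsolete and insecure; no modern client needs it")
    beast = [(p, s) for p in ("SSL 3.0", "TLS 1.0")
             for s in protos.get(p, []) if beast_vulnerable(p, s)]
    if beast:
        findings.append("BEAST: %d CBC suite(s) negotiable under SSL 3.0/TLS 1.0, e.g. %s"
                        % (len(beast), beast[0][1]))
    if not profile.get("secure_renegotiation", False):
        findings.append("insecure renegotiation: RFC 5746 not supported")
    if not ("TLS 1.1" in protos or "TLS 1.2" in protos):
        findings.append("no TLS 1.1/1.2: clients cannot negotiate away from TLS 1.0 CBC")
    return findings


# Summary text as Chrome printed it for threatpost.com in the comment above.
BROWSER_INFO = """Your connection to threatpost.com is encrypted with 256-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the behavior of the page.

The connection uses TLS 1.0.

The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism."""

BROWSER_INFO_RE = re.compile(
    r"The connection uses (?P<proto>SSL 3\.0|TLS 1\.[0-3])\.\s*"
    r"The connection is encrypted using (?P<suite>[A-Za-z0-9_]+)")


def parse_browser_info(text):
    """Pull (protocol, suite) out of a browser's connection summary."""
    m = BROWSER_INFO_RE.search(text)
    return (m.group("proto"), m.group("suite")) if m else None


# Constructed profiles: a 2012-era default install, and a hardened one that
# drops SSL 2.0/3.0 and TLS 1.0 entirely (which, as the thread notes, would
# have locked out a fair number of 2012 clients; it is here to show the grader).
DEFAULT_2012 = {
    "protocols": {
        "SSL 2.0": ["RC4-MD5", "DES-CBC3-MD5"],
        "SSL 3.0": ["AES256-SHA", "DES-CBC3-SHA", "RC4-SHA"],
        "TLS 1.0": ["DHE-RSA-AES256-SHA", "AES128-SHA", "RC4-SHA"],
    },
    "secure_renegotiation": False,
}
HARDENED = {
    "protocols": {
        "TLS 1.1": ["ECDHE-RSA-AES128-SHA"],
        "TLS 1.2": ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384"],
    },
    "secure_renegotiation": True,
}

if __name__ == "__main__":
    for name, prof in (("default 2012", DEFAULT_2012), ("hardened", HARDENED)):
        print(name, assess(prof) or ["no findings"])
    proto, suite = parse_browser_info(BROWSER_INFO)
    print(proto, suite, "BEAST-affected" if beast_vulnerable(proto, suite) else "ok")
```

The default profile draws all four findings; the hardened one draws none. Note what the classifier does not say: as Ivan points out, the BEAST mitigation lives in the client, so a server flagged here is only exposed to users on browsers that predate the fix, and the server-side alternative of preferring a non-CBC suite under TLS 1.0 trades one weakness for RC4.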

ssl 2.0 insecure? (1)

leuk_he (194174) | more than 2 years ago | (#39830891)

"is that a third of the sites still support SSL 2.0, a protocol that is considered insecure."

I hope there is no relation between ssl 2.0 and ssh 2.0, what i use to protect my shell sessions...

Re:ssl 2.0 insecure? (4, Informative)

FrangoAssado (561740) | more than 2 years ago | (#39831003)

SSH doesn't use SSL, it has its own transport layer protocol (which is described in RFC 4253).

(To confuse things a bit, OpenSSH does use OpenSSL, but only the cryptography functions. The SSL part of OpenSSL is completely untouched by OpenSSH).

Self-Selecting - Test Not Valid (0)

Anonymous Coward | more than 2 years ago | (#39831221)

The test is unable (due to really poor Java crypto libraries) to negotiate EDH with secure key sizes (it only goes up to 1024 bit).

This could be skewing the data towards older or outdated implementations/configurations.

Re:Self-Selecting - Test Not Valid (1)

ivan.ristic (631774) | more than 2 years ago | (#39832113)

It's not (skewing the data). In the data set covered by SSL Pulse, only 3 sites failed because of that problem.

Not as useful as it might be (1)

Anonymous Coward | more than 2 years ago | (#39835235)

The Qualys SSL Labs SSL Server Test application seems to be a well written web application and a not-so-well written analysis tool.

I tried it with server names that resolved to multiple IP addresses and the behaviour of the SSL Server Test UI changed and showed that someone had put some thought into how the application should work.

The report itself though leaves something to be desired. The Summary section provides a nice clear way for managers to evaluate their systems and provide targets for improvement. e.g. "Go make all our web sites get an overall rating of A". Unfortunately, there is no clear relationship between the Summary section and the Details section, which is the section that lists things that can be fixed. They look closely aligned, but oddities keep coming up. I've been able to compare two web sites, www.google.org and kcert.com, which have the same overall rating, but kcert.com has all sorts of problems listed in the details, while www.google.com has none. If my web site scored B in the summary I might well try and fix some of the problems that kcert.com has because they are the high visibility problems in the report, but apparently they count for nothing. On top of that, www.google.org has nothing wrong listed in its detailed report, but it still only scores 85%. Who knows what magic is required for that last 15%?

One easy fix might be to deploy to IPv6. The report doesn't do IPv6 and if you can't be tested, then you can't fail.

Re:Not as useful as it might be (1)

ivan.ristic (631774) | more than 2 years ago | (#39845629)

You are right that the score does not always correspond to the findings. This is because the rating methodology was designed back in 2009, whereas the assessment tool continued to evolve. I need to go back and update the methodology knowing what I know now. As for the score, 85% is a great score. Having a better score is of course, possible, but usually comes at performance cost.

