Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Get HideMyAss! VPN, PC Mag's Top 10 VPNs of 2016 for 55% off for a Limited Time ×
Security

Ivan Ristic and SSL Labs: How One Man Changed the Way We Understand SSL 25

An anonymous reader writes: Ivan Ristic is well-known in the information security world, and his name has become almost a synonym for SSL Labs, a project he started in early 2009. Before that, he was mostly known for his work with OWASP and the development of the wildly popular open source web application firewall ModSecurity. While SSL Labs was something Ristic worked on in his spare time, over time it became his main focus. In fact, over the years, the project incorporated a great number of checks that are impossible to perform manually. It's a game changer because, to assess your TLS configuration, you don't need to be an expert. Read the story about the project's evolution on Help Net Security.
This discussion has been archived. No new comments can be posted.

Ivan Ristic and SSL Labs: How One Man Changed the Way We Understand SSL

Comments Filter:
  • I can't recommend the book Ivan wrote on SSL and TLS. Bulletproof SSL and TLS gives a very good overview of how SSL and TLS operate, explains some of the attacks used against SSL/TLS, and gives some information on how to configure TLS.

    I also find SSL labs to be a great tool to evaluate web sites of vendors and company hosted sites.

  • Why is it that Google (a company that no doubt employs some very smart people) cant fix google.com (one of the most popular sites on the entire internet) so it gets an A grade from this SSL test?
    YouTube (another Google asset) also gets a similarly poor grade.

    In fact every Google-owned domain I tested ALL get the B grade. Does Google not have any people on staff who understand SSL security?

    • by chill ( 34294 )

      If you click on one of the reported IP addresses it tells you what the issues are. In Google's case it is still accepting SSL v3 and a couple of certificates signed with SHA1.

    • by watermark ( 913726 ) on Wednesday November 11, 2015 @07:58PM (#50911929)

      IE6 and some other older OSes don't support the new stuff (tm). The very fact that they even support the old stuff (tm) gives them a lower rating. They are a company that profits on Everyone being able to access the site, which unfortunately, somewhat compromises the security of everyone else.

      • If I'm running a website, I don't care if some fool running a 10 year old browser can't hit my site. I might not even want him to.
    • Why is it that Google (a company that no doubt employs some very smart people) cant fix google.com (one of the most popular sites on the entire internet) so it gets an A grade from this SSL test?

      The test is somewhat subjective. For example when I checked at one point if you used triple DES, a strong, unbroken cipher, you got marked down, but if you bought your cert from a CA that's been caught issuing fake certs, was pwned by (allegedly) Iranian hackers, or is run by the Chinese military, you were regarded as OK. The site provides a good service overall, but some of the criteria it applies are pretty subjective.

    • It is all about risk management. SSL Labs takes a very pessimistic view on the technical implementation of SSL/TLS. Many times the risk when you have a score of B, doesn't justify the expense of making changes to get an A.
  • does this wonder stuff use that openssl crap if run on posix systems?

  • Even though it existed at this time, even SSL Labs did not bother with TLS 1.1/1.2 in the early days! SSL Labs also choked on anything stronger than 1024-bit DHE due to the use of JSSE. Of course both of these problems has been long fixed.

Unix soit qui mal y pense [Unix to him who evil thinks?]

Working...