Ivan Ristic and SSL Labs: How One Man Changed the Way We Understand SSL

An anonymous reader writes: Ivan Ristic is well-known in the information security world, and his name has become almost a synonym for SSL Labs, a project he started in early 2009. Before that, he was mostly known for his work with OWASP and the development of the wildly popular open source web application firewall ModSecurity. While SSL Labs was something Ristic worked on in his spare time, over time it became his main focus. In fact, over the years, the project incorporated a great number of checks that are impossible to perform manually. It's a game changer because, to assess your TLS configuration, you don't need to be an expert. Read the story about the project's evolution on Help Net Security.

Bulletproof SSL and TLS, get it, read it, live it

[ageoffri]

I can't recommend the book Ivan wrote on SSL and TLS. Bulletproof SSL and TLS gives a very good overview of how SSL and TLS operate, explains some of the attacks used against SSL/TLS, and gives some information on how to configure TLS.

I also find SSL labs to be a great tool to evaluate web sites of vendors and company hosted sites.

Re:Bulletproof SSL and TLS, get it, read it, live

[beernutz]

Do you mean that you can't recommend it ENOUGH? I know these kind of corrections can seem pedantic, but the omission of a word in this case completely changes the meaning.

Re: Bulletproof SSL and TLS, get it, read it, live

[Anonymous Coward]

No it does.

Re:

[arglebargle_xiv]

A kiwi is a creature that eats roots and leaves.

Re:

[BoogieChile]

The hairy nosed wombat is a creature that eats roots shoots and leaves

Re:

[Jack Griffin]

Shhh... don't tell anyone about SSL Labs. I know next to nothing about security but am now the security expert thanks to this site.
I can test a site, come back and throw around some security jargon about why the site isn't secure, "Oh your cipher suites appear to be incompatible, and your hashing algorithm is out of date" and customers throw money at me to fix it.
I don't even know what half of that stuff means, but if more people know about it, I'll be forced to find real work...

Re:

[KGIII]

It's okay. The only thing I know about ModSecurity is that I should enable it when I bang out bad PHP.

Re:

[grep -v '.*' *]

I agree. And punctuation can be somewhat important as well. For example:

Let's eat, grandma.
Let's eat grandma.

Re:

[ageoffri]

Yeah, simple typo that no one can fix in the year 2015. The book is excellent.

Several big websites get poor grades

[jonwil]

Why is it that Google (a company that no doubt employs some very smart people) cant fix google.com (one of the most popular sites on the entire internet) so it gets an A grade from this SSL test?
YouTube (another Google asset) also gets a similarly poor grade.

In fact every Google-owned domain I tested ALL get the B grade. Does Google not have any people on staff who understand SSL security?

Re:

[chill]

If you click on one of the reported IP addresses it tells you what the issues are. In Google's case it is still accepting SSL v3 and a couple of certificates signed with SHA1.

Re:Several big websites get poor grades

[watermark]

IE6 and some other older OSes don't support the new stuff (tm). The very fact that they even support the old stuff (tm) gives them a lower rating. They are a company that profits on Everyone being able to access the site, which unfortunately, somewhat compromises the security of everyone else.

Re:

[operagost]

If I'm running a website, I don't care if some fool running a 10 year old browser can't hit my site. I might not even want him to.

Re:

[arglebargle_xiv]

Why is it that Google (a company that no doubt employs some very smart people) cant fix google.com (one of the most popular sites on the entire internet) so it gets an A grade from this SSL test?

The test is somewhat subjective. For example when I checked at one point if you used triple DES, a strong, unbroken cipher, you got marked down, but if you bought your cert from a CA that's been caught issuing fake certs, was pwned by (allegedly) Iranian hackers, or is run by the Chinese military, you were regarded as OK. The site provides a good service overall, but some of the criteria it applies are pretty subjective.

Re:

[ageoffri]

It is all about risk management. SSL Labs takes a very pessimistic view on the technical implementation of SSL/TLS. Many times the risk when you have a score of B, doesn't justify the expense of making changes to get an A.

Re:

[Morris von Habsburg]

It's not about what average user of SSL Labs understands about it. That's why it uses just a couple of letter grades to communicate an overview of the findings. The most important part is that ordinary users can go to their hoster or a website owner and ask them why their site gets a 'D'. The people who run those web servers will know more about the detailed findings of SSL Labs and implement them accordingly.

A personal example. I know a thing or two about SSL/TLS but some things on the SSL Labs results pag

wait a sec

[iggymanz]

does this wonder stuff use that openssl crap if run on posix systems?

Trivia about the early days of SSL Labs

[yuhong]

Even though it existed at this time, even SSL Labs did not bother with TLS 1.1/1.2 in the early days! SSL Labs also choked on anything stronger than 1024-bit DHE due to the use of JSSE. Of course both of these problems has been long fixed.