[WEB SECURITY] Announcing the SSL Rating Guide and the Public SSL Server Database

Bil Corry bil at corry.biz
Fri Jul 24 11:58:10 EDT 2009

Ivan Ristic wrote on 7/24/2009 4:41 AM: 
> Although it is still nominally a draft, it's complete as far as I am
> concerned. I would appreciate if you sent me some feedback (positive
> and negative), after which I will be able to declare this edition
> (2009) done.

You should add that MD5 must not be used for the Certificate Signature Algorithm and consider scoring the site as 0 if used:

Do not use the MD5 algorithm
Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.

> I have also released my online service that tracks public SSL servers:
>     https://www.ssllabs.com/ssldb/

Your online service looks very handy to help educate site owners.  You may wish to consider allowing alternate ports to be specified and possibly allow an opt-out option from being shown in the recent results -- or maybe that's the idea of tracking only public SSL servers?  Finally, one small nit, it asks for the "Domain name" but I think you're really asking for the "Host name".

- Bil
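The check Bil proposes above (rate a site 0 when its certificate is signed with MD5) and the alternate-port point, as an added example in Python that is not part of the original message and not SSL Labs' own code. It reads the outer signatureAlgorithm field of a DER certificate directly, so it needs only the standard library; build_sample_cert constructs a placeholder certificate-shaped DER object purely to exercise the parser, and the score function, its names, and the base score of 85 are assumptions for the example, not the guide's own scoring rules.

```python
"""Cap a server's rating at 0 when its certificate signature algorithm is MD5-based."""
import ssl

# PKCS#1 signature algorithm OIDs this check recognises (names per RFC 3279 / RFC 4055).
MD5_SIGNATURE_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption"}
KNOWN_SIGNATURE_OIDS = {
    **MD5_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes to dotted form (base-128 arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                      # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Return the OID from the outer signatureAlgorithm of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)         # skip tbsCertificate entirely
    tag, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def score_certificate(cert_der: bytes, base_score: int):
    """Apply the MD5 rule: an MD5-signed certificate drives the whole score to 0."""
    oid = signature_algorithm_oid(cert_der)
    name = KNOWN_SIGNATURE_OIDS.get(oid, oid)
    if oid in MD5_SIGNATURE_OIDS:
        return 0, f"{name}: MD5 certificate signature, site rated 0"
    return base_score, f"{name}: signature algorithm does not cap the score"


# --- constructed sample data (not a real certificate) ------------------------------
def _tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_sample_cert(sig_oid: str) -> bytes:
    """Certificate-shaped DER with a placeholder tbsCertificate and a dummy signature.

    Only the outer structure is faithful to X.509; it exists to exercise the parser,
    including the long-form lengths a real certificate uses.
    """
    tbs = _tlv(0x30, _tlv(0x02, b"\x02"))                    # placeholder INTEGER inside
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")     # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" + b"\x00" * 128)                # BIT STRING, 0 unused bits
    return _tlv(0x30, tbs + alg + sig)


def check_server(host: str, port: int = 443, base_score: int = 85):
    """Live variant: fetch the leaf certificate from host:port (any port, not just 443)."""
    pem = ssl.get_server_certificate((host, port))
    return score_certificate(ssl.PEM_cert_to_DER_cert(pem), base_score)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"):
        print(score_certificate(build_sample_cert(oid), base_score=85))
```

check_server takes an explicit port so a rater can cover services that do not sit on 443; the offline functions are the ones exercised here, and the live call is left to the reader's own hosts.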
