[WEB SECURITY] Announcing the SSL Rating Guide and the Public SSL Server Database
Ivan Ristic
ivan.ristic at gmail.com
Sun Jul 26 09:11:30 EDT 2009
On Fri, Jul 24, 2009 at 4:58 PM, Bil Corry <bil at corry.biz> wrote:
> Ivan Ristic wrote on 7/24/2009 4:41 AM:
>> Although it is still nominally a draft, it's complete as far as I am
>> concerned. I would appreciate if you sent me some feedback (positive
>> and negative), after which I will be able to declare this edition
>> (2009) done.
>
> You should add that MD5 must not be used for the Certificate Signature Algorithm and consider scoring the site as 0 if used:
I agree that the use of MD5 should be discouraged, but I think forcing
a zero score would be overkill. I am considering changing the way the
certificate is scored now (it's either 0 or 100) to include factors such
as signatures, validation type (e.g. EV certificates should be given a
higher score), etc.
> -----
> Do not use the MD5 algorithm
> Software developers, Certification Authorities, website owners, and users should avoid using the MD5 algorithm in any capacity. As previous research has demonstrated, it should be considered cryptographically broken and unsuitable for further use.
>
> http://www.kb.cert.org/vuls/id/836068
> -----
>
>
>> I have also released my online service that tracks public SSL servers:
>>
>> https://www.ssllabs.com/ssldb/
>
> Your online service looks very handy to help educate site owners. You may wish to consider allowing alternate ports to be specified and possibly allow an opt-out option from being shown in the recent results -- or maybe that's the idea of tracking only public SSL servers?
I'd like to think of the assessment service as a public service. It's
only fair for the results to be public too.
> Finally, one small nit, it asks for the "Domain name" but I think you're really asking for the "Host name".
I am not sure what you mean exactly, but I think the term "domain
name" is suitable. There are only subtle differences between domain
names and host names anyway. In the case of SSL servers, since
multiple domain names can map to a single host name, I think it's more
accurate to use the former. The term will make even more sense once
Server Name Indication enters widespread use.
Also, I list the host name near the end of the assessment page.
> - Bil
>
>
--
Ivan Ristic
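The MD5 point raised in the thread can be checked mechanically. The following is an added example, not code from the SSL Labs service or from either correspondent: it walks the outer DER structure of an X.509 certificate with a small tag-length-value parser, decodes the signatureAlgorithm OID, and flags the md5WithRSAEncryption family. The OID table is from PKCS#1; the sample certificate is a constructed DER skeleton carrying the MD5 OID, not a real certificate.

```python
"""Flag X.509 certificates whose outer signature algorithm is MD5-based.

Added example (not SSL Labs code). Structure walked, per RFC 5280:

    Certificate ::= SEQUENCE {
        tbsCertificate      SEQUENCE,
        signatureAlgorithm  SEQUENCE { OBJECT IDENTIFIER, parameters },
        signatureValue      BIT STRING }
"""

# PKCS#1 signature OIDs (RFC 8017); names are used only for reporting.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

# Constructed OID content octets (DER encoding of the dotted arcs above).
MD5_OID = bytes.fromhex("2a864886f70d010104")
SHA256_OID = bytes.fromhex("2a864886f70d01010b")


def read_tlv(data: bytes, offset: int):
    """Parse one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    value = data[offset:offset + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, offset + length


def decode_oid(raw: bytes) -> str:
    """Decode OID content octets into dotted form (e.g. 1.2.840.113549.1.1.4)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit terminates the multi-octet arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der: bytes) -> str:
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, off = read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg_id, _ = read_tlv(cert, off)   # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def uses_md5(cert_der: bytes) -> bool:
    """True when the certificate is signed with an MD5-based algorithm."""
    return SIGNATURE_OIDS.get(signature_algorithm(cert_der), "").startswith("md5")


def build_sample(oid_content: bytes) -> bytes:
    """Constructed DER skeleton: stub tbsCertificate, given signature OID, empty signature."""
    tbs = b"\x30\x03\x02\x01\x02"  # SEQUENCE { INTEGER 2 } stands in for tbsCertificate
    alg = (b"\x30" + bytes([len(oid_content) + 4])
           + b"\x06" + bytes([len(oid_content)]) + oid_content + b"\x05\x00")
    sig = b"\x03\x01\x00"  # BIT STRING with zero unused bits and no content
    body = tbs + alg + sig
    return b"\x30" + bytes([len(body)]) + body


if __name__ == "__main__":
    for label, oid in (("md5 sample", MD5_OID), ("sha256 sample", SHA256_OID)):
        der = build_sample(oid)
        name = SIGNATURE_OIDS.get(signature_algorithm(der), "unknown")
        print(f"{label}: {name} -> {'REJECT' if uses_md5(der) else 'ok'}")
```

For a real certificate, convert PEM text to DER with the standard library's `ssl.PEM_cert_to_DER_cert()` and pass the result to `uses_md5()`. A fuller check would also read the `signature` AlgorithmIdentifier inside tbsCertificate, which RFC 5280 requires to match the outer one; this example only inspects the outer field, which is the one the signature was actually produced with.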