SSL Labs Grading Redesign (Preview 1)
Last updated on: October 21, 2021
We’re excited to share with you the first preview of our next-generation grading. This is something that’s long overdue: for lack of time, we have so far kept patching the first-generation grading to keep up with the times. Now, finally, we’re taking the next necessary steps to modernise how we grade servers based on our assessments.
Grading Redesign Goals
Before I show you the new version of the grading, I’d like to explain what we set out to achieve:
- Cleanup. SSL Labs grading was initially designed around numerical scores in various categories. That approach worked for a period of time, back when most cryptographic elements appeared to be relatively secure. This system is still employed at the core, but it’s now largely obsolete and complicates the work.
- Simplification and assessment decoupling. Our new goal is to make it easier to understand how grading is done and, perhaps more importantly, to enable others to replicate our results. In other words, we wish to decouple the grading logic from our assessment implementation.
- Meaningful grades. Although the A-F grading we have in place works well, we’re not making full use of the entire grade range. Additionally, the grades don’t have defined meanings, which makes it more difficult to keep the grading approach consistent over time.
- Even better security. Finally, we want the next major update to push security forward by requiring more of servers. This is something we’ve done regularly over the years, and this time is not going to be an exception.
Preview 1 Reveal
Without further ado, we’re releasing a Preview:
The focus of this release is on the grading algorithm concept (i.e., the way rules are defined, specified, and processed). Although the rules themselves resemble what will eventually become the next-generation criteria, they haven’t been fully tuned. In fact, our next step will be to specify the grading storage formats and build a proof-of-concept tool to compare the current grades with the future version. We intend to use this tool to refine the grades over the following months.
If it’s the criteria only that you’re interested in, please refer to my earlier blog post on this topic.
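To make the rule-driven concept above concrete, here is an added illustration written for this page; it is not SSL Labs’ grader, and the rules in it are hypothetical placeholders rather than SSL Labs’ actual criteria. Rules live as plain JSON-compatible data (the "storage format" the post says is still to be specified), a small engine applies them to an assessment record so that grading is decoupled from how the assessment itself was produced, and a comparison helper of the kind the post describes as the next step grades the same records under two rule sets and reports where they diverge. The field names, the sample assessment records, the grade ladder and the two rule sets are all assumptions.

```python
"""Illustrative data-driven TLS grading engine (added example, not SSL Labs code)."""
import json

# Grade ladder, worst to best. "T" (certificate not trusted) is an override,
# not a rung: a trust failure should dominate every other finding.
GRADES = ["F", "E", "D", "C", "B", "A-", "A", "A+"]

# Hypothetical rules, stored as data so they can be versioned and shared.
# NOT SSL Labs' actual criteria; the thresholds are placeholders.
RULES_V1 = json.loads("""
[
  {"id": "ssl3",    "when": {"field": "protocols", "op": "contains", "value": "SSLv3"},
   "action": "fail", "reason": "SSL 3.0 supported"},
  {"id": "tls10",   "when": {"field": "protocols", "op": "contains", "value": "TLSv1.0"},
   "action": "cap", "grade": "B", "reason": "TLS 1.0 supported"},
  {"id": "rsa1024", "when": {"field": "key_bits", "op": "lt", "value": 2048},
   "action": "cap", "grade": "B", "reason": "key shorter than 2048 bits"},
  {"id": "no_fs",   "when": {"field": "forward_secrecy", "op": "eq", "value": false},
   "action": "cap", "grade": "B", "reason": "no forward secrecy"},
  {"id": "trust",   "when": {"field": "cert_trusted", "op": "eq", "value": false},
   "action": "untrusted", "reason": "certificate chain not trusted"}
]
""")

# A stricter revision: same engine, different data. TLS 1.0 now fails outright
# and an HTTPS-to-HTTP redirect (the practice a reader raises in the comments
# on this page) is penalised. Both changes are illustrative assumptions.
RULES_V2 = [dict(r, action="fail") if r["id"] == "tls10" else r for r in RULES_V1] + [
    {"id": "http_redirect", "when": {"field": "redirects_to_http", "op": "eq", "value": True},
     "action": "fail", "reason": "HTTPS redirects to plain HTTP"},
]

# The only code that knows how to evaluate a condition. Adding an operator here
# does not require touching any rule or any assessment code.
OPS = {
    "contains": lambda actual, v: actual is not None and v in actual,
    "eq": lambda actual, v: actual == v,
    "lt": lambda actual, v: actual is not None and actual < v,
}


def matches(record, cond):
    """Evaluate one rule condition against an assessment record."""
    op = OPS[cond["op"]]  # an unknown operator is a rule-spec error; fail loudly
    return op(record.get(cond["field"]), cond["value"])


def grade(record, rules):
    """Return (grade, triggered rule ids).

    Caps compose as a minimum, 'fail' pins the grade to F, and 'untrusted'
    returns T regardless of everything else.
    """
    cap = len(GRADES) - 1
    hits = []
    untrusted = False
    for rule in rules:
        if not matches(record, rule["when"]):
            continue
        hits.append(rule["id"])
        if rule["action"] == "fail":
            cap = 0
        elif rule["action"] == "cap":
            cap = min(cap, GRADES.index(rule["grade"]))
        elif rule["action"] == "untrusted":
            untrusted = True
        else:
            raise ValueError(f"unknown action {rule['action']!r} in rule {rule['id']}")
    return ("T" if untrusted else GRADES[cap]), hits


def compare(records, old_rules, new_rules):
    """Grade every record under both rule sets; report the ones that change."""
    diffs = []
    for host, rec in records.items():
        old, _ = grade(rec, old_rules)
        new, _ = grade(rec, new_rules)
        if old != new:
            diffs.append((host, old, new))
    return diffs


# Constructed sample assessment records (not real scan results). The engine
# never cares how these were gathered, which is the decoupling the post wants.
ASSESSMENTS = {
    "good.example":       {"protocols": ["TLSv1.2", "TLSv1.3"], "key_bits": 2048,
                           "forward_secrecy": True, "cert_trusted": True, "redirects_to_http": False},
    "legacy.example":     {"protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"], "key_bits": 2048,
                           "forward_secrecy": True, "cert_trusted": True, "redirects_to_http": False},
    "broken.example":     {"protocols": ["SSLv3", "TLSv1.2"], "key_bits": 1024,
                           "forward_secrecy": False, "cert_trusted": True, "redirects_to_http": False},
    "selfsigned.example": {"protocols": ["TLSv1.2"], "key_bits": 2048,
                           "forward_secrecy": True, "cert_trusted": False, "redirects_to_http": False},
    "downgrade.example":  {"protocols": ["TLSv1.2"], "key_bits": 2048,
                           "forward_secrecy": True, "cert_trusted": True, "redirects_to_http": True},
}

if __name__ == "__main__":
    for host, rec in ASSESSMENTS.items():
        print(host, grade(rec, RULES_V1), grade(rec, RULES_V2))
    print("changed by V2:", compare(ASSESSMENTS, RULES_V1, RULES_V2))
```

Because every rule carries an `id` and a `reason`, the engine can explain a grade as a list of triggered rules, which is what lets a third party replicate a result from the same assessment data; the comparison helper is the simplest form of the tool the post plans to use when tuning the new criteria against the current grades.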
I notice SSL Labs no longer highlights ChaCha20 suites when preferred on non-AESNI-accelerated platforms.
Is this a bug, or is that behavior not really used by clients anymore?
Can you share a link to a site where you expect a highlight for ChaCha20? AFAIK, SSL Labs didn’t make any changes in this area. Also, I’ve noticed recently that some of the site operators prefer ChaCha20 in a way that makes it difficult to test. That’s because they make their decisions based on a few known devices, not in a general sense (i.e., based on the order of offered cipher suites and so on).
Sorry for the late reply. Sites that I had seen highlight ChaCha20 have been most Google domains and any website proxied through Cloudflare. Both those services have been configured to prefer ChaCha20 suites on systems that do not have a CPU with AES-NI acceleration.
I don’t think anything has changed on the SSL Labs side. Having spent some time recently looking at how Cloudflare select their suites, I think it’s more likely that they had changed their selection logic into something where ChaCha20 preference can’t be detected in a straightforward fashion.
Sorry for the late reply, but here are my findings on 8/19/17:
I just tested a Cloudflare Enterprise customer (I assume they are Enterprise because they use custom nameservers) and the ChaCha20 highlighting works. They happen to have TLS 1.3 Draft 18 disabled.
I tested what used to be a free customer (it now turns out they are Business or Enterprise, since the certificate only holds the Cloudflare SSL and one domain). They have TLS 1.3 Draft 18 enabled, and the highlighting is not working.
Perhaps there is a conflict between the TLS 1.3 Draft 18 scanner and the detection of ChaCha20 preference on TLS 1.2?
Hi, I noticed some sites redirect HTTPS to HTTP, and currently still get an A grade. There should also be a rule to penalize that practice to F/T.
Thanks.