From the SSL/TLS perspective, 2014 was quite an eventful year. The best way to describe what we at SSL Labs did is we kept running to stay in the same place. What I mean by this is that we spent a lot of time reacting to high profile vulnerabilities: Heartbleed, the ChangeCipherSpec protocol issue in OpenSSL, POODLE (against SSL 3 in October and against TLS in December), and others. Ultimately, this has been a very successful year for us, with millions of assessments carried out.
We have just deployed what is principally our last update for 2014, bringing several improvements and refinements:
- We made a series of improvements to our grading criteria, to keep up with recent discoveries and continue to nudge site operators to improve their configurations:
- Servers that support SSL 3 are now capped at B (C if vulnerable to POODLE).
- Grade F given to servers that support only SSL 3.
- Servers that support RC4 are capped at B.
- Incomplete certificate chains capped at B.
- A+ servers are now expected to support TLS_FALLBACK_SCSV and have a SHA2 certificate chain.
- The Client Capabilities test has been extended to test client support for all protocol versions, from the first SSL 2 until the most recent TLS 1.2. There have been many improvements to handle various edge cases.
- Our SSL/TLS Deployment Best Practices guide has been fully updated.
- SSL Labs APIs and our open source client tool for automated bulk testing have become available for early access. We are very excited about our making our APIs publicly available and hope that this will make it easier for system administrators to keep an eye on their systems.
- There have been many small improvements throughout, thanks for the attention to detail of the members of our growing SSL Labs community.
According to SSL Pulse, before these changes we had about 24% secure servers. Now, the latest results (not yet released, but will be soon) show that number drop down to 11%. This shows that others, too, have to “run” in the same way that we do.
Naturally, we have many plans for 2015, but we’ll talk about them in a couple of weeks. In the meantime, I hope that you will enjoy the SSL Labs updates.