Slashdot Mirror


Ivan Ristic and SSL Labs: How One Man Changed the Way We Understand SSL

An anonymous reader writes: Ivan Ristic is well-known in the information security world, and his name has become almost a synonym for SSL Labs, a project he started in early 2009. Before that, he was mostly known for his work with OWASP and the development of the wildly popular open source web application firewall ModSecurity. While SSL Labs was something Ristic worked on in his spare time, over time it became his main focus. In fact, over the years, the project incorporated a great number of checks that are impossible to perform manually. It's a game changer because, to assess your TLS configuration, you don't need to be an expert. Read the story about the project's evolution on Help Net Security.

25 comments

  1. Bulletproof SSL and TLS, get it, read it, live it by ageoffri · · Score: 1, Interesting
    I can't recommend the book Ivan wrote on SSL and TLS. Bulletproof SSL and TLS gives a very good overview of how SSL and TLS operate, explains some of the attacks used against SSL/TLS, and gives some information on how to configure TLS.

    I also find SSL labs to be a great tool to evaluate web sites of vendors and company hosted sites.

    --
    -- Slashdot, making the Left look conservative since 1997.
  2. Re:Bulletproof SSL and TLS, get it, read it, live by beernutz · · Score: 4, Informative

    Do you mean that you can't recommend it ENOUGH? I know these kind of corrections can seem pedantic, but the omission of a word in this case completely changes the meaning.

    --
    (stolen from DaBum) I am dyslexia of borg - your ass will be laminated.
  3. Re: Bulletproof SSL and TLS, get it, read it, live by Anonymous Coward · · Score: 1

    No it does.

  4. Several big websites get poor grades by jonwil · · Score: 1

Why is it that Google (a company that no doubt employs some very smart people) can't fix google.com (one of the most popular sites on the entire internet) so it gets an A grade from this SSL test?
    YouTube (another Google asset) also gets a similarly poor grade.

In fact, every Google-owned domain I tested gets the B grade. Does Google not have any people on staff who understand SSL security?

    1. Re:Several big websites get poor grades by chill · · Score: 1

      If you click on one of the reported IP addresses it tells you what the issues are. In Google's case it is still accepting SSL v3 and a couple of certificates signed with SHA1.

      --
      Learning HOW to think is more important than learning WHAT to think.
    2. Re:Several big websites get poor grades by Anonymous Coward · · Score: 0

Google does understand SSL security and also that it doesn't directly benefit them. Google's bottom line is more directly influenced by the number of its advertising eyeballs, a significant fraction of which doesn't support anything beyond SSL3 or SHA1. Even in 2015. People run some really ancient shit and if Google wants to make money off 'em, Google cannot fix the problem.

    3. Re:Several big websites get poor grades by watermark · · Score: 4, Informative

      IE6 and some other older OSes don't support the new stuff (tm). The very fact that they even support the old stuff (tm) gives them a lower rating. They are a company that profits on Everyone being able to access the site, which unfortunately, somewhat compromises the security of everyone else.

    4. Re:Several big websites get poor grades by Anonymous Coward · · Score: 0

      Right, that's why this kind of tool to give them terrible grades is important.

      I kinda wish that Firefox would ship by default something that grades the SSL level of the site so that banks and such get a black mark for using low quality crap.

      I know some who are damned lazy bums about updating things. I have some who come running to me after every PCI audit, at which time I tell them they're way behind on their updates and they should have followed our security announcements because we patched the issue they identified long ago.

    5. Re:Several big websites get poor grades by arglebargle_xiv · · Score: 1

> Why is it that Google (a company that no doubt employs some very smart people) can't fix google.com (one of the most popular sites on the entire internet) so it gets an A grade from this SSL test?

      The test is somewhat subjective. For example when I checked at one point if you used triple DES, a strong, unbroken cipher, you got marked down, but if you bought your cert from a CA that's been caught issuing fake certs, was pwned by (allegedly) Iranian hackers, or is run by the Chinese military, you were regarded as OK. The site provides a good service overall, but some of the criteria it applies are pretty subjective.

    6. Re:Several big websites get poor grades by Anonymous Coward · · Score: 0

      > I kinda wish that Firefox would ship by default something that grades the SSL level of the site

      Not default, but the Calomel plugin is a great visual feedback for SSL...

    7. Re:Several big websites get poor grades by operagost · · Score: 1

      If I'm running a website, I don't care if some fool running a 10 year old browser can't hit my site. I might not even want him to.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    8. Re:Several big websites get poor grades by ageoffri · · Score: 1

It is all about risk management. SSL Labs takes a very pessimistic view on the technical implementation of SSL/TLS. Many times the risk when you have a score of B doesn't justify the expense of making changes to get an A.

      --
      -- Slashdot, making the Left look conservative since 1997.
    9. Re:Several big websites get poor grades by Anonymous Coward · · Score: 0

> I kinda wish that Firefox would ship by default something that grades the SSL level of the site so that banks and such get a black mark for using low quality crap.

      I kinda wish Firefox would let me look at the details of a revoked certificate so I can find out for myself why it's revoked instead of just displaying "Secure Connection Failed. Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate)" like it does. Mozilla's taken a leaf out of Microsoft's play book here (IE does the same thing).

      At least Google Chrome will let you see the properties of a broken certificate so you can find the CRL distribution point, download the CRL and use OpenSSL to confirm that yes, in fact, the certificate's serial number really is in the CA's revoked certificate list. Or that you need to go looking in a workstation's revocation lists, or the enterprise's revocation lists. Sheesh!
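
The manual procedure in the comment above (pull the certificate's serial, fetch the CRL, confirm with OpenSSL that the serial is in the revoked list) and chill's note about certificates signed with SHA-1, as an added, runnable example that is not part of the thread and not SSL Labs' own code. It assumes only a working `openssl` command line (1.1 or later). Because a real CRL download needs the network, the script first builds a throwaway CA, issues a leaf with a constructed serial (0x1A2B) and revokes it; the CA name, host name and serial are all made up for the demo. The check functions at the end work unchanged on a real certificate plus the CRL you fetched from its distribution point.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA, issue one leaf
# certificate, revoke it, then confirm from the CRL that the leaf's serial is
# listed, the way the comment above describes doing by hand with OpenSSL.
# "Example Test CA", "leaf.example" and serial 0x1A2B are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Throwaway CA and a leaf certificate issued by it with a known serial.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example Test CA" -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=leaf.example" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -sha256 -days 1 -set_serial 0x1A2B \
  -in leaf.csr -CA ca.pem -CAkey ca.key -out leaf.pem 2>/dev/null

# 2. Minimal openssl ca(1) configuration: just enough to revoke and emit a CRL.
cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database         = $WORK/index.txt
new_certs_dir    = $WORK
certificate      = $WORK/ca.pem
private_key      = $WORK/ca.key
default_md       = sha256
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
: > index.txt
openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null

# 3. The checks. Each is a function so it can be pointed at a real certificate
#    and a CRL downloaded from that certificate's CRL distribution point.

# Hex serial of a certificate, in the same format the CRL text output uses.
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# Signature algorithm the certificate was signed with: sha1WithRSAEncryption is
# what SSL Labs marks down, sha256WithRSAEncryption is what you want to see.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Succeed only if the CRL's signature verifies against the issuing CA.
# Skip this and an attacker-supplied CRL could silently "unrevoke" anything.
crl_signed_by() { openssl crl -in "$2" -noout -CAfile "$1" >/dev/null 2>&1; }

# Succeed if the certificate's serial appears in the CRL's revoked list.
serial_in_crl() {
  openssl crl -in "$1" -noout -text | grep -q "Serial Number: $(cert_serial "$2")\$"
}

# Let OpenSSL do all of it: build the chain and apply the CRL to the leaf.
verify_with_crl() {
  openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

# Demo run
echo "serial:         $(cert_serial leaf.pem)"
echo "signature alg:  $(cert_sig_alg leaf.pem)"
crl_signed_by ca.pem crl.pem && echo "CRL signature:  OK, signed by ca.pem"
if serial_in_crl crl.pem leaf.pem; then echo "CRL lookup:     serial is listed (revoked)"; fi
if verify_with_crl ca.pem crl.pem leaf.pem; then
  echo "openssl verify: valid"
else
  echo "openssl verify: rejected (certificate revoked)"
fi
```

Note the order of the last three checks: verifying the CRL's signature before trusting its contents is the step the browser error message hides from you, and `openssl verify -crl_check` only applies the CRL to the leaf, not to intermediates (use `-crl_check_all` for the whole chain).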

  5. Re: Bulletproof SSL and TLS, get it, read it, live by Anonymous Coward · · Score: 0

    I went to the farm and helped Uncle off a horse.

  6. Re: Bulletproof SSL and TLS, get it, read it, live by arglebargle_xiv · · Score: 2

    A kiwi is a creature that eats roots and leaves.

  7. Re:Bulletproof SSL and TLS, get it, read it, live by Jack+Griffin · · Score: 2

    Shhh... don't tell anyone about SSL Labs. I know next to nothing about security but am now the security expert thanks to this site.
    I can test a site, come back and throw around some security jargon about why the site isn't secure, "Oh your cipher suites appear to be incompatible, and your hashing algorithm is out of date" and customers throw money at me to fix it.
    I don't even know what half of that stuff means, but if more people know about it, I'll be forced to find real work...

  8. but do they? by Anonymous Coward · · Score: 0

sure ssllabs is nice and all, but it doesn't help anyone understand their company's ssl posture. the most it does is provide a letter grade for a public website with a bunch of arbitrary acronyms and cipher suites most don't understand to begin with.

    1. Re:but do they? by Morris+von+Habsburg · · Score: 1

      It's not about what average user of SSL Labs understands about it. That's why it uses just a couple of letter grades to communicate an overview of the findings. The most important part is that ordinary users can go to their hoster or a website owner and ask them why their site gets a 'D'. The people who run those web servers will know more about the detailed findings of SSL Labs and implement them accordingly.

A personal example. I know a thing or two about SSL/TLS but some things on the SSL Labs results page are over my head too. However, when I noticed that my own site got an 'F' (because of some old ciphers that were still accepted) I filed a ticket with my hoster. A week later they had upgraded the entire shared hosting environment and upgraded everything to an 'A'. In one fell swoop many thousands of websites had their security upgraded because I sent my hoster a detailed outcome of the SSL Labs test.

  9. Re: Bulletproof SSL and TLS, get it, read it, live by BoogieChile · · Score: 1

    The hairy nosed wombat is a creature that eats roots shoots and leaves

  10. wait a sec by iggymanz · · Score: 0

    does this wonder stuff use that openssl crap if run on posix systems?

  11. Trivia about the early days of SSL Labs by yuhong · · Score: 1

Even though it existed at this time, even SSL Labs did not bother with TLS 1.1/1.2 in the early days! SSL Labs also choked on anything stronger than 1024-bit DHE due to the use of JSSE. Of course both of these problems have long been fixed.

    1. Re:Trivia about the early days of SSL Labs by Anonymous Coward · · Score: 0

      Well, he did say that it started out as a tinker project. I think it does a pretty good job now, certainly caused me to learn a thing or two about SSL.

  12. Re:Bulletproof SSL and TLS, get it, read it, live by grep+-v+'.*'+* · · Score: 2

    I agree. And punctuation can be somewhat important as well. For example:

    Let's eat, grandma.
    Let's eat grandma.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  13. Re:Bulletproof SSL and TLS, get it, read it, live by KGIII · · Score: 1

    It's okay. The only thing I know about ModSecurity is that I should enable it when I bang out bad PHP.

    --
    "So long and thanks for all the fish."
  14. Re:Bulletproof SSL and TLS, get it, read it, live by ageoffri · · Score: 1

    Yeah, simple typo that no one can fix in the year 2015. The book is excellent.

    --
    -- Slashdot, making the Left look conservative since 1997.