Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ivan Ristic and SSL Labs: How One Man Changed the Way We Understand SSL

Posted by samzenpus on from the man-with-the-plan dept.

An anonymous reader writes: Ivan Ristic is well-known in the information security world, and his name has become almost a synonym for SSL Labs, a project he started in early 2009. Before that, he was mostly known for his work with OWASP and the development of the wildly popular open source web application firewall ModSecurity. While SSL Labs was something Ristic worked on in his spare time, over time it became his main focus. In fact, over the years, the project incorporated a great number of checks that are impossible to perform manually. It's a game changer because, to assess your TLS configuration, you don't need to be an expert. Read the story about the project's evolution on Help Net Security.

17 of 25 comments (clear)

  1. Bulletproof SSL and TLS, get it, read it, live it by ageoffri · · Score: 1, Interesting
    I can't recommend the book Ivan wrote on SSL and TLS. Bulletproof SSL and TLS gives a very good overview of how SSL and TLS operate, explains some of the attacks used against SSL/TLS, and gives some information on how to configure TLS.

    I also find SSL labs to be a great tool to evaluate web sites of vendors and company hosted sites.

    --
    -- Slashdot, making the Left look conservative since 1997.
  2. Re:Bulletproof SSL and TLS, get it, read it, live by beernutz · · Score: 4, Informative

    Do you mean that you can't recommend it ENOUGH? I know these kind of corrections can seem pedantic, but the omission of a word in this case completely changes the meaning.

    --
    (stolen from DaBum) I am dyslexia of borg - your ass will be laminated.
  3. Re: Bulletproof SSL and TLS, get it, read it, live by Anonymous Coward · · Score: 1

    No it does.

  4. Several big websites get poor grades by jonwil · · Score: 1

    Why is it that Google (a company that no doubt employs some very smart people) cant fix google.com (one of the most popular sites on the entire internet) so it gets an A grade from this SSL test?
    YouTube (another Google asset) also gets a similarly poor grade.

    In fact every Google-owned domain I tested ALL get the B grade. Does Google not have any people on staff who understand SSL security?

    1. Re:Several big websites get poor grades by chill · · Score: 1

      If you click on one of the reported IP addresses it tells you what the issues are. In Google's case it is still accepting SSL v3 and a couple of certificates signed with SHA1.

      --
      Learning HOW to think is more important than learning WHAT to think.
    2. Re:Several big websites get poor grades by watermark · · Score: 4, Informative

      IE6 and some other older OSes don't support the new stuff (tm). The very fact that they even support the old stuff (tm) gives them a lower rating. They are a company that profits on Everyone being able to access the site, which unfortunately, somewhat compromises the security of everyone else.

    3. Re:Several big websites get poor grades by arglebargle_xiv · · Score: 1

      Why is it that Google (a company that no doubt employs some very smart people) cant fix google.com (one of the most popular sites on the entire internet) so it gets an A grade from this SSL test?

      The test is somewhat subjective. For example when I checked at one point if you used triple DES, a strong, unbroken cipher, you got marked down, but if you bought your cert from a CA that's been caught issuing fake certs, was pwned by (allegedly) Iranian hackers, or is run by the Chinese military, you were regarded as OK. The site provides a good service overall, but some of the criteria it applies are pretty subjective.

    4. Re:Several big websites get poor grades by operagost · · Score: 1

      If I'm running a website, I don't care if some fool running a 10 year old browser can't hit my site. I might not even want him to.

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    5. Re:Several big websites get poor grades by ageoffri · · Score: 1

      It is all about risk management. SSL Labs takes a very pessimistic view on the technical implementation of SSL/TLS. Many times the risk when you have a score of B, doesn't justify the expense of making changes to get an A.

      --
      -- Slashdot, making the Left look conservative since 1997.
  5. Re: Bulletproof SSL and TLS, get it, read it, live by arglebargle_xiv · · Score: 2

    A kiwi is a creature that eats roots and leaves.

  6. Re:Bulletproof SSL and TLS, get it, read it, live by Jack+Griffin · · Score: 2

    Shhh... don't tell anyone about SSL Labs. I know next to nothing about security but am now the security expert thanks to this site.
    I can test a site, come back and throw around some security jargon about why the site isn't secure, "Oh your cipher suites appear to be incompatible, and your hashing algorithm is out of date" and customers throw money at me to fix it.
    I don't even know what half of that stuff means, but if more people know about it, I'll be forced to find real work...

  7. Re: Bulletproof SSL and TLS, get it, read it, live by BoogieChile · · Score: 1

    The hairy nosed wombat is a creature that eats roots shoots and leaves

  8. Trivia about the early days of SSL Labs by yuhong · · Score: 1

    Even though it existed at this time, even SSL Labs did not bother with TLS 1.1/1.2 in the early days! SSL Labs also choked on anything stronger than 1024-bit DHE due to the use of JSSE. Of course both of these problems has been long fixed.

  9. Re:Bulletproof SSL and TLS, get it, read it, live by grep+-v+'.*'+* · · Score: 2

    I agree. And punctuation can be somewhat important as well. For example:

    Let's eat, grandma.
    Let's eat grandma.

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
  10. Re:but do they? by Morris+von+Habsburg · · Score: 1

    It's not about what average user of SSL Labs understands about it. That's why it uses just a couple of letter grades to communicate an overview of the findings. The most important part is that ordinary users can go to their hoster or a website owner and ask them why their site gets a 'D'. The people who run those web servers will know more about the detailed findings of SSL Labs and implement them accordingly.

    A personal example. I know a thing or two about SSL/TLS but some things on the SSL Labs results page are over my head too. However, when I noticed that my own site got an 'F' (because of some old cyphers that were still accepted) I filed a ticket with my hoster. A week later they had upgraded the entire shared hosting environment and upgraded everything to an 'A'. In one fell swoop many thousands of websites had their security upgraded because I sent my hoster a detailed outcome of the SSL Labs test.

  11. Re:Bulletproof SSL and TLS, get it, read it, live by KGIII · · Score: 1

    It's okay. The only thing I know about ModSecurity is that I should enable it when I bang out bad PHP.

    --
    "So long and thanks for all the fish."
  12. Re:Bulletproof SSL and TLS, get it, read it, live by ageoffri · · Score: 1

    Yeah, simple typo that no one can fix in the year 2015. The book is excellent.

    --
    -- Slashdot, making the Left look conservative since 1997.