AnsweredAssumed Answered

Suggestion: Is ssltest becoming too technical and needs simplification?

Question asked by j-mailor on Feb 15, 2014
Latest reply on Mar 7, 2014 by j-mailor


ssltest is excellent, but my humble opinion it is still room for improvement in two main ways:

1. Simplification (hide non essential info).

2. Provide bonus points for users that have an excellent configuration.


As I see now ssltest is mainly positioned at web pages of poor SSL implementation. But should we only be focused in poorly designed SSL web page to become good web pages. What about excellence, what about web pages that are exceptionally good. I have tested some servers out there on the web and I see some of them have A+, but not all are the same, some are just little bit better then others, but some have a lot of additional settings, but still have the same grade A+. How to distinguish excellent from exceptional good. And is there still a room for improvements for my server having A+ setting? Is there something obvious and very easy to setup that I have missed?


Simplification should be done in a way to hide non important info (like collapsing). Details are mainly for SSL experts, but average web server administrator needs compact info and quick how to tip to solve a problem.


Bonus points immediately tell if some setting is highly important (like 1000 points if SSLv2.0 is disabled) or some setting is just minor setting (e.g. 10 points to disable SSLv3.0). Then provide grades: summing most critical settings should provide minimum setting to go above F. Sample: if having 5 critical settings then minimum 5000 points have to be made for grade is better then F. Next, if TLSv1.2 should be set then set this settings as 100 points and all of the total points less then 5100 should have grade B. Then the same logic for A and A+.


I know it is difficult to create some points like system (and you will get all sort of criticism), but such a system would constantly drive improvements, because people would suggest that some setting is more important then other, discussion is made and decision is provided which would improve the test.


I have seen many rating systems on the web and combined ideas of them to produce unique system. See proposal bellow.


From rating system should clearly seen what is good and what is bad, what can be improved and give me a quick info how can I improve the rating and improve the security.


What is your opinion?