Dan Wilson

Suggestion for Report Layout

Discussion created by Dan Wilson on Oct 21, 2014
Latest reply on Oct 23, 2014 by Dan Wilson

Hi Ivan, I might make a suggestion for the SSL server test report that might clarify a few items in the "Protocols" section.


Maybe it could be split into subsections to clarify what might be most important for server administrators to work on and/or improve on their server.  And within each section, maybe order it in order of importance (what I show below is my opinion):


> Security Vulnerabilities

    - Heartbleed (vulnerability)

    - OpenSSL CCS vulnerability (CVE-2014-0224)

    - POODLE attack

    - Insecure client-initiated renegotiation

    - TLS compression / CRIME attack

    - BEAST attack

    - Secure client-initiated renegotiation


> Security Enhancements

    - Forward secrecy

    - Strict Transport Security (HSTS)

    - Secure renegotiation

    - RC4

    - Downgrade attack prevention


> Performance Enhancements

    - Session resumption (caching)

    - Session resumption (tickets)

    - Heartbeat (extension)

    - Next Protocol Negotiation / SPDY

    - OCSP stapling


> Interoperability

    - Long handshake intolerance

    - TLS extension intolerance

    - TLS version intolerance

    - SSL 2 handshake compatibility


This might also assist in crafting a more up-to-date grading/scoring mechanism, since it shows the user what's most important in terms of security.  e.g. Vulnerabilities listed in the 1st section can be responsible for lowering the grade by some amount (variable dependent on the particular vulnerability) while enhancements that are enabled in the 2nd section can be responsible for raising the grade by some smaller amount (also variable, depending on the particular enhancement).