Recent Blog Posts

As part of my job working on SSL Labs, I spend a lot of time helping others improve their TLS security, both directly and indirectly–by developing tools and writing documentation. Over time, I started to notice that deploying TLS securely is getting more complicated, rather than less. One possibility is... MORE »

Earlier this week we released SSL Labs 1.17.10, whose main purpose was to increase the penalty when RC4 is used with modern protocols (i.e., TLS 1.1 and TLS 1.2). We had announced this change some time ago, and then put in place on May 20. The same release introduced another... MORE »

Yesterday we released SSL Labs 1.17.10, whose main goal was to introduce grading adjustments we had talked about a month ago. We delivered the planned changes as well as a few additional tweaks. Our release coincided with an announcement of a new attack against TLS, called Logjam, and we had... MORE »

Yesterday, we released a new version of SSL Labs. In this blog post I'd like to quickly go over what was changed: there were a healthy number of improvements, a few fixes, and a large number of additions to the API. New features and assessment improvements: Added checks for Certificate... MORE »

Nobody wants to use RC4. This well known stream cipher would have been retired long time ago if it weren't for several critical problems in SSL and TLS, problems that affect block ciphers only–for example, BEAST, Lucky 13, and POODLE. So RC4 ended up being the lesser evil. Take BEAST,... MORE »

Today we’re releasing the second edition of OpenSSL Cookbook, Feisty Duck's free OpenSSL book. This edition is a major update, with some improvements to the existing text and new content added. The new edition has about 95 pages, an increase of about 35 pages. Here’s a brief overview of what’s... MORE »

Officially, Apache Security—my first book—came to life in March 2005, when it was published by O'Reilly. But its life started earlier; in May 2004, I left my steady job in a pursuit of a more exciting future. Or perhaps a future in which I'd be spending more time doing what... MORE »

In the end-of-year post last month, I mentioned that SSL Labs APIs had been made available for early access. What that meant was that we wanted some people to have a look at our APIs and play with the open source reference client, but otherwise didn't want everyone to come... MORE »

From the SSL/TLS perspective, 2014 was quite an eventful year. The best way to describe what we at SSL Labs did is we kept running to stay in the same place. What I mean by this is that we spent a lot of time reacting to high profile vulnerabilities: Hearbleed,... MORE »

POODLE bites TLS

December 08, 2014

There’s a new SSL/TLS problem being announced today and it’s likely to affect some of the most popular web sites in the world, owing largely to the popularity of F5 load balancers and the fact that these devices are impacted. There are other devices known to be affected, and it’s... MORE »

View all posts »