Recent Blog Posts

I am pleased to reveal the next step in my quest to help the world make better use of encryption; starting this September, I will teach a practical one-day SSL/TLS and PKI training course in London. The idea is to cover everything developers and system administrators need to... MORE »

In early 2009, SSL Labs was just this idea I had, born out of frustration with having to deal with a very complex subject without good documentation and tools. I wanted something that worked for me, and didn’t really anticipate that it could become as popular as it is today.... MORE »

Two days ago the DROWN vulnerability came to light, showing new ways to attack TLS. SSL Labs deployed tests for DROWN in the staging environment yesterday, and we’ll be pushing it to production shortly. Because DROWN is a tricky problem, the aim of this blog post is to provide an... MORE »

DROWN grading update

March 04, 2016

We are releasing an update to the grading criteria, version 2009l, to respond to the discovery of the DROWN attack. If a server is found to be vulnerable to DROWN it will be given an F, even though it might not support SSL v2 itself. (The nature of the DROWN... MORE »

Fascinating new research called DROWN has uncovered a previously unknown vulnerability in SSL v2, the first ever version of SSL that was released in 1995 and declared dead less than a year later. Even though this old version of SSL is not used much these days, it continues to be... MORE »

I often say that Bulletproof SSL and TLS is a living book, but what does that mean exactly? It's now been one full year since the initial release, so what better time to look back to understand the process. It turns out there is a lot of work producing a... MORE »

As part of my job working on SSL Labs, I spend a lot of time helping others improve their TLS security, both directly and indirectly–by developing tools and writing documentation. Over time, I started to notice that deploying TLS securely is getting more complicated, rather than less. One possibility is... MORE »

Earlier this week we released SSL Labs 1.17.10, whose main purpose was to increase the penalty when RC4 is used with modern protocols (i.e., TLS 1.1 and TLS 1.2). We had announced this change some time ago, and then put it in place on May 20. The same release introduced another... MORE »

Yesterday we released SSL Labs 1.17.10, whose main goal was to introduce grading adjustments we had talked about a month ago. We delivered the planned changes as well as a few additional tweaks. Our release coincided with an announcement of a new attack against TLS, called Logjam, and we had... MORE »

Yesterday, we released a new version of SSL Labs. In this blog post I'd like to quickly go over what was changed: there were a healthy number of improvements, a few fixes, and a large number of additions to the API. New features and assessment improvements: Added checks for Certificate... MORE »
