
SSL Labs update increases security requirements

February 07, 2013

The SSL threat landscape has changed significantly since the rating guide was first published, back in 2009. The original text is thus no longer entirely adequate to deal with the threats of today. In addition, we now have several years of experience using the criteria in real life, and we know what works well and what does not.

Our plan is to update the rating criteria to take all this new knowledge into account. However, because that process will take several months to complete and because an update to the guide is long overdue, we have decided to publish a small patch release, labelling it 2009c. The year in the version number indicates that this is conceptually the same guide as previously published, with improvements.

Essentially, the purpose of this release is to keep the rating criteria relevant for a little while longer, until the next major version is ready. The text of the original document remains as is, but the following changes apply:

  • SSL 2.0 is not allowed (F).
  • Insecure renegotiation is not allowed (F).
  • Vulnerability to the BEAST attack caps the grade to B.
  • Vulnerability to the CRIME attack caps the grade to B.
  • The score (0-100) is not shown any more, in order to focus on the grade, which is more useful. Future versions of the guide will probably remove the score altogether.
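
The difference between "not allowed (F)" and "caps the grade to B" is easiest to see in code. The sketch below is an added illustration, not SSL Labs code: it applies the four 2009c changes on top of a grade already computed under the original guide. The `Findings` field names are hypothetical and the A to F letter scale is an assumption (the list above only names B and F).

```python
from dataclasses import dataclass

# Letter scale, best to worst (assumed; the post itself only names B and F).
GRADES = "ABCDEF"

@dataclass
class Findings:
    # Hypothetical field names for what a scan observed on the server.
    ssl2_enabled: bool = False
    insecure_renegotiation: bool = False
    beast_vulnerable: bool = False
    crime_vulnerable: bool = False

def worse(a: str, b: str) -> str:
    """Return the lower (worse) of two letter grades."""
    return a if GRADES.index(a) >= GRADES.index(b) else b

def apply_2009c(base_grade: str, f: Findings):
    """Apply the 2009c changes to a grade from the original guide.

    Returns (final_grade, reasons). A limit only ever lowers a grade:
    a server that already scores below B is not lifted to B by a cap,
    and once a hard failure sets F no later rule can improve it.
    """
    if len(base_grade) != 1 or base_grade not in GRADES:
        raise ValueError(f"unknown grade: {base_grade!r}")
    rules = [
        (f.ssl2_enabled, "F", "SSL 2.0 is not allowed"),
        (f.insecure_renegotiation, "F", "insecure renegotiation is not allowed"),
        (f.beast_vulnerable, "B", "vulnerable to BEAST"),
        (f.crime_vulnerable, "B", "vulnerable to CRIME"),
    ]
    grade, reasons = base_grade, []
    for triggered, limit, why in rules:
        if triggered:
            grade = worse(grade, limit)
            reasons.append(f"{why} (limit {limit})")
    return grade, reasons

if __name__ == "__main__":
    # Constructed sample results, not real scan data.
    samples = {
        "strong config, BEAST only": ("A", Findings(beast_vulnerable=True)),
        "weak config, BEAST + CRIME": ("C", Findings(beast_vulnerable=True, crime_vulnerable=True)),
        "strong config, SSL 2.0 on": ("A", Findings(ssl2_enabled=True, beast_vulnerable=True)),
    }
    for name, (base, findings) in samples.items():
        print(name, "->", apply_2009c(base, findings))
```
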

In addition, we've taken the opportunity to remove the old configuration advice, directing the readers to our SSL/TLS Deployment Best Practices document instead.
