Internet SSL Server Survey at Black Hat USA 2010

July 02, 2010

Ever since starting SSL Labs, I have wanted to know and understand how SSL is deployed in real life. The only way to find out is to assess many (most?) public SSL servers. That's a lot of work, but, as with everything else, if you persist and make continuous progress you eventually get there. This survey has been in the making for about a year and a half now.

The survey consists of three major pieces:

  1. The first piece is assessment methodology, which is covered by the SSL Rating Guide. My goals for the guide were two-fold: provide a comprehensive SSL server analysis, but also make the end result easy to understand. I didn't want only SSL experts to find the guide useful.
  2. The second piece is the assessment tool, which implements the methodology. That's the SSL Labs online assessment tool, which has been running for a year now. The good aspect of doing things slowly is that it makes the end result better. This is especially true in this case, because it's one thing to read the RFCs -- making something work as expected in real life and interoperate with other implementations is much more difficult.
  3. The third and final piece is the scan of as many public SSL servers as we can find, which is what we are focusing on right now.

The first results of our study will be published at my talk at Black Hat USA 2010 later this month. The good news is that all our work will be publicly available, and that we intend to continue running the survey at regular intervals.