SSL Server Survey: what data are we collecting?
July 02, 2010
As you may have heard by now, Qualys SSL Labs is conducting a large-scale survey of SSL servers. Naturally, the focus of such a survey is to collect as much data as possible, then mine it to obtain useful information.
This is the data we are currently looking at collecting:
Certificate information
- Common name
- Is the common name a wildcard?
- Alternative names
- Validity period (not before and not after)
- Revocation information (CRL and OCSP)
- Public key algorithm and size
- Signature algorithm
- Certificate chain: how many certificates are there in the chain?
- Certificate chain: are the chains complete and well formed?
- Certificate chain: how long is the certificate chain?
- Certificate chain: keep complete raw data for subsequent deeper analysis
- Is there support for Server Gated Cryptography (both Netscape and Microsoft flavours)?
- Validation type (DV, IV/OV, EV)
- Issuer information
- Is certificate trusted (and why not if it isn't)?
Protocol support
- SSL v2
- SSL v3
- TLS v1.0
- TLS v1.1
- TLS v1.2
Cipher suite support
- Test for all known cipher suites (200+ of them)
- Cipher suite order preference test
Other
- Test support for both insecure and secure renegotiation
- SSL session resumption support
- Debian weak-RNG key weakness
- Retrieve HTTP server signature
- Presence of the Strict Transport Security response header
- TLS version intolerance tests
- Grade, according to the SSL Rating Guide 2009
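To make the certificate and protocol items above concrete, here is a small collector written for this post as an added example; it is not the SSL Labs survey code. It uses only the Python standard library: summarize_certificate() turns the dictionary that ssl.SSLSocket.getpeercert() returns into the survey fields (common name, wildcard, alternative names, validity period, CRL/OCSP presence, issuer), and probe_protocols() records which TLS versions a server will negotiate by pinning one version per handshake. The SAMPLE_PEER_CERT dictionary is constructed for the example (no real certificate or host), and the host names are placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the layout that ssl.SSLSocket.getpeercert() returns.
# It is NOT a real certificate; every value is made up for this example.
SAMPLE_PEER_CERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "*.example.com"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example CA Intermediate"),)),
    "version": 3,
    "serialNumber": "0A1B2C3D",
    "notBefore": "Jan  1 00:00:00 2010 GMT",
    "notAfter": "Dec 31 23:59:59 2011 GMT",
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "OCSP": ("http://ocsp.example-ca.test/",),
    "crlDistributionPoints": ("http://crl.example-ca.test/intermediate.crl",),
}


def _rdn_value(name_seq, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name_seq:
        for k, v in rdn:
            if k == key:
                return v
    return None


def summarize_certificate(cert, now=None):
    """Reduce a getpeercert() dict to the survey's certificate fields.

    `now` may be a timezone-aware datetime or an ISO-8601 string; it defaults
    to the current UTC time. Certificate times are parsed with the stdlib
    helper ssl.cert_time_to_seconds(), which interprets them as UTC.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    cn = _rdn_value(cert.get("subject", ()), "commonName")
    return {
        "common_name": cn,
        "cn_is_wildcard": bool(cn) and cn.startswith("*."),
        "alt_names": [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"],
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "currently_valid": not_before <= now <= not_after,
        "days_remaining": (not_after - now).days,
        # Revocation information: does the certificate point at an OCSP
        # responder and/or a CRL distribution point at all?
        "has_ocsp": bool(cert.get("OCSP")),
        "has_crl": bool(cert.get("crlDistributionPoints")),
        "issuer": _rdn_value(cert.get("issuer", ()), "commonName"),
    }


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate with full validation (trusted chain required).

    Trust is recorded separately from the protocol probes below, which
    deliberately skip verification so that an untrusted certificate does not
    hide which protocol versions the server speaks.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Versions that can be pinned through ssl.TLSVersion. SSL v2 and v3 are not
# offered by current OpenSSL builds, so they cannot be probed this way.
PROTOCOL_VERSIONS = {
    "TLS v1.0": ssl.TLSVersion.TLSv1,
    "TLS v1.1": ssl.TLSVersion.TLSv1_1,
    "TLS v1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_protocols(host, port=443, timeout=5.0):
    """One handshake per TLS version; True means the server accepted it."""
    results = {}
    for label, version in PROTOCOL_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # survey records, it does not enforce
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[label] = True
        except (ssl.SSLError, OSError):
            results[label] = False
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, evaluated on the date
    # of this post.
    print(summarize_certificate(SAMPLE_PEER_CERT, now="2010-07-02T00:00:00+00:00"))
```

Run against a live host, fetch_peer_cert() and probe_protocols() fill in the certificate and protocol-support rows of the survey for that host; the cipher-suite, renegotiation and session-resumption items need handshake-level control that the standard library does not expose, which is why a survey tool of this kind typically drives OpenSSL directly.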