
SSL Labs Grading Redesign (Preview 1)

June 30, 2017

We’re excited to share with you the first preview of our next-generation grading. A redesign has been long overdue, but for lack of time we have instead kept patching the first-generation grading to keep it current. Now, finally, we’re taking the necessary steps to modernise how we grade servers based on our assessments.

Grading Redesign Goals

Before I show you the new version of the grading, I’d like to explain what we set out to achieve:

  • Cleanup. SSL Labs grading was initially designed around numerical scores in several categories (for example, protocol support, key exchange, and cipher strength). That approach worked for a period of time, back when most cryptographic elements appeared to be relatively secure. The scoring system is still employed at the core, but it’s now largely obsolete and complicates the work.
  • Simplification and assessment decoupling. Our new goal is to make it easier to understand how grading is done and, perhaps more importantly, to enable others to replicate our results. In other words, we wish to decouple the grading logic from our assessment implementation, so that anyone with equivalent assessment data can compute the same grade.
  • Meaningful grades. Although the A–F grading we have in place works well, we’re not making full use of the entire grade range. Additionally, the grades don’t have defined meanings, which makes it more difficult to keep the grading approach consistent over time.
  • Even better security. Finally, we wish the next major update to push security forward by raising the bar for what earns a good grade. This is something we’ve been doing regularly over the years, and this time is not going to be an exception.

Preview 1 Reveal

Without further ado, we’re releasing Preview 1 as a public Google Document with commenting enabled:

The focus of this release is the grading algorithm concept (i.e., how rules are defined, specified, and processed). Although the rules themselves resemble what will actually become the next-generation criteria, they haven’t been fully tuned. In fact, our next step will be to specify the grading storage formats and build a proof-of-concept tool that compares the grades produced by the current algorithm with those produced by the future version. We intend to use this tool to refine the grades over the following months.

If it’s the criteria only that you’re interested in, please refer to my earlier blog post on this topic.

MY BOOK: If you like this blog post, you will love Bulletproof TLS and PKI. For system administrators, developers, and IT security professionals, this book provides comprehensive coverage of the ever-changing field of SSL/TLS and Internet PKI and will teach you everything you need to know to protect your systems from eavesdropping and impersonation attacks. It’s available now.