'Bulletproof SSL and TLS' joins 'The Illustrated Network' and the 'Unix and Linux System Administration Handbook' as the 'if you're going to read one book' book for its topic. Which is a massive achievement.
Random question from another HN thread: did a 4096-bit RSA key use to be required to get A+?
It might still be, but the per-category scores are no longer shown. (You can infer the values from the chart.) There's also a per-report score that is not shown any more either. That's because those scores are not really important; only the letter grade is.
The grading criteria should be tweaked (it's on the to-do list still) not to favour "too much" security, because that affects site performance. It's not easy having one grading approach for all sites.
SSL Labs is brilliant, and I've thought about "why do Qualys do this, what are they trying to sell?" I mean, you can't do anything meaningful with the data that you couldn't have done with automated scanning.
It has definitely made me remember the brand in a fond way; service above profit is something I respect a lot, and if they had something I need I would consider them above cheaper competitors.
Having been on the inside, everyone at Qualys simply loved SSL Labs in the same way everyone else did. There's never been an agenda for it, only "it's good for security so we'll keep supporting it".
There's a funny story about how SSL Labs ended up at Qualys, by the way. After accepting the job (to do something else not related to SSL/TLS), I showed SSL Labs to the CEO, Philippe Courtot. He loved it and wanted it. I offered it to him purely because I thought it would be too big for a hobby project; I didn't want a serious distraction from my day job :)
Ivan Ristic has done a remarkable service to the Internet with SSLLabs and ModSecurity, and he has done so with a fantastically positive attitude all throughout. Thank you Ivan, I'll be curious to see what you come up with next ;)
Haven't even thought about what Qualys does or why they are doing this for free, just went to the site anytime I needed to verify SSL configuration status.
Such a fabulous service without asking for anything in return. Such a tremendous contribution in raising awareness and enabling people to make their configurations more secure.
You're right, sorry! I've added a couple of links now. I spent a lot of time thinking about what I was going to write that I forgot to think about anything else :)
This post made me realize the human effort behind all of these tools that I use and love, like SSL Labs, but take for granted. Thank you for your work, and to all the other free tool authors who go unrecognized.
I'm also a happy user of SSL Labs and reader of Bulletproof SSL and TLS. One very cool thing about the book is that if you purchase the hard copy (I got it from Amazon, for example), they'll email you epub, PDF, and web versions for free. The web version is perfect for reference at work. And the book gets updates too (http://blog.ivanristic.com/2015/08/bulletproof-maintenance.h...).
Thank you Ivan. Over the last many years - when it came to SSL/TLS and web security questions - so often I found a solution in one of your blog posts or forum comments. I can't wait to read your book. All the best.