Neil Turner's Blog

Blogging about technology and randomness since 2002

Testing SSL server security

SSL report from ssllabs.com

If you’re a web site administrator and have an SSL certificate, then it’s useful to know that everything is working okay. Qualys SSL Labs have their SSL Test Report, which will tell you, free of charge, how secure your site is and what you need to do to improve it.

The test can be run on any site, not just your own, but the information is of most use to server administrators. It runs a number of different tests to check that you have a verifiable certificate, and that you’re not using outdated protocols like SSL 2.0 or 3.0. Full technical details are given, as well as a summary score and grade.

You can see this site’s score in the screenshot – overall my site gets a ‘B’ grade. This is mainly because it’s possible to use the older RC4 cipher, which is quite weak when compared to newer ciphers and vulnerable to a number of attacks. There are instructions to prevent this, which involve disabling SSL compression. If I fix this, it should get an ‘A’ grade. The lowest grade is ‘F’; one server I tested got this because it was vulnerable to the POODLE attack. Test results are public unless you tick a box, and the home page shows the recent best and worst domain names.

The test takes a minute or two per domain, as it’s very thorough. It also offers information about why certain tests are important, and what the implications are if your server fails.

It’s a useful tool, and it’s great that it’s free to use. If you run an SSL-secured web site, you should definitely give this a try.
