Get graded on your website SSL/TLS certificate implementation

Not all SSL/TLS implementations are the same

Posted by Janne Cederberg on January 27, 2016
Category: webdev

I think it was earlier this month that I came across an SSL/TLS certificate grading system that seemed very similar in idea to Google’s PageSpeed Insights. The way I understood it, the idea is simple: you specify the URL of an https:// website and it takes a look at the security aspects and possible concerns of the implementation.

Take a look:

Check some sites you commonly visit, for example, and see their grade :)

I personally learned a few new things and upped my certificate grades from the B-C range to A+.

Partial example of SSL/TLS grading result

The above is actually a mere fraction of the report provided by the service.

What’s SNI and how does it relate to HTTP/2?

The example report states: “This site works only in browsers with SNI support.” SNI stands for Server Name Indication and it’s GREAT!

Back in the day, before SNI, you could serve only one SSL/TLS certificate per IP address (and port), because the server had to pick the certificate before it knew which hostname the client wanted. Technically the certificate could have been issued to cover multiple domains, but it was nevertheless very limiting for running websites over https://. With the new HTTP/2 protocol, certificates will be mandatory for pretty much all practical applications (though not by the spec), and hence, especially for smaller sites and web hosting services, SNI is going to be a BIG deal.

You may also want to listen to Google’s Ilya Grigorik talk about the HTTP/2 protocol on the Changelog podcast:

SSL/TLS grades for a few websites

The grades in parentheses are the grades the services received from the SSL Labs test at the time of writing, on the American grading scale of A+ to F, with F meaning failing:

Please note that running the test takes a few minutes if the results are not in the service’s cache.

Further reading on SSL/TLS