I think it was earlier this month when I came across an SSL/TLS certificate grading system that seemed very similar in idea to Google’s PageSpeed Insights. The way I understood it, the idea is simple: specify a URL for an https:// website and it’ll take a look at security aspects and possible concerns of the implementation.
Take a look: https://www.ssllabs.com/ssltest
Check some sites you commonly visit for example and see their grade :)
I personally learned a few new things and upped my certificate grades from the B-C range to A+.
The above is actually a mere fraction of the report provided by the service.
What’s SNI and how does it relate to HTTP/2?
The example report states: “This site works only in browsers with SNI support.” SNI stands for Server Name Indication and it’s GREAT!
Back in the day, before SNI, you could host a maximum of only one SSL/TLS certificate per IP address. Technically the certificate could’ve been issued covering multiple domains, but nevertheless it was very limiting for running websites as https://. With the new HTTP/2 protocol, certificates will be mandatory for pretty much all practical applications (though not by the spec), and hence SNI is going to be a BIG deal, especially for smaller sites and webhotel services.
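How SNI lets one IP address serve several certificates, as an added example that is not part of the original post: the client names the site in its first handshake message (the ClientHello), and the server reads that name before choosing a certificate. The host names and certificate labels below are constructed for illustration, and `pick_certificate` is a hypothetical stand-in for a real server's selection logic.

```python
import ssl
import struct

def client_hello(hostname):
    """Build the first TLS record a client would send (in memory, no network)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = hostname is not None  # hostname=None models a pre-SNI client
    outgoing = ssl.MemoryBIO()
    tls = ctx.wrap_bio(ssl.MemoryBIO(), outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for the server's reply
    return outgoing.read()

def sni_from_client_hello(record):
    """Return the host name in the SNI extension, or None if the client sent none."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                                # compression_methods
    if pos + 2 > len(record):
        return None                                       # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0:                                 # 0 = server_name (SNI)
            # skip list length (2), then name_type (1) and name length (2)
            name_type, name_len = struct.unpack_from("!xxBH", record, pos)
            if name_type == 0:                            # 0 = host_name
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

# Constructed mapping: two sites sharing one IP address, each with its own certificate.
CERTS = {"blog.example.test": "cert-for-blog", "shop.example.test": "cert-for-shop"}

def pick_certificate(record, default="default-cert"):
    """Choose a certificate by SNI name; clients without SNI get the default one."""
    return CERTS.get(sni_from_client_hello(record), default)

if __name__ == "__main__":
    for host in ("blog.example.test", "shop.example.test", None):
        print(host, "->", pick_certificate(client_hello(host)))
```

A client that sends no SNI always lands on the default certificate, which is why the report warns that the site works only in browsers with SNI support.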
SSL/TLS grades for a few websites
The grades in parentheses are the grades the services received from the SSL Labs test at the time of writing, on the American grading scale of A+ to F, with F meaning failing:
- Facebook.com (B)
- Google.com (B)
- LinkedIn (A)
- Twitter.com (A+)
- Changelog.com (A+) - the source of the great podcast above
Please note that running the test takes a few minutes if the results are not in the service’s cache.
Further reading on SSL/TLS
- Basics of TLS
- Detecting Certificate Authority compromises and web browser collusion
- The EFF SSL Observatory
- Letsencrypt.org - They offer FREE domain-validated certificates! Sponsored by Chrome, Firefox, Facebook, Cisco, EFF and others.