
SSL Labs in 2016 and Beyond - mostafah
https://blog.qualys.com/ssllabs/2016/05/16/ssl-labs-in-2016-and-beyond
======
nailer
We love you Ivan!

'Bulletproof SSL and TLS' joins 'The Illustrated Network' and the 'Unix and
Linux System Administration Handbook' as the 'if you're going to read one
book' book for its topic. Which is a massive achievement.

Random question from another HN thread: did a 4096 bit RSA used to be required
to get A+?

~~~
ivanr
Thanks! (No, 4096-bit RSA has never been required for A+.)

~~~
blfr
It used to be for 4x100 though.

~~~
ivanr
It might still be, but the per-category scores are no longer shown. (You can
infer the values from the chart.) There's also a per-report score that is not
shown any more either. That's because those scores are not really important;
only the letter grade is.

The grading criteria should be tweaked (it's on the todo list still) not to
favour "too much" security because that affects site performance. It's not
easy having one grading approach for all sites.

------
dijit
SSL labs is brilliant and I've thought about 'why do qualys do this, what are
they trying to sell.' I mean. You can't do anything meaningful with the data
that you couldn't have done with automated scanning.

It has definitely made me remember the brand in a fond way, service above
profit is something I respect a lot and if they had something I need I would
consider them above cheaper competitors.

~~~
ivanr
Having been on the inside, everyone at Qualys simply loved SSL Labs in the
same way everyone else did. There's never been an agenda for it, only "it's
good for security so we'll keep supporting it".

There's a funny story about how SSL Labs ended up at Qualys, by the way. After
accepting the job (to do something else not related to SSL/TLS), I showed SSL
Labs to the CEO, Philippe Courtot. He loved it and wanted it. I offered it to
him purely because I thought it would be too big for a hobby project; I didn't
want a serious distraction from my day job :)

~~~
yuhong
Trivia: Even SSL Labs was limited to TLS 1.0 and 1024-bit DHE in the early
days, because they themselves used JSSE.

~~~
antod
If it was JSSE, from memory it was probably only 768-bit DHE. I think that only
changed with Java 8.

~~~
yuhong
Yes, but I am talking about client not server.

------
jvehent
Ivan Ristic has done a remarkable service to the Internet with SSLLabs and
ModSecurity, and he has done so with a fantastically positive attitude all
throughout. Thank you Ivan, I'll be curious to see what you come up with next
;)

------
nodesocket
Kudos Ivan. I use SSL Labs regularly, and it's been a very important tool in
my ops tool chain. Best of luck in the future.

------
jlgaddis
Thanks for SSL Labs, Ivan, and best of luck to you in your new endeavor/role!

------
tmd83
Haven't even thought about what Qualys does or why they are doing this for
free, just went to the site anytime I needed to verify SSL configuration
status.

Such a fabulous service without asking for anything in return. Such a
tremendous contribution in raising awareness and enabling people to make
their configurations more secure.

------
aw3c2
Aaaah, there is no link to [https://www.qualys.com/](https://www.qualys.com/)
or [https://www.ssllabs.com/](https://www.ssllabs.com/) anywhere on this blog!

~~~
ivanr
You're right, sorry! I've added a couple of links now. I spent so much time
thinking about what I was going to write that I forgot to think about anything
else :)

------
paulirwin
This post made me realize the human effort behind all of these tools that I
use and love like SSL Labs but I take for granted. Thank you for your work and
to all the other free tool authors that go unrecognized.

------
calvins
I'm also a happy user of SSL Labs and reader of Bulletproof SSL and TLS. One
very cool thing about the book is that if you purchase the hard copy (I got it
from Amazon, for example), they'll email you epub, PDF, and web versions for
free. The web version is perfect for reference at work. And the book gets
updates too ([http://blog.ivanristic.com/2015/08/bulletproof-maintenance.h...](http://blog.ivanristic.com/2015/08/bulletproof-maintenance.html)).

Thanks Ivan!

------
djhworld
I went on a training course given by Ivan last year, it definitely improved my
understanding of HTTPS/SSL, great effort all round.

------
rsajan
Thank you Ivan. Over the last many years - when it came to SSL/TLS and web
security questions - so often I found a solution in one of your blog posts or
forum comments. I can't wait to read your book. All the best.

