If you haven’t tried the SSL Labs site analyzer against your own property, check it out. Ivan Ristić has conjured up an excellent tool that examines the characteristics of your SSL site against several metrics and then gives your site a grade. If you aren’t a cryptographer (or crypto-groupie) and don’t have time to learn which ciphers are best, if your certificate chain is broken, or you just want to know “Hey, are we good? I got stuff to do,” then the Ristić site analyzer is for you.
As a control test, here’s the report against a brand new apache2/mod_ssl site using all the defaults with a self-signed certificate. Let’s see how the analyzer grades it.
Okay, that definitely tells you something, doesn't it? I haven't seen a grade this bad since I bombed out of Electromagnetism II in college. The F in this example is handed out because the certificate is self-signed: nobody a browser already trusts has vouched for it, so there is no third-party trust and the analyzer zeroes the overall score no matter how good the crypto underneath is. Apart from that, the latest Apache2 (2.2.14) is actually pretty tight: over 80 (a B+, if you like) for each of protocol support, key exchange and cipher strength.
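To see why a site can score in the 80s on every crypto component and still get an F, here is an added illustration of how the SSL Labs grade is assembled. This is not SSL Labs' own code; the weights (protocol support 30%, key exchange 30%, cipher strength 40%), the per-component scoring bands, the letter-grade cut-offs and the rule that an untrusted, mismatched or expired certificate zeroes the score are taken from the published SSL Server Rating Guide, and the three site profiles at the bottom are constructed for the example rather than copied from the reports in this post.

```python
# Added example: an SSL Labs-style grade calculator, not SSL Labs' code.
# Scoring bands and weights follow the published SSL Server Rating Guide.

PROTOCOL_SCORES = {"SSLv2": 0, "SSLv3": 80, "TLSv1.0": 90, "TLSv1.1": 95, "TLSv1.2": 100}
KEY_EXCHANGE_BANDS = ((512, 20), (1024, 40), (2048, 80), (4096, 90))  # (below N bits, score)
CIPHER_BANDS = ((1, 0), (128, 20), (256, 80))                          # (below N bits, score)
GRADE_BANDS = ((80, "A"), (65, "B"), (50, "C"), (35, "D"), (20, "E"))  # below 20 is an F


def protocol_score(protocols):
    """Average of the best and the worst protocol the server will negotiate."""
    scores = [PROTOCOL_SCORES[p] for p in protocols]
    return (max(scores) + min(scores)) / 2


def key_exchange_score(key_bits, anonymous=False):
    """Score for the server key / DH parameter size; anonymous DH scores 0."""
    if anonymous:
        return 0
    for limit, score in KEY_EXCHANGE_BANDS:
        if key_bits < limit:
            return score
    return 100


def _cipher_bits_score(bits):
    for limit, score in CIPHER_BANDS:
        if bits < limit:
            return score
    return 100


def cipher_strength_score(cipher_bits):
    """Average of the strongest and the weakest cipher the server accepts."""
    return (_cipher_bits_score(max(cipher_bits)) + _cipher_bits_score(min(cipher_bits))) / 2


def letter_grade(score):
    for threshold, letter in GRADE_BANDS:
        if score >= threshold:
            return letter
    return "F"


def grade_site(profile):
    """Weight the three components 30/30/40, then apply the certificate checks.

    A self-signed/untrusted, mismatched or expired certificate zeroes the
    overall score, which is why a site whose crypto scores in the 80s can
    still come out with an F.
    """
    p = protocol_score(profile["protocols"])
    k = key_exchange_score(profile["key_bits"], profile.get("anonymous_dh", False))
    c = cipher_strength_score(profile["cipher_bits"])
    overall = (30 * p + 30 * k + 40 * c) / 100  # integer weights keep the result exact

    issues = []
    if not profile.get("cert_trusted", True):
        issues.append("certificate not trusted (self-signed or unknown CA)")
    if not profile.get("cert_name_matches", True):
        issues.append("certificate name does not match the host")
    if profile.get("cert_expired", False):
        issues.append("certificate expired or not yet valid")
    if issues:
        overall = 0

    return {"protocol": p, "key_exchange": k, "cipher_strength": c,
            "score": overall, "grade": letter_grade(overall), "certificate_issues": issues}


# Constructed profiles, not the real reports from the post.
# A fresh mod_ssl install: SSLv3/TLS 1.0, 2048-bit RSA key, 128- and
# 256-bit ciphers only, and a self-signed certificate.
APACHE_DEFAULT_SELF_SIGNED = {"protocols": ["SSLv3", "TLSv1.0"], "key_bits": 2048,
                              "cipher_bits": [128, 256], "cert_trusted": False}
# The same server after a CA-signed certificate is installed.
APACHE_DEFAULT_CA_SIGNED = dict(APACHE_DEFAULT_SELF_SIGNED, cert_trusted=True)
# A neglected server that still allows SSLv2 and 40-bit export ciphers.
LEGACY_SITE = {"protocols": ["SSLv2", "SSLv3", "TLSv1.0"], "key_bits": 1024,
               "cipher_bits": [40, 128, 256]}

if __name__ == "__main__":
    for name, profile in (("self-signed", APACHE_DEFAULT_SELF_SIGNED),
                          ("CA-signed", APACHE_DEFAULT_CA_SIGNED),
                          ("legacy", LEGACY_SITE)):
        r = grade_site(profile)
        print(f"{name:12s} grade {r['grade']} score {r['score']:5.1f} "
              f"(protocol {r['protocol']}, kx {r['key_exchange']}, cipher {r['cipher_strength']})")
        for issue in r["certificate_issues"]:
            print(f"{'':12s}   ! {issue}")
```

Run it and the self-signed profile prints an F with a score of 0 even though its three components are 85, 90 and 90; swap in a trusted certificate and the very same server is an A at 88.5. The legacy profile shows the other direction: a trusted certificate does not rescue a server that still speaks SSLv2 and export ciphers, because the worst protocol and the weakest cipher drag each average down to a C.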
Let’s take a look at the world’s most popular (non-search) website. How does it score?
According to the analyzer, the Facebook site certificate is perfect and its crypto is grade A all the way. I think the analyzer is taking points off because Facebook might be accepting client-initiated SSL renegotiations, which would leave a non-accelerated site vulnerable to the famous Renegotiation DoS. Hardware acceleration mitigates that problem, as does this iRule.
Thinking of testing your own site? All you have to do is visit the Qualys SSL Labs SSL Server Test page and enter your hostname. Note that your site's report will be listed publicly unless you tick the 'Do not show the results on the boards' checkbox. If you are expecting a bad grade, check that box before you run the test! Otherwise you might hang out your dirty SSL laundry for all to see.
Disclaimer: Qualys is an F5 partner and I consider Ivan Ristić to be a solid, stand-up guy (we did a panel together last week at InfoSec Europe).