Thursday, September 4, 2014

Qualys SSL Labs - SSL Report

In my HTTPS/TLS quest, I noticed that when I ran the Qualys SSL Labs SSL Report I received an A Overall Rating for my Blogger site running TLS under CloudFlare. The report is very comprehensive, but the results are misleading if you're not paying careful attention.

You might believe that if you receive an A grade your server is secure, which is not the case. Note carefully that the report indicates it's an "SSL Report". The report applies to the transport encryption on the target site; the overall grade has little to do with the site's overall security posture. An Overall Rating of A only means your encryption is strong, your server is patched, and your web server is properly configured for TLS. In my case, unencrypted content was being sent alongside encrypted secure content. So while the secure content is strong and worthy of an Overall Rating of A, the insecure content opens up all sorts of security holes on the site. This is still a favorite tool of mine, but the rating only applies to encrypted transport, not the overall security posture of the server.
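The problem described above, unencrypted sub-resources loaded into an otherwise well-graded HTTPS page, is something SSL Labs does not look for, so it is worth checking yourself. The following is an added example, not code from the post's author or from Qualys: a small mixed-content finder that walks the HTML of a page served over HTTPS and reports every sub-resource (stylesheet, script, image, frame, form target) that would be fetched or submitted over plain http://. The page URL, host names and HTML below are constructed sample data; in practice you would feed it the HTML you fetched from your own site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a sub-resource or submit data.
URL_ATTRS = {"src", "href", "action", "data", "poster"}

# <a>/<area> href is navigation, not a sub-resource, so it is not mixed content.
NAVIGATION_TAGS = {"a", "area"}


class MixedContentFinder(HTMLParser):
    """Collects references that resolve to http:// from a page served over https://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute_url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            if tag in NAVIGATION_TAGS and name == "href":
                continue
            # Resolve relative and protocol-relative ("//cdn...") URLs against
            # the HTTPS page URL; only an explicit http:// scheme is a finding.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                self.findings.append((tag, name, absolute))


def find_mixed_content(page_url, html):
    """Return a list of (tag, attribute, url) for every insecure reference."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only meaningful for an https:// page")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: an HTTPS page with a mix of secure and insecure references.
SAMPLE_PAGE_URL = "https://blog.example/post"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/style.css">
<script src="//cdn.example/app.js"></script>
<script src="https://cdn.example/analytics.js"></script>
</head><body>
<img src="http://img.example/logo.png">
<img src="/images/local.png">
<a href="http://other.example/">plain link: navigation, not mixed content</a>
<form action="http://forms.example/submit"><input name="q"></form>
<iframe src="http://widget.example/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"<{tag} {attr}> loads insecure resource: {url}")
```

On the sample above the finder reports four insecure references (the stylesheet, the logo image, the form target and the iframe); the protocol-relative script resolves to https:// and the plain link is navigation, so neither is flagged. A finding list that is empty is what you want in addition to, not instead of, a good SSL Labs grade.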

--Milton
