I know, that signature check really only applies if you are buying long-lived certs, as otherwise it'll be updated in your next renewal (which is the situation we're in).
Though, you're probably right that I should upgrade it sooner (see, the scanner is working and forcing people to upgrade - including myself).
I also don't pass that test, but I don't know how to fix it. Something that bugs me about both this and the SSL Labs scanner is there's no guide to fixing problems. Obviously it's different from webserver to webserver, but I feel like at least Nginx and Apache suggestions should be there. Maybe lighttpd and whatever else kids are using nowadays.
I made this in large part because it can be so difficult to convince a non-technical stakeholder of the importance of some security aspects. With the report, this gets much easier.
I really like SSLLabs and their report, but it's really too technical to hand to a lot of people.
Further, though this isn't really explained well, there are some optional security elements like http->https redirection and HSTS that are just blips on the SSLLabs report and that I think should be given more importance.
The Simple report was meant to be a sort of executive summary, not a deep dive.
I don't think OP is saying it's too technical for him/her, OP is saying it's too technical for clients or managers who might not be technical but who are responsible for approving changes.
Like it or not, many times non-technical people are in charge of approving technical budgets and requirements.
ssllabs took > 5 mins for a couple of sites I tried, while OP's was pretty instantaneous. It gave more detail, to be fair, but in terms of trying to catalyze a decision from a non-technical decision-maker, or for a quick sanity-check, I think I'd reach for expeditedssl.com first.
Good site. I wasn't even aware of HSTS until now. Although the lack of HSTS shouldn't affect users who check the URL bar for an https connection. On the other hand, there is no reason not to add this to the configuration, since it is trivial.
Also where is firefox's HSTS cache? Can I see it? It would be interesting.
I was just trying this out on some different sites. www.amazon.com got 2/5. I tried www.whitehouse.gov and it didn't work. I went to check it and it appears their certs aren't set up properly on the CDN they are using (akamai.net). Embarrassing!
Also, most of the time, sites without a perfect forward secrecy policy are sites intended to be accessed by a very wide crowd, including people still running IE6 (and below). Sometimes you just can't push the new technologies fast enough.
The HSTS header is valuable because it prevents all future requests from the client from ever going over HTTP.
So, for example, after visiting Hacker News once, the next time you type "news.ycombinator.com" into the URL bar, your browser will simply go directly to "https://news.ycombinator.com", rather than making the initial request to "http://news.ycombinator.com" as it usually would. This ensures that all future communications between the client and server are over a secure channel.
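As an added illustration of the behaviour described in the comment above (this is not code from the scanner or from any commenter), here is a small Python model of a browser's HSTS store as RFC 6797 specifies it: the header is honoured only when received over https, the policy carries a max-age and an optional includeSubDomains flag, expired policies lapse, max-age=0 removes a policy, and a typed http:// URL for a known host is rewritten to https:// before any request is sent. Host names, header values and the clock are constructed for the example.

```python
"""Minimal model of a browser's HSTS policy store (RFC 6797).
Added example; not the scanner's code. Hosts and headers are constructed."""
import time
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsEntry:
    expires_at: float          # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


def parse_sts(value):
    """Parse a Strict-Transport-Security value into {directive: value}.
    Returns None when the header is invalid: a directive is repeated, or
    max-age is missing or not a non-negative integer (RFC 6797 section 6.1)."""
    directives = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:
            return None
        directives[name] = val
    if "max-age" not in directives or not directives["max-age"].isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


class HstsStore:
    """Per-host HSTS policies, as a browser keeps them between visits."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised
        self._entries = {}

    def process_response(self, host, scheme, headers):
        """Record the policy carried by a response. The header is trusted only
        over a secure transport; one seen on a plain-http response is ignored
        (RFC 6797 section 8.1). Returns True if the store changed."""
        if scheme != "https":
            return False
        value = next((v for n, v in headers
                      if n.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        directives = parse_sts(value)
        if directives is None:
            return False
        host = host.lower()
        if directives["max-age"] == 0:
            # max-age=0 instructs the client to forget the policy for this host
            return self._entries.pop(host, None) is not None
        self._entries[host] = HstsEntry(
            expires_at=self._now() + directives["max-age"],
            include_subdomains="includesubdomains" in directives)
        return True

    def is_hsts_host(self, host):
        """True if an unexpired policy covers host, either directly or through
        an includeSubDomains policy on a parent domain."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= self._now():
                del self._entries[candidate]    # lazily drop a lapsed policy
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite_url(self, url):
        """What the URL bar does: an http:// navigation to a known HSTS host is
        rewritten to https:// before any request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_hsts_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port is not None and parts.port != 80:
            netloc += f":{parts.port}"          # port 80 maps to the https default
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    hdr = [("Strict-Transport-Security", "max-age=31556900; includeSubDomains")]
    store.process_response("news.ycombinator.com", "https", hdr)
    print(store.rewrite_url("http://news.ycombinator.com/item?id=1"))
```

The one detail worth noticing is the scheme check in process_response: a site that sends the header only on its https responses still gets no protection for the very first plain-http visit, which is why the redirect to https matters alongside HSTS, and why the store must not learn anything from an http response that an on-path attacker could have written.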
Anyone notice how Google issues itself a certificate? For some crazy reason I see different results when I sign my own certs on my server... man, the cert issuer oligopoly sucks...
That's because Google is an intermediary CA[1]; pretty much all large institutions that use certificates for authentication are. For example, a good number of universities use internet2 as a backbone and issue themselves certs under an umbrella intermediary called InCommon.
Becoming an intermediary is hard and expensive because we want the CA system to be as secure as possible, and some security measures and auditing take money.
I know, sorry, my irony wasn't that explicit, I guess. Really, I don't see how making it hard and expensive to become a CA intermediary helps security at all; it just means we have to trust those that have money and power, rarely the best idea.
I would much rather trust people who jump through some hoops to prove they're secure than people who don't (or who routinely show that, despite the hoop jumping, they're not -- looking at you, India CCA).
By and large, the process prevents fraudulent certificates and at the cost of $5/y, I'm not horribly upset.
Would the world be a better, more perfect place if the CA system were organized differently? Maybe. But the likes of StartCOM are not the answer (predatory pricing is no bueno).
I think it depends on what you're comparing the current system with, right? I mean, sure, if it's either no hoop jumping or you have to pay some money, then you can figure the person willing to give up bucks and go through the trouble is probably a little more reliable because of that. But how is that type of system ideal or secure? Currently, SSL certs give me very little assurance that any data over the connection is not being backdoored/sniffed by whomever, that the private certs aren't compromised, etc. I think we shouldn't be trusting people because of hoops they go through, but because the system we use doesn't allow fraudulent players to stay in the game. Personally, I'd like to see it head in this direction:
How is namecoin any different? It's a pay-to-play system too. Decentralized CAs are nice and all, but what happens when a state actor gains more than 50% of the hash power and can then make their own certs at will? DNSChain is also no better than GPG-signing all your assets in the end. You still have to trust that "greg" is the "greg" that has "greg" in DNSChain and that no one has compromised "greg".
You only pass 4 out of 5 of our own test :P.