On Fri, Jun 30, 2017 at 4:39 PM, Hanno Böck <[email protected]> wrote:

> Hi,
>
> On Fri, 30 Jun 2017 15:24:10 +0100
> Ivan Ristic <[email protected]> wrote:
>
> > Here's my new blog post about where the grading is heading:
> >
> >
> > https://blog.qualys.com/misc/2017/06/30/ssl-labs-grading-redesign-preview-1
> >
> > Happy to discuss here, but you can also leave comments on the document
> > itself.
>
> I skimmed through it.
>
> I'm happy that you'll finally make HSTS an "A" requirement. I think you
> announced this quite a while ago and I feel HSTS should get some push.
> Minor thing about A: I would suggest that AEADs should also become an
> "A" requirement. You're already requiring TLS 1.2 for an "A" and there
> isn't much else than AEADs that makes 1.2 safer than 1.1.
>

I think that makes sense. We'll try it like that (AEAD) and see what
happens when we simulate the new grading.


> Looking at the requirements for "A+" I feel you're increasing the
> requirements quite a bit, and I'm wondering if you aren't increasing
> them to insane levels and also including quite controversial
> requirements.
> To sum up for an A+ one would need among other things:
> * TLS 1.3
> * CAA
> * OCSP stapling and muststaple
> * CT and Expect-CT
> * DANE
> * CSP
>

No, you misinterpreted the text. (And you're not alone, I got the same
comment from several other people. Also I note that someone "helpfully"
changed all "+" entries to "A+"; the "A" letter is dark blue and not very
easy to spot. I've now reverted to the original. It's unfortunate that
Google Docs apparently can't enable commenting but not the ability to
suggest changes to the text.)

The "+" in the first column is just a positive signal about a particular
technology and has no grading impact. Perhaps I can express this positive
signal in a different way to avoid confusion in the future.

There is impact only when an actual grade is in the first column, for
example "A+".

The proposed new requirements for A+ are:

- Robust HSTS
- CSP used to mitigate mixed content only (further comment below)


CSP:
> Here I'm not entirely sure I understand the requirement. It says
> "Mixed content mitigated via CSP"
> Now you can use CSP to mitigate mixed content, but you don't have to.
> HSTS already does it. Wouldn't HSTS already kinda fulfil this
> requirement?
> I think CSP is a nice and underappreciated feature, but I'm not sure
> it belongs into the TLS space.
>

No, HSTS addresses only same-site mixed content, not any third-party
links. You need CSP to be sure.


--
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: [email protected]
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> ssllabs-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/ssllabs-discuss
>



-- 
Ivan
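Added example, not part of this thread and not SSL Labs code: a small Python simulation of the point Ivan makes above, that a site's own HSTS policy only upgrades requests to that host (and, with includeSubDomains, its subdomains), while third-party http:// subresources stay mixed content unless a CSP directive such as upgrade-insecure-requests or block-all-mixed-content is present. The hostnames, header values and resource list are constructed for the demo; the 180-day "robust HSTS" threshold is an assumption, since the message does not define what "robust" means; and the classification assumes the browser has already received the page's HSTS policy (either from an earlier response or the preload list).

```python
"""Which http:// subresources on an HTTPS page remain mixed content under
HSTS alone versus HSTS plus a CSP mixed-content directive (added example)."""
from urllib.parse import urlsplit

# Constructed sample headers; not taken from any real site.
SAMPLE_HSTS = "max-age=31536000; includeSubDomains; preload"
SAMPLE_CSP = "default-src 'self'; upgrade-insecure-requests"

# Constructed HTTPS page served from the apex host, referencing four resources.
PAGE_URL = "https://example.com/index.html"
SAMPLE_RESOURCES = [
    "http://example.com/app.js",               # same host as the HSTS policy
    "http://static.example.com/site.css",      # subdomain of the HSTS host
    "http://cdn.third-party.example/lib.js",   # unrelated third-party host
    "https://example.com/already-safe.png",    # already HTTPS, nothing to do
]

# Assumed threshold for "robust HSTS" (180 days); the thread does not define it.
ROBUST_HSTS_MIN_AGE = 180 * 24 * 3600


def parse_hsts(header):
    """Parse Strict-Transport-Security into a dict, or None if absent."""
    if not header:
        return None
    policy = {"max_age": 0, "include_subdomains": False, "preload": False}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                policy["max_age"] = 0  # malformed max-age: treat as no policy
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def parse_csp(header):
    """Parse Content-Security-Policy into {directive_name: [source values]}."""
    directives = {}
    for part in (header or "").split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def hsts_covers(policy, page_host, host):
    """True if the page's own HSTS policy makes the browser upgrade `host`."""
    if not policy or policy["max_age"] <= 0:
        return False
    if host == page_host:
        return True
    # includeSubDomains covers subdomains of the host that set the policy,
    # which is why the policy is served from the apex in this example.
    return policy["include_subdomains"] and host.endswith("." + page_host)


def classify_resources(page_url, hsts_header, csp_header, resource_urls):
    """Return {url: outcome} for each subresource the HTTPS page loads."""
    page_host = urlsplit(page_url).hostname
    hsts = parse_hsts(hsts_header)
    csp = parse_csp(csp_header)
    outcomes = {}
    for url in resource_urls:
        parts = urlsplit(url)
        if parts.scheme != "http":
            outcomes[url] = "secure"
        elif hsts_covers(hsts, page_host, parts.hostname):
            outcomes[url] = "upgraded by HSTS"
        elif "upgrade-insecure-requests" in csp:
            outcomes[url] = "upgraded by CSP"
        elif "block-all-mixed-content" in csp:
            outcomes[url] = "blocked by CSP"
        else:
            outcomes[url] = "mixed content"
    return outcomes


def remaining_mixed_content(page_url, hsts_header, csp_header, resource_urls):
    """URLs that would still be fetched over plain HTTP."""
    outcomes = classify_resources(page_url, hsts_header, csp_header, resource_urls)
    return [u for u, o in outcomes.items() if o == "mixed content"]


def meets_proposed_a_plus(hsts_header, csp_header):
    """The two proposed A+ conditions: robust HSTS plus CSP mixed-content
    mitigation. 'Robust' here is the assumed 180-day minimum max-age."""
    hsts = parse_hsts(hsts_header)
    csp = parse_csp(csp_header)
    robust = bool(hsts) and hsts["max_age"] >= ROBUST_HSTS_MIN_AGE
    mitigated = "upgrade-insecure-requests" in csp or "block-all-mixed-content" in csp
    return robust and mitigated


if __name__ == "__main__":
    for url, outcome in classify_resources(PAGE_URL, SAMPLE_HSTS, SAMPLE_CSP,
                                           SAMPLE_RESOURCES).items():
        print(f"{outcome:18} {url}")
    print("HSTS alone leaves:", remaining_mixed_content(PAGE_URL, SAMPLE_HSTS, "",
                                                        SAMPLE_RESOURCES))
```

Run it as a script to see the per-resource outcomes; dropping the CSP header leaves the third-party script as mixed content, and dropping includeSubDomains as well leaves the subdomain stylesheet too. In a real browser both mechanisms act at the fetch layer and either one yields an HTTPS request; the "upgraded by HSTS" versus "upgraded by CSP" split here is only attribution for illustration.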