Thursday, June 12th, 2008

TLS Report: Best and Worst Security Charts

Category: Security

The TLS Report is a new site that Benjamin Black has put together to watch over the security of major sites on the internet.

There have been services that watch the top sites for various statistics, but not security. The best and worst list has some surprises, namely:

  • Best: UBS.com, good to see a bank up there; openid.ee, good to see an OpenID provider; worldofwarcraft.com, real-time and secure
  • Worst: wachovia.com, bad to see a bank down there; usmap.cnet.navy.mi, a .mil will scare anyone; cpscontractor.nih.gov, ditto for a .gov.

Of course, there are already lots of arguments over the minutiae. A really nice service, though!

TLS Bottom 20

TLS Top 20

Posted by Dion Almaer at 7:04 am
4 Comments

3.2 rating from 25 votes


Damn nice tool to have. Big sites like Amazon, Gap, J.Crew, etc. get D’s, and some are not PCI compliant.

Good to know which online e-tailers actually care about security.

Comment by boodie — June 12, 2008

What’s dangerous about the way this is presented is that it presents the discussion of transmission crypto, as in SSL/TLS, as the overall security stance of the site. That is just the tip of the iceberg. What if the site has web application security problems? Transmission encryption simply isn’t going to save you then. We are only covering transmission here, and the PCI mention can be misleading, suggesting more unless you read the FAQ from the report site:

“pci ready means that the site complies with the letter of the pci requirements ***related to transport security.*** pci ready ***does not imply pci compliance*** and the tls report is not a certified pci auditor”

So I applaud these folks for addressing the transmission/encryption security aspect of sites; my lord, that should be solid. However, expanding that here at Ajaxian, the way this post is presented, to somehow apply to the overall security policy of the site is more than a tad bit misleading. This isn’t a minutiae question; this would be shoddy journalism as presented. Fix the post by adding some indication making it clear this is about transport encryption issues ONLY. Otherwise A’s and F’s get more weight overall for the casual reader who doesn’t understand what is actually being measured here.

So beware, fellow readers: a site with an A on TLS/SSL might be an F on app security, and low grades on transmission security might not hurt a site with solid app security much in an overall security score. While you might assume that getting SSL right is a good indicator of security, past experience has not proven that to be an actual correlation, since those who manage certs and servers don’t build the sites, particularly at larger organizations!

Comment by Thomas Powell — June 12, 2008

Thomas,

Thanks for the excellent feedback. It is quite challenging to balance between technical detail and at-a-glance utility when dealing with something as obscure as TLS, as I believe you recognize. I hope you would also agree that, although a good TLS configuration is but one aspect of securing a site, TLS configuration is rather a freebie for security in depth and so something folks really shouldn’t skip over.

Comment by benjaminblack — June 12, 2008

Ben, agreed. I think you are doing a great job with your piece of the puzzle; the issue is how the article presents what you do. It extrapolated too much (my point about the journalism) and thus obscures or dilutes the fine work you are doing on transport layer issues. That was my main point… keep doing what you do.

Comment by Thomas Powell — June 17, 2008
