Thursday, June 12th, 2008
TLS Report: Best and Worst Security Charts
The TLS Report is a new site that Benjamin Black has put together to watch over the security of major sites on the internet.
There have been services that watch the top sites for various statistics, but not security. The best and worst list has some surprises, namely:
- Best: UBS.com, good to see a bank up there; openid.ee, good to see an OpenID provider; worldofwarcraft.com, real-time and secure
- Worst: wachovia.com, bad to see a bank down there; usmap.cnet.navy.mi, a .mil will scare anyone; cpscontractor.nih.gov, ditto for a .gov.
Of course, there are already lots of arguments over the minutiae. A really nice service, though!
Damn nice tool to have. Big sites like Amazon, Gap, J.Crew etc. get D’s, and some are not PCI compliant.
Good to know which online e-tailers actually care about security.
What’s dangerous about the way this is presented is that it presents the discussion of transmission crypto, as in SSL/TLS, as the overall security stance of the site. That is just the tip of the iceberg. What if the site has web application security problems? Transmission encryption simply isn’t going to save you then. We are only covering transmission here, and the PCI mention can be misleading, suggesting more unless you read the FAQ from the report site:
“pci ready means that the site complies with the letter of the pci requirements ***related to transport security.*** pci ready ***does not imply pci compliance*** and the tls report is not a certified pci auditor”
So I applaud these folks for addressing the transmission/encryption security aspect of sites; my lord, that should be solid. However, expanding that here at Ajaxian, the way this post is presented, to somehow apply to the overall security policy of the site is more than a tad bit misleading. This isn’t a minutiae question; this would be shoddy journalism as presented. Fix the post by adding some indication making it clear this is about transport encryption issues ONLY. Otherwise A’s and F’s get more weight overall for the casual reader who doesn’t understand what is actually being measured here.
So beware, fellow readers: a site with an A on TLS/SSL might be an F on app security, and low grades on transmission security might not hurt a site with solid app security much in an overall security score. While you might assume that getting SSL right is a good indicator of security, past experience has not proven that to be an actual correlation, since those who manage certs and servers don’t build the sites, particularly at larger organizations!
Thomas,
Thanks for the excellent feedback. It is quite challenging to balance technical detail and at-a-glance utility when dealing with something as obscure as TLS, as I believe you recognize. I hope you would also agree that, although a good TLS configuration is but one aspect of securing a site, TLS configuration is rather a freebie for security in depth and so something folks really shouldn’t skip over.
Ben, agreed. I think you are doing a great job with your piece of the puzzle; the issue is how the article presents what you do. It extrapolated too much (my point about the journalism) and thus obscures or dilutes the fine work you are doing on transport layer issues. That was my main point… keep doing what you do.