SSL Grade for on-premise installations is a grade that NormShield gives to any monitored URL-type asset with SSL support. The grade ranges from A to F: A is the best grade and means the asset is secure, and F is the worst grade and means it is the most insecure. The grade is calculated from the presence of the following SSL weaknesses, each of which carries its own weight:
- Hostname mismatch with the certificate CN - 16%
- Use of the insecure SHA-1 signature algorithm - 3%
- TLS compression enabled (which makes the CRIME attack possible) - 7%
- The famous (or infamous) Heartbleed weakness - 30%
- Support for SSL renegotiation, which may enable denial-of-service attacks - 6%
- Session resumption by session ID unsupported, which may cause performance problems - 6%
- Support for the weak SSLv2 protocol - 10%
- Support for the now-considered-weak SSLv3 protocol - 6%
- Support for insecure key sizes, such as export-grade RSA key sizes - 4%
- Support for anonymous cipher suites - 4%
- Support for export cipher suites - 4%
- Support for null cipher suites - 4%
Note that the weaknesses listed above carry different weights. An asset with none of them scores 100, each weakness that is present deducts its weight from that total, and the grade is then given according to Table 1.
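As an added worked example (not NormShield's own code), the following Python scores an asset the way this page describes: the weight of each weakness found is deducted from 100 and the total is mapped through the thresholds of Table 1. The weakness key names are assumed labels chosen here, and treating a score that is not above 0 as F is an assumption, since the table only lists scores bigger than 0.

```python
# Added example, not NormShield's code: SSL Grade scoring as described on this page.
# Assumptions: the key names below are labels chosen here; a score of 0 (every
# weakness present) is graded F, which Table 1 does not state explicitly.

WEIGHTS = {
    "hostname_mismatch": 16,        # hostname does not match the certificate CN
    "sha1_signature": 3,            # certificate signed with SHA-1
    "compression": 7,               # TLS compression enabled (CRIME)
    "heartbleed": 30,               # Heartbleed
    "renegotiation": 6,             # SSL renegotiation supported (DoS risk)
    "no_session_id_resumption": 6,  # ID-based session resumption unsupported
    "sslv2": 10,                    # SSLv2 offered
    "sslv3": 6,                     # SSLv3 offered
    "weak_key_size": 4,             # e.g. export-grade RSA key sizes
    "anon_ciphers": 4,              # anonymous cipher suites
    "export_ciphers": 4,            # export cipher suites
    "null_ciphers": 4,              # null cipher suites
}
assert sum(WEIGHTS.values()) == 100  # the page's weights add up to a full score

# (grade, score the total must be bigger than), from Table 1
GRADE_THRESHOLDS = [("A", 90), ("B", 80), ("C", 70), ("D", 60), ("E", 50), ("F", 0)]


def ssl_score(findings):
    """Return 100 minus the weights of the distinct weaknesses found."""
    score = 100
    for name in set(findings):  # a weakness reported twice is deducted once
        if name not in WEIGHTS:
            raise ValueError(f"unknown weakness: {name}")
        score -= WEIGHTS[name]
    return score


def ssl_grade(score):
    """Map a total score to a grade; thresholds are strict (exactly 90 is B)."""
    for grade, floor in GRADE_THRESHOLDS:
        if score > floor:
            return grade
    return "F"  # assumption: a score of 0 is still graded F


def grade_findings(findings):
    score = ssl_score(findings)
    return score, ssl_grade(score)


if __name__ == "__main__":
    # Constructed sample: a host that still offers SSLv3 and TLS compression
    print(grade_findings(["sslv3", "compression"]))  # (87, 'B')
```

Heartbleed alone drops an asset to exactly 70, which the strict "bigger than" thresholds grade as D rather than C.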
SSL Grade | Detail
A | If the total score is bigger than 90
B | If the total score is bigger than 80
C | If the total score is bigger than 70
D | If the total score is bigger than 60
E | If the total score is bigger than 50
F | If the total score is bigger than 0
Table 1 - SSL grading table