
SSL Labs Assessment Policy v2017

Ivan Ristić edited this page Nov 15, 2016 · 16 revisions

Part 1: New Grading Approach

  • Use the entire A-F range, and A+ for exceptional configuration
  • Reasonably well-configured servers get A+, A, and B.
  • Servers with problems get grades C to F.
  • Severity of a problem strongly influences the grade.

Part 2: Desired Configuration

Key and certificate:

  • Strong private key (min. 2048-bit RSA or 256-bit ECDSA)
  • Strong signature (SHA2)
  • Valid publicly-trusted certificate
  • Complete certificate chain
  • Revocation information (except for short-lived certificates)

Protocol and configuration:

  • TLS v1.2
  • 128-bit cipher suites
  • AEAD cipher suites
  • Cipher suite preference (best possible suite is negotiated)
  • Forward secrecy
  • Strong key exchange
  • Secure renegotiation
  • Session/ticket longevity

For HTTP:

  • HTTP Strict Transport Security
  • No mixed content
  • Secure session cookies
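The desired configuration above, expressed as an nginx server block. This is an added example, not part of the SSL Labs policy or its code; the hostname, file paths and resolver address are placeholders, and cipher and curve names are OpenSSL's.

```nginx
server {
    listen 443 ssl http2;
    server_name example.com;                                 # placeholder hostname

    # Key and certificate: fullchain.pem holds the leaf plus every intermediate
    # so the chain is complete; the key is 2048-bit RSA or P-256 ECDSA with a
    # SHA-2 signature from a publicly trusted CA.
    ssl_certificate     /etc/ssl/example.com/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;    # placeholder path

    # Revocation information via OCSP stapling; ssl_trusted_certificate is the
    # issuer chain nginx uses to verify the stapled response before sending it.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example.com/chain.pem;  # placeholder path
    resolver 192.0.2.53 valid=300s;                          # placeholder DNS server

    # Protocol: TLS 1.2 only. SSLv2, SSLv3 and TLS 1.0 are excluded by omission.
    ssl_protocols TLSv1.2;

    # AEAD suites, 128-bit class first, all with ECDHE for forward secrecy.
    # Server preference is enforced so the best mutually supported suite wins.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # Strong key exchange: 256-bit-class curves only; no finite-field DHE groups.
    ssl_ecdh_curve X25519:prime256v1;

    # Session longevity: bounded server-side cache. Session tickets are off
    # because nginx's default ticket key lives until restart, so a later key
    # compromise would expose every resumed session recorded in the meantime.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HTTP: HSTS on every response, error pages included ("always").
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # No mixed content and the Secure flag on session cookies are the
    # application's responsibility; they cannot be fixed from this block.
}
```

Secure renegotiation is provided by any non-ancient OpenSSL build nginx links against, so it needs no directive here.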

Part 3: Exceptional Configuration

  • Certificate Transparency
  • Must-staple
  • HSTS with a long max-age, subdomains included, and preloaded
  • Third-party mixed content is expressly forbidden via CSP
  • HPKP

Part 4: Problems

  • SSL v2
  • SSL v3 (POODLE)
  • TLS v1.0
  • Insecure renegotiation
  • BEAST
  • CRIME, TIME, BREACH
  • Lucky 13
  • RC4
  • POODLE TLS
  • FREAK
  • Logjam
  • SLOTH
  • DROWN
  • Heartbleed

Part 5: Performance, Interoperability, and Other

  • Private keys not too long
  • Server works with a wide range of clients (without compromising security)
  • Key and certificate sharing
  • Session cache sharing
  • Indicator of performance
  • Indicator of best and worst connection security, in bits