Comment by fmajid

20 hours ago

Thanks for the writeup, Ivan, I am a great fan of your work!

Now we need to get Qualys to cap SSL Labs ratings at B for servers that don't support ECH. Also those that don't have HSTS and HSTS Preload while we're at it.

5 comments

fmajid

ivanr 20 hours ago

Thanks! Sadly, SSL Labs doesn't appear to be actively maintained. I've noticed increasing gaps in its coverage and inspection quality. I left quite a while ago (2016) and can't influence its grading any more, sadly.

crote 17 hours ago
Is there a well-maintained alternative to SSL Labs you can recommend?
- ivanr 17 hours ago
  
  Yes, there is! After I left SSL Labs, I built Hardenize, which was an attempt to go wider and handle more of network configuration, not just TLS and PKI. It covers a range of standards, from DNS, over email, TLS and PKI, and application security.
  Although Hardenize was a commercial product (it was acquired in 2022 by another company, Red Sift), it has a public report that's always been free. For example:
  https://www.hardenize.com/report/feistyduck.com
  The CSP inspection in Hardenize could use a refresh, but the TLS and PKI aspects are well maintained [at the time of writing].
- Bender 16 hours ago
  
  I use testssl.sh [1] mostly because I can test things not publicly accessible.
  [1] - https://github.com/testssl/testssl.sh