Actually implement rating of the gathered information

[BenBE]

The system should assign a grade based on the information gathered.

[BenBE]

Some initial thoughts on a possible rating system:

Generic SSL Rating Guide
========================

Rating Categories:
1. Certificate
2. Protocol Support
3. Feature Support
4. Key Exchange
5. Cipher Strength

Certificate
-----------

1.1 Certificate Encoding:

    -3 Points for v1
    -1 Point for v2
    +1 Point for v3

    -10 Points if the Certificate Encoding is malformed (Generic Decoding Problem)
    -5 Points if the Certificate Encoding is BER or CER instead of DER

1.2 Validity Period

    -1 Point if the certificate is not yet valid
    -1 Point if the certificate is no longer valid (expired)

    -1 Points if the certificate has expired for more than 1 week (7*86400 seconds)
    -5 Points if the certificate has expired for more than 1 month (30*86400 seconds)
    -10 Points if the certificate has expired for more than 3 months (3*30*86400 seconds)

    +1 Point if the certificate has been valid for more than 1 month (30*86400 seconds)
    +1 Point if the certificate has been valid for more than 3 months (3*30*86400 seconds)

    +1 Point if the certificate is still valid for more than 1 month (30*86400 seconds)
    +1 Point if the certificate is still valid for more than 3 months (3*30*86400 seconds)

    +1 Point if the certificate is valid (overall) for 6 months or more (6*30*86400 seconds)
    +1 Point if the certificate is valid (overall) for 1 year or more (365*86400 seconds)
    +1 Point if the certificate is valid (overall) for 2 years or more (2*365*86400 seconds)

    -1 Point if the certificate is valid (overall) for more than 37 months (37*30*86400 seconds)

1.3 Certificate Revokation

    +1 Point if the certificate contains information for CRL retrieval
    +1 Point if the certificate is not revoked according to the CRL

    +1 Point if the certificate contains information for OCSP checking
    +1 Point if the certificate is not revoked according to recent OCSP response

    -50 Points if the certificate is revoked according to the CRLs or OCSP

1.4 Certificate Chain

    +1 Point if the certificate is valid for the tested domain

    For each of the following root certificate providers:
        Mozilla Foundation (Firefox, Firefox LTS)

        Microsoft Windows XP (SP0, SP1, SP2, SP3)
        Microsoft Windows Vista (SP0, SP1)
        Microsoft Windows 7 (SP0, SP1, SP2)
        Microsoft Windows 8
        Microsoft Windows 8.1

        Arch
        CentOS
        Debian GNU/Linux (oldstable, stable, testing, unstable, experimental)
        Fedora
        Gentoo
        RedHat (RHEL 5, 6, 7)
        Ubuntu GNU/Linux (LTS 12.04, 12.10, 13.04, 13.10, LTS 14.04, 14.10)
        (Further distributions according to Distrowatch)

        (virtual) Collective Root (containing all the trust anchors above)
        (virtual) Untrusted Root (same as Collective Root, but including all roots of non-self-signed chains ever seen)
    Check the following points:
        +1 Point if the certificate can be chained to at least one root
        +1 Point for each found chain if the certificate chain is complete (i.e. is not transient-valid)
        +1 Point for each found chain if the certificate chain can be successfully validated
        -1 Point for each found chain if the certificate chain is transient-valid
        0 Points for each found chain if the certificate chain re-supplies the trust anchor (remark to user)
    Divide the sum of the previous score by the number of distinct chains found, counting a chaining-failure as ONE chain per pool
    -1 Points if the only found chain re-supplies the trust anchor

    For each distinct certificate in all found chains:
        -5 Points if the certificate signature uses SHA-0 or anything worse
        -4 Points if the certificate signature uses MD0
        -3 Points if the certificate signature uses MD2
        -2 Points if the certificate signature uses MD4
        -1 Point if the certificate signature uses MD5
        +1 Point if the certificate signature uses RIPE-MD160
        +1 Point if the certificate signature uses SHA1
        +2 Points if the certificate signature uses SHA2-224
        +3 Points if the certificate signature uses SHA2-256
        +4 Points if the certificate signature uses SHA2-384
        +5 Points if the certificate signature uses SHA2-512
        +5 Points if the certificate signature uses Whirlpool
        +5 Points if the certificate signature uses SHA3-512 (Keccak)
    N Points are additionally awarded according to the WORST rating found of all distinct, non-root certificates in all found chains
    (Note: A certificate A is included if it is NOT the root of at least one chain, or the leaf in case of a self-signed certificate)

    For each disctinct certificate in all found chains:
        -5 Points if the certified key uses RSA 256 or worse
        -4 Points if the certified key uses RSA 512 or worse
        -3 Points if the certified key uses RSA 768 or worse
        -2 Points if the certified key uses RSA 1024 or worse
        -1 Points if the certified key uses RSA 1536 or worse
        -1 Point if the certified key uses RSA 2047 or worse
        +1 Point if the certified key uses RSA 3072 or better
        +2 Points if the certified key uses RSA 4096 or better
        +3 Points if the certified key uses RSA 8192 or better
        +4 Points if the certified key uses RSA 16384 or better
        +5 Points if the certified key uses RSA 32768 or better
        -1 Point if the certified key uses RSA with a small public exponent (e < 65537)
        -5 Points if the certified key is a Debian Weak Key
        -10 Points if the certificate key uses RSA with public exponent (e = 1)

        -5 Points if the certified key uses DSA 512 or worse
        -4 Points if the certified key uses DSA 768 or worse
        -3 Points if the certified key uses DSA 1024 or worse
        -2 Points if the certified key uses DSA 1536 or worse
        -1 Point if the certified key uses DSA 2047 or worse
        +1 Point if the certified key uses DSA 3072 or better
        +2 Points if the certified key uses DSA 4096 or better
        +3 Points if the certified key uses DSA 8192 or better
        +4 Points if the certified key uses DSA 16384 or better
        +5 Points if the certified key uses DSA 32768 or better

        +1 Point if the certified key uses ECDSA
        +1 Point if the certified key uses a known curve
        +1 Point if the certified key uses a non-NIST curve
        +1 Point if the certified key uses a StrongCurve (according to strongcurve.cr.yp.to)
    N Points are additionally awarded according to the WORST rating found of all distinct, non-root certificates in all found chains
    (Note: A certificate A is included if it is NOT the root of at least one chain, or the leaf in case of a self-signed certificate)

1.5 Certificate Policy

    +1 Point if the certificate contains a known EV policy marker

Protocol Support
----------------

2.1 Offered Protocol Versions

    -5 Points if SSL Version 1 is offered
    -5 Points if SSL Version 2 is offered
    -3 Points if SSL version 3 is offered
    0 Points if TLS version 1.0 is offered
    +1 Point if TLS version 1.1 is offered
    +1 Point if TLS version 1.2 is offered
    +1 Point if TLS version 1.3 or newer is offered

2.2 Negotiable Protocol Versions

    -10 Points if SSL version 1 can be negotiated
    -10 Points if SSL version 2 can be negotiated
    -5 Points if SSL version 3 can be negotiated
    0 Points if TLS version 1.0 can be negotiated
    +1 Point if TLS version 1.1 can be negotiated
    +2 Points if TLS version 1.2 can be negotiated
    +3 Points if TLS version 1.3 can be negotiated

2.3 Version Intolerances

    For each version intolerance of an implementation award -1 Point if the intolerance exists, or +1 Point if it doesn't

Feature Support
---------------

3.1 SNI support

    +1 Point if SNI is supported

3.2 Eliptic Curve support

    +1 Point if ECC is supported

3.3 Transport Layer Compression

    -1 Point if TLS compression is supported

3.4 OCSP Stapling

    +1 Point if OCSP stapling is supported
    +1 Point if OCSP stapling returns a response
    +1 Point if OCSP stapling returns a verifyable response
    -1 Point if no stapled OCSP response was given on a connection authenticated with a certificate mising the AIA extension

3.5 Strict Transport Security

    +1 Point if HSTS is offered
    +1 Point if HSTS lasts for more than 1 month (30*86400)
    +1 Point if HSTS lasts for more than 3 months (3*30*86400)
    +1 Point if HSTS lasts for more than 6 months (6*30*86400)

3.6 ALPN / NPN

    +1 Point if NPN (Next Protocol Negotiation) is supported
    +1 Point if ALPN (Application Layer Protocol Negotiation) is supported

3.7 SPDY Support

    +1 Point if SPDY is supported

    +1 Point if SPDY 1.0 is supported
    +1 Point if SPDY 2.0 is supported
    +1 Point if SPDY 3.0 is supported
    +1 Point if SPDY 3.1 is supported
    +1 Point if SPDY 4.0 is supported

3.8 Renegotiation

    +1 Point if secure server-initiated renegotiation is available
    +1 Point if secure client-initiated renegotiation is available
    -5 Point if insecure client-initiated renegotiation is available

Key Exchange
------------

4.1 Offered Key Exchange protocols

    -10 Points if aNULL is offered
    -5 Points if ADH is offered
    -1 Point if PSK is offered
    0 Points if SRP is offered
    0 Points if RSA is offered
    +5 Points if DHE is offered
    +5 Points if ECDHE (i.e. any Eliptic Curve-based KEX) is offered

4.2 Protection against Eavesdroppers

    -5 Points if any KEX without actual authentication is offered
    +5 Points if any KEX with PFS is offered

4.3 Performed Key Exchanges

    For a list of various implementations perform a set of connection attemps as would the original software do
    (Note: If ciphers suites can be activated which aren't on by default have an additional try with all cipher suites enabled in default order)
        -1 Point if the used key exchange did not authenticate the server
        +1 Point if the used key exchange did authenticate the server
        +1 Point if the used key exchange used PFS

4.4 Diffie-Hellman Parameters

    For each KEX with DH check the parameters for validity
        -10 Points if the send "prime" is not actually prime
        -10 Points if the send subgroup of the KEX is invalid
        -10 Points if the send prime is shorter then 128 bits
        -8 Points if the send prime is shorter then 256 bits
        -6 Points if the send prime is shorter then 512 bits
        -4 Points if the send prime is shorter then 1024 bits
        -2 Points if the send prime is shorter then 1536 bits
        -1 Point if the send prime is shorter then 2047 bits
        +1 Point if the send prime is at least 3072 bits
        +2 Points if the send prime is at least 4096 bits
        +3 Points if the send prime is at least 8192 bits
        +4 Points if the send prime is at least 16384 bits
        +5 Points if the send prime is at least 32768 bits

Cipher Strength
---------------

5.1 Offered Cipher Families

    -1 Point if DES is offered
    -1 Point if 3DES is offered
    -1 Point if RC2 is offered
    -1 Point if RC4 is offered
    +1 Point if AES is offered
    +1 Point if CAMELLIA is offered
    +1 Point if XSALSA20 is offered

5.2 Offered Cipher Strength

    For each offered cipher award points for:
        1. key size (per algorithm)
        2. effective key size (per algorithm)
        3. best known attack complexity
    according to the following scheme:
        -10 Points if it is below 16 bits (AKA {hard to be read} plaintext)
        -5 Points if it is below 64 bits
        -3 Points if it is below 128 bits
        0 Points if it is exactly 128 bits
        +1 Point if it is above 128 bits
        +2 Points if it is at least 192 bits
        +5 Points if it is at least 256 bits
    (Note: Taking 3DES as an example this gives +1 for key size, -1 for effective key size and -3 for attack (given 2^84 encryptions on chosen plaintext)

5.3 Cipher Order

    +1 if the cipher order is enforced by the server
    +1 if the cipher order is monotone and decreasing

    For each offered cipher in the cipher list award:
        +1 Point if it is not strong then the cipher before

5.4 Cipher Modes

    -5 Points if ECB mode is offered
    0 Points if CBC mode is offered
    +1 Point if GCM mode is offered
    +2 Points if CCM mode is offered

    For each offered cipher suite
        -5 Points if the cipher mode is ECB
        +1 Point if the cipher mode is authenticated
        +1 Point if the authentication tag is above 128 bits
        +1 Point if the authentication tag is above 256 bits
        +1 Point if the authentication tag is above 384 bits

5.5 Negotiated Cipher

    For a list of various implementations perform a set of connection attemps as would the original software do
    (Note: If ciphers suites can be activated which aren't on by default have an additional run is scheduled with all cipher suites enabled in default order)
        -5 Points if the connection could not be established
        -1 Point if a second attempt (fallback) was necessary
        -2 Points for each (fallback) attempt after the second one

        N Points according to Cipher Family rating above
        N Points according to Cipher Strength rating above
        N Points according to Cipher Mode rating above
        N Points according to negotiated Protocol Version
        N Points according to chapter 4 (Key Exchange)

[lucaswerkmeister]

4.2: perhaps an extra reward if only PFS KEXs are offered?

I’m a bit skeptical about a purely point-based scheme. There are a lot of points going around here, so that even serious problems like Debian weak key, long expired certificate, or SSLv2 support can easily be masked. “The other SSL test” handles this by capping the grade awarded to the server based on certain conditions (e. g. broken chain ⇒ capped to “B”), which sounds like a good concept to me, though I’m not sure if we want to hand out grades or rather cap the points directly.