Since Google Chrome in July 2018 began calling out websites not using secure socket layer (SSL) encryption - sites with HTTP URLs - as "not secure," there's been a flurry of activity in adding SSL to sites, making the URLs HTTPS.
Implementing SSL looks deceptively simple. On the surface, it is - but underneath it's not. And not all the people doing it understand all the complexities that are involved.
In part, that's the case because a lot of the SSL documentation that's out there is incomplete or wrong.
Right now, only about 3% of sites with SSL implementations rate A+ in rigorous tests.
If SSL has been implemented on your website, that's good. But if there are any underlying misconfigurations or security holes, you need to identify these and get them fixed.
California-based cloud security company Qualys (NASDAC QLYS) provides an excellent, free online tool for testing SSL implementations.
In the example below, I went to the Qualys tool here https://www.ssllabs.com/ssltest/ where there's an input form that looks like this:
For purposes of example, I sent the tool off to test the website of Singaporean hotel booking site agoda.com. Here's the top-line result I got back after a few minutes:
So just by blind luck I hit on one of those rare sites with a grade of A+.
The complete report is 6 pages long, so I'm not going to reproduce all of it here. But here are a couple of key snippets:
Primary SSL Certificate information:
That shows us the identity of the issuing authority, the start and end dates of the certificate, the fact that it hasn't been revoked, and more.
Below that is information on additional certificates, followed by a Configuration section which among other things includes:
Handshake Simulation results for 50 browsers (not all shown here):
All handshakes were successful except in the case of Internet Explorer 8 running on Windows XP - a notoriously troublesome browser. The Qualys tool obviously found this to be an acceptable exception.
So Agoda's SSL implementation is in fine shape.
Is yours? Use the free Qualys tool and find out fast.
And if fixes are necessary, I'm sure the people at Qualys could help you with that.
FYI, Qualys has not compensated me in any way for this review.