Future Grade is not available in the API #564

Closed
CKnoxy opened this issue Feb 9, 2018 · 4 comments

@CKnoxy commented Feb 9, 2018

Looks like this field has been removed from the API return?

#454

@bhushan5640 (Collaborator) commented Feb 14, 2018

Yes. Future grade was used only for these changes:
https://blog.qualys.com/ssllabs/2017/01/18/ssl-labs-grading-changes-january-2017

For current grade changes, the future grade is not shown in the UI or in the API.
https://blog.qualys.com/ssllabs/2018/02/02/forward-secrecy-authenticated-encryption-and-robot-grading-update

If there are many grade changes at once, we will use the future grade feature.
We may use it for SSL Labs grading version two:
https://community.qualys.com/docs/DOC-6321-ssl-labs-grading-2018

@CKnoxy (Author) commented Feb 20, 2018

Why wouldn’t you just keep the field always there and, if there is no expected change, just have it return the same value? We use this tool extensively and would like to get assurance that if there is a planned change, such as the ones coming on 1st March this year, we get sight of it via the API.

@bhushan5640 (Collaborator) commented Feb 20, 2018

Yes, we will use this field for further grade changes.

Basically, we have to calculate two grades to return a future grade (current grade and future grade).
So if there are more changes coming, we use future grade. It's not removed.

For fewer changes, e.g. the F grade due to the ROBOT vulnerability, it can be checked with the field "bleichenbacher" in the API. If vulnerable, the grade will be reduced to F as per the announcement.
https://blog.qualys.com/ssllabs/2018/02/02/forward-secrecy-authenticated-encryption-and-robot-grading-update

Similarly, the "forwardSecrecy" field for the grade downgrade to B. For AEAD you have to parse the ciphers returned in the API.
https://github.com/ssllabs/ssllabs-scan/blob/master/ssllabs-api-docs-v3.md
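The per-field check described in the comment above, as an added example that is not part of the thread and not Qualys code: it derives a projected grade from one endpoint of an API v3 result using `bleichenbacher`, `forwardSecrecy` and the suite names. Assumptions: `bleichenbacher` values 2 and 3 mean vulnerable and suites sit under `suites[].list[].name`, as in the v3 docs linked above; the forward secrecy threshold (`FS_MASK`) and the AEAD name markers are this example's own choices; the sample JSON is constructed.

```python
import json

GRADES = ["A+", "A", "A-", "B", "C", "D", "E", "F"]    # best to worst
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")  # matched in IANA suite names
FS_MASK = 2 | 4  # assumption: FS with modern clients (2) or with all clients (4)

def cap(grade, ceiling):
    """Return the worse of grade and ceiling; non-letter grades (T, M, None) pass through."""
    if grade not in GRADES:
        return grade
    return max(grade, ceiling, key=GRADES.index)

def has_aead(details):
    """True if any suite in suites[].list[] has an AEAD cipher in its name."""
    return any(marker in suite.get("name", "")
               for group in details["suites"]
               for suite in group.get("list", [])
               for marker in AEAD_MARKERS)

def projected_grade(endpoint):
    """Apply the three caps named in the thread; return (grade, reasons)."""
    details = endpoint.get("details", {})
    grade, reasons = endpoint.get("grade"), []
    if details.get("bleichenbacher") in (2, 3):   # weak or strong oracle
        grade = cap(grade, "F")
        reasons.append("ROBOT")
    fs = details.get("forwardSecrecy")
    if fs is not None and not fs & FS_MASK:       # absent field: no verdict
        grade = cap(grade, "B")
        reasons.append("no forward secrecy")
    if "suites" in details and not has_aead(details):
        grade = cap(grade, "B")
        reasons.append("no AEAD suites")
    return grade, reasons

# Constructed sample, trimmed to the fields used above (not real scan output).
SAMPLE = json.loads("""
{"host": "example.test", "endpoints": [
  {"ipAddress": "192.0.2.10", "grade": "A", "details": {
     "bleichenbacher": 1, "forwardSecrecy": 1,
     "suites": [{"protocol": 771, "list": [{"name": "TLS_RSA_WITH_AES_128_CBC_SHA"}]}]}},
  {"ipAddress": "192.0.2.11", "grade": "A", "details": {
     "bleichenbacher": 3, "forwardSecrecy": 4,
     "suites": [{"protocol": 771, "list": [{"name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}]}]}}
]}
""")

if __name__ == "__main__":
    for ep in SAMPLE["endpoints"]:
        print(ep["ipAddress"], ep["grade"], "->", *projected_grade(ep))
```

This covers only the three conditions named in the comment; other announced changes are not modelled.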

@Paradox924X commented Feb 23, 2018

Is there a documentation page on these various flags and configurations that are associated with future grade changes? The API docs you reference above list the flags, but make no mention of what the impact to grade will be for each of these.

For example, you mention F grade due to ROBOT vulnerability, and B grade due to forwardSecrecy field or lack of AEAD ciphers, but are those the only three future grade-impacting problems?

Even in the blog post you link above, there is a fourth change regarding treatment of Symantec certificates.

It seems more than a little unnecessary to require API users to parse each blog post and update their checks for future grade impacts on a flag-by-flag basis when SSLLabs is already doing the work to display these warnings in the UI-based scan, not to mention the seemingly ever-changing dates on when these issues will make it to the visible grade. We use SSLLabs as a valuable resource to check our certificate configuration, and protocols & ciphers posture against with a quick scan, and it doesn't make sense to build a variety of custom code to parse the myriad API results ourselves when scans by other parties would simply be done through the UI and show future results that would not be clearly and immediately represented in the API.

If futureGrade is planned to be used again, is there any potential timeline for when it will be reintroduced?
