SSL SCORING METHODOLOGY
- At the beginning of the test, the server score is 100.
- Points are deducted when the server configuration does not comply with the PCI DSS requirements, HIPAA guidance or NIST guidelines.
- Points are deducted when the server configuration contains exploitable vulnerabilities or weaknesses that are not yet covered by PCI DSS, HIPAA or NIST.
- Points are added for every extra best practice that is not mentioned in the PCI DSS requirements, HIPAA guidance or NIST guidelines.
- A server cannot get an "A+" if a misconfiguration makes it lose more than 10 points.
- A server gets an "N" if the tested port is closed.
- A server gets an "F" grade if the HTTPS port (443/tcp) is closed but the HTTP port (80/tcp) is open.
| Grade | Score |
|-------|-------|
| A+ | Score greater than 100 |
| A | Score between 90 and 99 |
| A- | Score between 80 and 89 |
| B+ | Score between 70 and 79 |
| B | Score between 60 and 69 |
| B- | Score between 50 and 59 |
| C+ | Score between 35 and 49 |
| C | Score between 20 and 34 |
| F | Score lower than 20 |
Scoring

| Description | Score |
|-------------|-------|
| Certificate is an Extended Validation (EV) certificate | +10 points |
| HTTP website redirects to HTTPS (Always-On SSL) | +10 points |
| Server prefers cipher suites providing strong Perfect Forward Secrecy (PFS) | +10 points |
| Server provides the TLS_FALLBACK_SCSV extension | +10 points |
| Server implements HTTP Strict Transport Security (HSTS) with a long duration, or the domain is included in the HSTS preload list | +10 points |
| Server supports TLSv1.3 | +10 points |
| Server X.509 certificate version is earlier than 3 | -5 points |
| Server certificate validity period is longer than 398 days | -5 points |
| Server certificate has not been signed with the proper algorithm | -5 points |
| Server does not support OCSP stapling | -5 points |
| Server supports neither the P-256 nor the P-384 curve | -5 points |
| Server does not support some cipher suites required by NIST guidelines or HIPAA guidance | -5 points |
| TLS cipher suites not approved by NIST guidelines or HIPAA guidance are supported | -5 points |
| Server supports elliptic curves but does not support the EC Point Format extension | -5 points |
| Certificate chain is not provided | -10 points |
| Website includes insecure (HTTP) content | -10 points |
| Server accepts client-initiated secure renegotiation | -10 points |
| Server does not provide information about support for secure renegotiation | -10 points |
| Server does not support TLSv1.3 | -10 points |
| Certificate chain relies on an expired certificate, which can break the connection for some clients | -20 points |
| Certificate signature is not SHA-2 | -20 points |
| Certificate does not provide revocation information | -20 points |
| SSL is supported, although TLSv1.1, TLSv1.2 or TLSv1.3 is preferred | -20 points |
| SSL/TLS cipher suites not approved by PCI DSS are supported | -40 points |
| Certificate key length or DH parameters are too small (< 2048 bits, or < 256 bits for EC) | -40 points |
| Server supports at least one elliptic curve whose size is below 224 bits | -40 points |
| SSL is supported while none of TLSv1.1, TLSv1.2 or TLSv1.3 is | -40 points |
| Server supports TLS compression, which may allow the CRIME attack | -40 points |
| SSL/TLS cipher suites not approved by PCI DSS are preferred | -50 points |
| Certificate is untrusted or invalid* | -60 points |
| Server is vulnerable to CVE-2014-0224 (OpenSSL CCS flaw) | -60 points |
| Server is vulnerable to CVE-2016-2107 (OpenSSL padding-oracle flaw) | -60 points |
| Server may be vulnerable to CVE-2021-3449 (OpenSSL maliciously crafted renegotiation vulnerability) | -60 points |
| Server is vulnerable to POODLE over TLS | -60 points |
| Server is vulnerable to GOLDENDOODLE | -60 points |
| Server is vulnerable to Zombie POODLE | -60 points |
| Server is vulnerable to Sleeping POODLE | -60 points |
| Server is vulnerable to 0-Length OpenSSL | -60 points |
| Server accepts client-initiated insecure renegotiation | -60 points |
| Server is vulnerable to ROBOT (Return Of Bleichenbacher's Oracle Threat) | -60 points |
| Server is vulnerable to Heartbleed | -70 points |

* Including a mismatch of the certificate's CN and SAN, unless the test is for an IP address and the IP's PTR record matches the domain in the CN and SAN.
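As an added illustration, not part of the original methodology page, the rules above expressed as a small Python grader: it starts at 100, applies the deltas of a representative subset of the table's findings, enforces the A+ and closed-port rules, and maps the total onto the grade bands. The finding names, and the handling of a score of exactly 100 and of a server blocked from A+ by a large deduction, are assumptions.

```python
"""Grade a TLS server from a list of findings, following the scoring rules on this page."""

# Point deltas copied from the scoring table above (a representative subset,
# keyed by assumed finding names; extend with the remaining rows as needed).
WEIGHTS = {
    "ev_certificate": +10,
    "http_redirects_to_https": +10,
    "prefers_strong_pfs": +10,
    "tls_fallback_scsv": +10,
    "hsts_long_or_preloaded": +10,
    "supports_tls13": +10,
    "no_ocsp_stapling": -5,
    "no_tls13": -10,
    "insecure_content": -10,
    "no_revocation_info": -20,
    "non_pci_ciphers_supported": -40,
    "non_pci_ciphers_preferred": -50,
    "untrusted_certificate": -60,
    "heartbleed": -70,
}

# Lower bound of each grade band from the grade table (A+ is handled separately).
GRADE_BANDS = [(90, "A"), (80, "A-"), (70, "B+"), (60, "B"), (50, "B-"), (35, "C+"), (20, "C")]


def score(findings):
    """Start at 100 and apply every finding's delta; returns (total, worst single deduction)."""
    unknown = [f for f in findings if f not in WEIGHTS]
    if unknown:
        raise ValueError(f"unknown findings: {unknown}")
    total = 100 + sum(WEIGHTS[f] for f in findings)
    worst = min((WEIGHTS[f] for f in findings), default=0)
    return total, worst


def grade(findings, https_open=True, http_open=False):
    """Map findings and port state to a letter grade."""
    if not https_open:
        # A closed test port gives "N"; closed 443/tcp with open 80/tcp gives "F".
        return "F" if http_open else "N"
    total, worst = score(findings)
    if total > 100:
        # A+ needs a score above 100 and no single deduction larger than 10 points.
        # Assumption: a server blocked from A+ by that rule is graded "A".
        return "A+" if worst >= -10 else "A"
    # Assumption: a score of exactly 100 (not listed in the grade table) is graded "A".
    for floor, letter in GRADE_BANDS:
        if total >= floor:
            return letter
    return "F"
```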