
With respect, I disagree that anyone should make it easier to get an A+ rating. That really should be reserved for the best of the best, where a site implements all current best practices and avoids all current weaknesses.

An A+ grade should be hard to get, and really mean something.



No, it shouldn't be hard to get and it already does mean something.

You seem to think of grades as in 'honorifics' or something. "The best of the crop are assigned an A+ to distinguish them from the rest".

But that's not what we have here. SSL Labs grades aren't "rare". They're supposed to be a direct result of your TLS deployment practices. Given that everyone should follow best practices, everyone should aim for (and get) an A+ in an ideal world.


No, sites would be better off spending that extra effort on non-cryptographic security like protecting their DNS registration, internal spearphishing, etc.


IMO, full cryptographic security should be the baseline.

Yes, you need the other things too, but until you've got full current cryptographic security, you're simply not done in that area.


What's an example of something they could add that would make A+ harder to get, and also add meaningful security?



