SSL Security Test Scoring Methodology
Scoring Methodology
- At the beginning of the test, the server score is 100.
- Points are deducted when the server configuration does not meet the PCI DSS requirements, HIPAA guidance or NIST guidelines.
- Points are deducted when the server configuration contains exploitable vulnerabilities or weaknesses that are not yet covered by PCI DSS, HIPAA or NIST.
- Points are added for every extra best practice that is not mentioned in the PCI DSS requirements, HIPAA guidance or NIST guidelines.
- A server cannot get an "A+" if any single misconfiguration costs it more than 10 points.
- A server gets an "N" if the tested port is closed.
- A server gets an "F" if the HTTPS port (443/tcp) is closed but the HTTP port (80/tcp) is open.
Grade | Score |
---|---|
A+ | Score greater than 100 |
A | Score between 90 and 99 |
A- | Score between 80 and 89 |
B+ | Score between 70 and 79 |
B | Score between 60 and 69 |
B- | Score between 50 and 59 |
C+ | Score between 35 and 49 |
C | Score between 20 and 34 |
F | Score lower than 20 |
Scoring
Description | Score |
---|---|
Certificate is an Extended Validation (EV) certificate | +10 points |
HTTP website redirects to HTTPS (Always-On SSL) | +10 points |
Server prefers cipher suites providing strong Perfect Forward Secrecy (PFS) | +10 points |
Server supports the TLS_FALLBACK_SCSV signaling cipher suite | +10 points |
Server implements HTTP Strict Transport Security (HSTS) with a long duration, or the domain is included in the HSTS preload list | +10 points |
Server supports TLSv1.3 | +10 points |
Server X.509 certificate version is earlier than v3 | -5 points |
Server certificate validity period is longer than 398 days | -5 points |
Server certificate has not been signed with the proper algorithm | -5 points |
Server does not support OCSP stapling | -5 points |
Server supports neither the P-256 nor the P-384 curve | -5 points |
Server does not support some cipher suites required by NIST guidelines or HIPAA guidance | -5 points |
TLS cipher suites that are not approved by NIST guidelines or HIPAA guidance are supported | -5 points |
Server supports elliptic curves but does not support the EC Point Format extension | -5 points |
Certificate chain is not provided | -10 points |
Website includes insecure (HTTP) content | -10 points |
Server accepts client-initiated secure renegotiation | -10 points |
Server does not provide information about support for secure renegotiation | -10 points |
Server does not support TLSv1.3 | -10 points |
Certificate chain relies on an expired certificate, which can break the connection for some clients | -20 points |
Certificate signature is not SHA-2 | -20 points |
Certificate does not provide revocation information | -20 points |
SSL is supported but TLSv1.1, TLSv1.2 or TLSv1.3 is preferred | -20 points |
SSL/TLS cipher suites that are not approved by PCI DSS are supported | -40 points |
Certificate key length or DH parameters are too small (< 2048 bits, or < 256 bits for EC) | -40 points |
Server supports at least one elliptic curve whose size is below 224 bits | -40 points |
SSL is supported while none of TLSv1.1, TLSv1.2 or TLSv1.3 is | -40 points |
Server supports TLS compression, which may allow the CRIME attack | -40 points |
SSL/TLS cipher suites that are not approved by PCI DSS are preferred | -50 points |
Certificate is untrusted or invalid* | -60 points |
Server is vulnerable to CVE-2014-0224 (OpenSSL CCS flaw) | -60 points |
Server is vulnerable to CVE-2016-2107 (OpenSSL padding-oracle flaw) | -60 points |
Server may be vulnerable to CVE-2021-3449 (OpenSSL maliciously crafted renegotiation vulnerability) | -60 points |
Server is vulnerable to POODLE over TLS | -60 points |
Server is vulnerable to GOLDENDOODLE | -60 points |
Server is vulnerable to Zombie POODLE | -60 points |
Server is vulnerable to Sleeping POODLE | -60 points |
Server is vulnerable to 0-Length OpenSSL | -60 points |
Server accepts client-initiated insecure renegotiation | -60 points |
Server is vulnerable to ROBOT (Return Of Bleichenbacher's Oracle Threat) | -60 points |
Server is vulnerable to Heartbleed | -70 points |
* including a mismatch between the certificate's CN/SAN and the tested name, unless the test target is an IP address and the IP's PTR record matches the domain in the CN and SAN
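As an added worked example (not the test vendor's code), the script below applies both tables on this page end to end: it reads a constructed `openssl s_client -status` transcript, derives the handful of findings that one handshake can expose (TLSv1.3, compression, secure renegotiation, OCSP stapling, ephemeral key size, certificate trust), sums the points from 100, and maps the total to a grade with the port and A+ rules. The two transcripts are hand-written and abridged, the names `findings_from_s_client`, `score` and `grade` are mine, and the choice that a blocked A+ falls to A is an assumption the page does not state.

```python
import re

START_SCORE = 100
# Grade bands from the page: (lowest score in the band, grade), best first.
GRADE_BANDS = [(101, "A+"), (90, "A"), (80, "A-"), (70, "B+"), (60, "B"),
               (50, "B-"), (35, "C+"), (20, "C")]
A_PLUS_MAX_SINGLE_LOSS = 10  # no A+ if one misconfiguration costs more than this


def findings_from_s_client(output):
    """Map an `openssl s_client -status` transcript to (description, points) pairs
    for the subset of the page's checks that a single handshake can reveal."""
    findings = []
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    proto = m.group(1) if m else ""
    # s_client negotiates the highest version it offers, so the negotiated
    # protocol tells us whether the server supports TLSv1.3.
    findings.append(("Server supports TLSv1.3", +10) if proto == "TLSv1.3"
                    else ("Server does not support TLSv1.3", -10))
    if re.search(r"^Compression: (?!NONE)", output, re.M):
        findings.append(("Server supports TLS compression which may allow CRIME attack", -40))
    # Caveat: TLS 1.3 removed renegotiation, so s_client prints "IS NOT supported"
    # for every TLS 1.3 session; only treat the line as a finding on TLS <= 1.2.
    if proto != "TLSv1.3" and "Secure Renegotiation IS NOT supported" in output:
        findings.append(("Server does not provide information about support for secure renegotiation", -10))
    if "OCSP response: no response sent" in output:
        findings.append(("Server does not support OCSP stapling", -5))
    m = re.search(r"^Server Temp Key: (\w+),(?: [\w-]+,)? (\d+) bits", output, re.M)
    if m:
        kind, bits = m.group(1), int(m.group(2))
        if kind == "DH" and bits < 2048:
            findings.append(("Certificate key length or DH parameter are too small", -40))
        elif kind != "DH" and bits < 224:  # ECDH/X25519; X25519 reports 253 bits
            findings.append(("Server supports at least one elliptic curve whose size is below 224 bits", -40))
    m = re.search(r"Verify return code: (\d+)", output)
    if m and m.group(1) != "0":
        findings.append(("Certificate is untrusted or invalid", -60))
    return findings


def score(findings):
    """Start at 100 and apply every bonus and deduction."""
    return START_SCORE + sum(points for _, points in findings)


def grade(total, findings=(), https_open=True, http_open=False):
    """Letter grade for a score, applying the port rules and the A+ cap."""
    if not https_open:
        return "F" if http_open else "N"
    letter = "F"
    for floor, band in GRADE_BANDS:
        if total >= floor:
            letter = band
            break
    if letter == "A+" and any(p < -A_PLUS_MAX_SINGLE_LOSS for _, p in findings):
        letter = "A"  # assumption: a blocked A+ falls to A; the page does not say which grade
    return letter


# Constructed transcripts (abridged; not captured from a real host).
WEAK_TRANSCRIPT = """\
CONNECTED(00000003)
OCSP response: no response sent
depth=0 CN = www.example.test
verify return:1
---
Server Temp Key: DH, 1024 bits
---
New, TLSv1.2, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA
    Verify return code: 0 (ok)
"""
GOOD_TRANSCRIPT = """\
CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
depth=0 CN = www.example.test
verify return:1
---
Server Temp Key: X25519, 253 bits
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS NOT supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1.3
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_TRANSCRIPT), ("good", GOOD_TRANSCRIPT)):
        found = findings_from_s_client(text)
        print(name, score(found), grade(score(found), found), found)
```

To run it against a live host, capture `openssl s_client -connect host:443 -servername host -status < /dev/null 2>&1` and pass the text to `findings_from_s_client`. One handshake only shows what was negotiated, so checks that need enumeration (every offered cipher suite, every curve, SSL fallback behaviour, the vulnerability probes in the table) are out of scope here; the weak transcript scores -5 (grade F) and the good one 110 (grade A+).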