ZoTrus Website Security Test Rating Service Rating Guide V1.0, June 1, 2022

Whether a website is secure or not depends on at least three basic elements: https encryption, WAF protection, and trusted identity validation. All three are indispensable. That is why ZT Browser innovatively displays three website security-related icons: not only the security padlock, but also a cloud WAF protection icon and a website trusted identity validation level icon.

When the user clicks the security padlock, the level of the website security test rating is displayed, so that website visitors can quickly understand the security status of the website, including whether there are security vulnerabilities in the SSL certificate deployment, whether the website has cloud WAF protection, and whether the website identity has been validated. It also helps website owners understand the security status of their website and take corresponding security measures in a timely manner.

In order to improve the level of website security, ZT Browser provides a free website security test rating service. The SSL security test part of this rating guide refers to the test guide of Qualys SSL Labs and adds SSL tests for the SM2 algorithm and SM2 SSL certificates, so that the webmaster can confidently assess the SSL certificate deployment security status of RSA/ECC/SM2 algorithms without becoming an SSL expert, and find and repair security vulnerabilities in time. It also adds checks for whether the website uses a cloud WAF protection service, which cloud WAF service provider it uses, and whether the identity of the website has been validated. The ZoTrus Website Security Test Rating Service comprehensively assesses the security status of a website from these three aspects, and strives to be complete, comprehensive, fair, and just.

1. Methodology Overview

Our approach consists of four steps:

  • First, check whether the website has deployed an SSL certificate trusted by ZT Browser (including RSA/ECC SSL certificates and SM2 SSL certificates). If none is deployed, the browser prompts "Not secure" like all browsers, and the website does not participate in the security test rating.
  • For websites that have deployed SSL certificates trusted by ZT Browser, we first do a comprehensive test of the SSL certificate deployment from four dimensions: SSL Certificate, Protocol Support, Key Exchange, and Cipher Strength. This accounts for 60% of the total score, because the deployment of SSL certificates is the foundation of website security.
  • Then check whether the website uses cloud WAF protection. WAF protection accounts for 20% of the total score, because a website without cloud WAF protection cannot guarantee its security: a variety of website attacks, such as implanted Trojan horses, tampered web pages, or SQL injection, have become a common hazard to website security. If the website uses a cloud WAF service trusted by ZT Browser, it scores 20 points; in the future, we will introduce a third-party cloud WAF protection performance rating and give different scores based on that rating result.
  • The third check is website identity validation, which accounts for 20 points of the total score, because a fake website that has not passed trusted identity validation can still deploy an SSL certificate and have cloud WAF protection; only websites that have passed trusted identity validation are trusted websites. The test system checks whether the website has deployed an SSL certificate with validated identity trusted by ZT Browser, including IV SSL, OV SSL, and EV SSL certificates. If the website deploys a DV SSL certificate, which does not validate the identity of the website, the system checks whether the website has passed a trusted identity validation trusted by ZT Browser, including IV Certification, OV Certification, and EV Certification. The Website Trusted Identity Validation Service is provided by ZT Browser and also supports website trusted validation data provided by root CA operators trusted by ZT Browser. Certified websites score 10 points for IV Certification, 15 points for OV Certification, and 20 points for EV Certification.

We combine the three scores into an overall score (expressed as a number between 0 and 100) and give ratings based on the score: A, B, C, D, E, F. We then apply a series of rules to fine-tune the rating, such as A to A+ to reward a good configuration, or perhaps to adjust A to A- to show attention to a slightly lacking configuration.

Table 1. Letter grade translation

  Numerical Score    Grade
  >= 95              A+
  >= 80              A
  >= 70              B+
  >= 60              B
  >= 50              C
  >= 40              D
  >= 30              E
  < 30               F

2. What This Guide Does Not Cover

Our immediate goal is to focus on those configuration problems whose presence can be determined automatically without manual assessment. Only a fully automated approach makes it possible to perform a large-scale assessment of website security practices. In focusing on automation, we have decided not to look for certain problems.

3. Other questions that users must understand

3.1 What Should My Score Be?

Grade B, which is the minimum requirement for website security, corresponds to only 60 points. Websites with different purposes have different security requirements. E-government websites, bank websites, and e-commerce websites should be at least Grade A.

3.2 Is SSL Enough?

No. A non-trivial website cannot be secure if it does not implement SSL, but SSL is not enough. SSL deals with only one aspect of security, namely the security of the communication channel between a website and its users. SSL does not and cannot address other security issues that may exist on a website, such as the various attacks against the site itself. View SSL as a foundation on which to build, but the foundation alone is not enough. The website also needs cloud WAF protection and website trusted identity validation.

4. Rating Criteria for Each Category

4.1 SSL Security Test

The SSL security test is a comprehensive test of the SSL certificate deployment from four dimensions: SSL certificate, protocol support, key exchange, and cipher strength. It accounts for 60% of the total score. Within this item, the SSL certificate dimension is worth 60 points, and the other three dimensions together account for 40 points.

4.1.1 SSL Certificate

To implement https encryption, there must be an SSL certificate. Therefore, the security of the SSL certificate itself is the most critical point in the security test, accounting for 60 points of the four categories. A certificate that is not trusted (i.e., is not ultimately signed by a well-known certificate authority) fails to prevent man-in-the-middle (MITM) attacks and renders SSL effectively useless. A certificate that is incorrect in some other way (e.g., a certificate that has expired or been revoked) erodes trust and, in the long term, jeopardizes the security of the Internet as a whole.

For these reasons, any of the following certificate issues immediately results in a zero score; ZT Browser displays "Not secure" and does not display the results of the website security rating.

  • Domain name mismatch
  • Certificate not yet valid
  • Certificate expired
  • Use of a self-signed certificate
  • Use of a certificate that is not trusted (unknown CA or some other validation error)
  • Use of a revoked certificate
  • Insecure certificate signature (MD5 or SHA1)
  • Insecure key

Other tests include the following 8 items:

  • Whether the SSL certificate and issuing CA certificate have AIA information, score: 15 points
  • Whether the SSL certificate has an identity validation level identifier OID, score: 10 points
  • Whether the SSL certificate has a Certificate Policy that points to the CA CPS URL (Issuer Statement), score: 10 points
  • Whether the SSL certificate and issuing CA certificate have EKU, score: 5 points
  • Whether the SSL certificate and issuing CA certificate have CRL and/or OCSP URL, and whether they are available, score: 15 points
  • Whether the issuing CA certificate is deployed on the server, score: 10 points
  • Whether the SSL certificate contains SCT data, score: 10 points
  • Whether the domain name has a DNS CAA record, score: 5 points
  • Certificate types: DV SSL, IV SSL, OV SSL and EV SSL, score: 20 points; they are worth 5 points, 10 points, 15 points and 20 points respectively.

Note
  • Some organizations create their own private CAs to issue SSL certificates. This practice is recommended only for internal use, not for publicly accessible websites. At the same time, it is also necessary to ensure that the technical parameters of these SSL certificates can meet the baseline standards, so that the security of the internal system can be truly guaranteed.
  • For the issue of "Use of a certificate that is not trusted": For RSA/ECC algorithm SSL certificate, it means that the root certificate has not been trusted by Chromium. For SM2 algorithm SSL certificate, it means that the root certificate is not trusted by ZT Browser.

4.1.2 Web Server Configuration

SSL is a complex hybrid protocol with support for many features across several phases of operation. To account for the complexity, we rate the configuration of an SSL server in three categories: a) Protocol Support, 30 points; b) Key Exchange, 30 points; c) Cipher Strength, 40 points. The 40 points that the web server configuration contributes to the SSL security test are calculated as a combination of the scores in these three categories.

4.1.2.1 Protocol Support

For the SSL/TLS protocol, SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 all have known security weaknesses and score 0, 80, 90, and 95 respectively, while TLS 1.2 and TLS 1.3 are secure protocols and score 100. The SM2 SSL protocol scores 100.

4.1.2.2 Key Exchange

The key exchange phase serves two functions. One is to perform authentication, allowing at least one party to verify the identity of the other party. The other is to ensure the safe generation and exchange of the secret keys that will be used during the remainder of the session. The weaknesses in the key exchange phase affect the session in two ways:

  • Key exchange without authentication allows an active attacker to perform a MITM attack, gaining access to the complete communication channel.
  • Most servers also rely on public-key cryptography for the key exchange. Thus, the stronger the server's private key, the more difficult it is to break the key exchange phase. A weak key, or an exchange procedure that uses only a part of the key (the so-called exportable key exchanges), can result in a weak key exchange phase that makes the per-session secret keys easier to compromise. Some servers use key exchange mechanisms that do not depend on the private key (the key is still used for authentication). Two popular algorithms are the ephemeral Diffie-Hellman key exchange (DHE) and its elliptic-curve variation, ECDHE. If a separate key exchange mechanism is used, the overall strength will depend on its strength and the strength of the private key.

Table 2. Key exchange rating guide

  Key exchange aspect                                        Score
  Weak key (Debian OpenSSL flaw)                             0
  Anonymous key exchange (no authentication)                 0
  Key or DH parameter strength < 512 bits                    20
  Exportable key exchange (limited to 512 bits)              40
  Key or DH parameter strength < 1024 bits (e.g., 512)       40
  Key or DH parameter strength < 2048 bits (e.g., 1024)      80
  Key or DH parameter strength < 4096 bits (e.g., 2048)      90
  Key or DH parameter strength >= 4096 bits (e.g., 4096)     100
  SM2                                                        100

Note

For suites that rely on DHE or ECDHE key exchange, the strength of DH parameters is considered when determining the strength of the handshake as a whole. Many servers that support DHE use DH parameters that provide 1024 bits of security. On such servers, the strength of the key exchange will never go above 1024 bits, even if the private key is stronger (usually 2048 bits).

4.1.2.3 Cipher Strength

To break a communication session, an attacker can attempt to break the symmetric cipher used for the bulk of the communication. A stronger cipher allows for stronger encryption and thus increases the effort needed to break it. Because a server can support ciphers of varying strengths, we arrived at a scoring system that penalizes the use of weak ciphers. To calculate the score for this category, we follow this algorithm: start with the score of the strongest cipher, add the score of the weakest cipher, divide the total by 2.

Table 3. Cipher strength rating guide

  Cipher strength                 Score
  0 bits (no encryption)          0
  < 128 bits (e.g., 40, 56)       20
  < 256 bits (e.g., 128, 168)     80
  >= 256 bits (e.g., 256)         100
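The following is an added worked example (not ZoTrus code) that turns the scoring rules of Section 1, 4.1.2 and Tables 1 to 3 into functions. It assumes that sub-scores combine as weighted averages with the stated weights, and that when several protocol versions are enabled the weakest one sets the protocol score; the guide does not spell out either point.

```python
# Added example, not part of the ZoTrus guide: scoring per Section 1, 4.1.2, Tables 1-3.
# Assumptions: weighted-average combination; weakest enabled protocol sets the protocol score.
GRADE_THRESHOLDS = [(95, "A+"), (80, "A"), (70, "B+"), (60, "B"),
                    (50, "C"), (40, "D"), (30, "E")]            # Table 1, F below 30
PROTOCOL_SCORES = {"SSLv2": 0, "SSLv3": 80, "TLSv1.0": 90, "TLSv1.1": 95,
                   "TLSv1.2": 100, "TLSv1.3": 100, "SM2": 100}  # 4.1.2.1
IDENTITY_POINTS = {"none": 0, "IV": 10, "OV": 15, "EV": 20}     # 4.3

def key_exchange_score(bits, anonymous=False, exportable=False, debian_weak=False, sm2=False):
    """Table 2: rate the key exchange from the effective key / DH-parameter strength."""
    if debian_weak or anonymous:
        return 0
    if sm2:
        return 100
    if exportable:  # exportable suites are limited to 512 bits
        return 40
    for limit, score in ((512, 20), (1024, 40), (2048, 80), (4096, 90)):
        if bits < limit:
            return score
    return 100

def cipher_score(bits):
    """Table 3: rate one symmetric cipher by its key length (0 bits = no encryption)."""
    for limit, score in ((1, 0), (128, 20), (256, 80)):
        if bits < limit:
            return score
    return 100

def cipher_strength_score(cipher_bits):
    """4.1.2.3: (score of strongest cipher + score of weakest cipher) / 2."""
    return (cipher_score(max(cipher_bits)) + cipher_score(min(cipher_bits))) / 2

def server_config_score(protocols, kx_score, cipher_bits):
    """4.1.2: Protocol Support 30, Key Exchange 30, Cipher Strength 40 (out of 100)."""
    proto = min(PROTOCOL_SCORES[p] for p in protocols)  # assumption: weakest protocol counts
    return 0.3 * proto + 0.3 * kx_score + 0.4 * cipher_strength_score(cipher_bits)

def overall_score(cert_score, server_score, waf_trusted, identity):
    """Section 1: SSL test 60% (certificate 60 / server config 40 inside it), WAF 20, identity 20.
    cert_score is None when a fatal 4.1.1 issue applies: the site is 'Not secure', not rated."""
    if cert_score is None:
        return None
    ssl_test = 0.6 * cert_score + 0.4 * server_score
    return 0.6 * ssl_test + (20 if waf_trusted else 0) + IDENTITY_POINTS[identity]

def grade(score):
    """Table 1: translate the numerical score into a letter grade."""
    return next((g for t, g in GRADE_THRESHOLDS if score >= t), "F")
```

For example, a TLS 1.2/1.3-only server with a 2048-bit key, 128- and 256-bit ciphers, an 85-point certificate, a trusted cloud WAF and OV identity scores about 87.9, Grade A; enabling TLS 1.0 or an export suite lowers it.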

4.2 Cloud WAF Protection Test

The second element of website security is cloud WAF protection. This test accounts for 20% of the total score, because a website without cloud WAF protection cannot guarantee its security: a variety of website attacks, such as implanted Trojans, tampered web pages, or SQL injection, have become a common hazard to website security. If the website uses a cloud WAF protection service trusted by ZT Browser, it scores 20 points; in the future, we will introduce a third-party cloud WAF protection performance rating and give different service scores based on that rating result.

In this version, there are 19 cloud WAF service providers trusted by the WAF protection test, which basically cover the current major service providers. The specific list is as follows:

  • Chinese cloud WAF service providers: Alibaba Cloud WAF, Huawei Cloud WAF, Tencent Cloud WAF, JD Cloud WAF, CTYUN Cloud WAF, Qianxin Cloud WAF, DAS Cloud WAF, Knowsec Cloud WAF, Baishan Cloud WAF.
  • Foreign cloud WAF service providers: Cloudflare Cloud WAF, Microsoft Cloud WAF, Amazon Cloud WAF, Akamai Cloud WAF, Imperva Cloud WAF, Fortinet Cloud WAF, Fastly Cloud WAF, Barracuda Cloud WAF, F5 Cloud WAF, Radware Cloud WAF.

4.3 Website Trusted Identity Test

The third element of website security is whether the website has passed third-party trusted identity validation. This test accounts for 20% of the total score, because a fake website that has not passed trusted identity validation can still deploy an SSL certificate and have cloud WAF protection; only a website that passes trusted identity validation is a trusted website.

There are three sources of website trusted identity accepted by this test. The first is that the website deploys an SSL certificate with validated identity trusted by ZT Browser, including IV SSL, OV SSL and EV SSL certificates, which proves that the identity of the website has been validated, scoring 10 points, 15 points and 20 points respectively. The second is that the website has applied for ZoTrus Website Trusted Validation, which is independent of the type of SSL certificate the website deploys, scoring 10 points for IV Certification, 15 points for OV Certification, and 20 points for EV Certification. The third is website trusted validation performed by a root CA operator trusted by ZT Browser, whose validation information is submitted to the ZoTrus Trusted Website Database through the API and earns the corresponding score.

If a user has applied for a website trusted identity validation service, the identity validation level of the website is determined by that validation level, regardless of what SSL certificate is deployed on the website.