Ivan Ristic and SSL Labs: How one man changed the way we understand SSL

SmartNA PortPlus - High Performance Visibility Solutions that scale with your network.

Ivan Ristic is well-known in the information security world, and his name has become almost a synonym for SSL Labs, a project he started in early 2009. Before that, he was mostly known for his work with OWASP and the development of the wildly popular open source web application firewall ModSecurity.

“When I originally came with the idea of SSL Labs, my primary audience were people like me, those who had to deploy encryption but were faced with poor documentation and behaviours. There were so many opportunities for mistakes and misconfiguration that the only way then (and today) was to inspect a running service to be absolutely sure,” he explained to us his motivation for starting the project.

“I was well aware of the complexities of SSL deployments, because I had been using it for years. I was frustrated with the lack of tools and good documentation and I was sure that others were too. So I decided to create a tool to help myself as well as others.”

SSL Labs was a pleasure project for Ristic, something he worked on in his spare time, so it evolved slowly at the beginning. But after he joined Qualys in May 2010 and became the company’s director of engineering, he showed the project to Qualys CEO Philippe Courtot, who fell in love with it.

It took a couple more years for it to move from the status of “side project” to that of one of the main ones, but since 2013, it became Ristic’s main focus at the company, and he gives Qualys much of the credit for the project’s success.

“It’s doubtful that I would have been able to spend adequate time on it were it not for the Qualys funding, and it was that which allowed me to respond to the challenges,” he noted.

“Over the years, SSL Labs incorporated a great number of checks that are impossible to perform manually. With SSL Labs, you can do them in a minute. It’s a game changer because, to assess your TLS configuration, you don’t need to be an expert (which is extremely difficult because of how quickly things change). In other words, you can focus on your job instead,” he explained.

As time passed, there were other improvements. For example, organizations can perform automated assessments via the projects APIs – they can feed all their hostnames to the tool, automate the scanning, and know exactly when something changes (either because they broke something or because a new issue had been discovered).

“The usefulness of SSL Labs increased significantly when we started simulated capabilities of widely used clients (over 40 of them at this time), which helps with availability. Now you no longer have to be afraid if a change you’re making is going to break something. Instead, you can see exactly how a particular client would behave,” he added.

For years, and even after joining Qualys, SSL Labs’ setup was one server hosted in the cloud and Ristic as the manager. But when Heartbleed hit in April 2014, they were inundated with a million sessions in only a couple of days, and they had to scramble to pad the backend.

“Luckily, it was easy to clone that server into six to handle the load,” says Ristic. “The bigger problem was the fact that I was on vacation that week and with an unreliable Internet connection.”

After that incident, SSL Labs was moved into the Qualys’s data centre, where it remains today. Ristic remains the only developer, but the production servers are now maintained by the company’s Ops team.

SSL Labs is not only helpful to organizations, but to end users as well. An increasing number of them started to care about security, and the project allowed them to gain some visibility into the security posture of a particular web site and, consequently, this gives them an idea of whether or not a particular organization is serious about security.

“Finally, SSL Labs also works as a great tool for raising awareness about various issues. It’s now helping us transition from using weak ciphers and protocols to stronger configurations,” he pointed out.

Future plans

The future of the project looks bright. Ristic plans to revamp the grading criteria to make it easier to understand, to remove some baggage (the current version is from 2009, when SSL/TLS security was vastly different), and to add support for the assessment of protocols other than HTTP. Many other improvements are planned, but we’ll have to wait to hear about them until they are closer to becoming reality.

In the long term, the plan is to make make SSL Labs better, either by adding new features or by making it more user-friendly.

“It’s difficult to have a good plan when you are forced to react to external events,” he says. “For example, progress on new features has been slow in the last two years because I had to instead spend my development time to handle various vulnerabilities: Heartbleed, POODLE, POODLE TLS, Freak, Logjam, and others. For a while it felt like I had to run just to stay in the same place.”

Lessons learned

The project taught Ristic a great many things.

“As a user of TLS, you don’t realise how many moving parts there are behind the scenes,” he noted. “If I had to pick one thing, I’d say that I learned a lot about cryptography engineering. This comes from learning why certain features work in a certain way and, especially, why certain designs cause security issues. Apart from that, it was quite interesting to understand how much diversity there is in TLS deployments; so many different products with different capabilities and quirks. Although that doesn’t seem to be very useful at first, it actually teaches you a lot about how to design a protocol that is used by billions of devices over several decades.”

SSL Labs never stopped being a pleasure project for him. Part of the pleasure is that it is making a difference in a small way. Initially, he didn’t think about where the effort would ultimately lead and he didn’t think that SSL Labs would become so important.

“That’s the beauty of building something because _you_ need it, you don’t have to care about popularity,” he says. “Of course, I’d lie if I said I didn’t care. When you’re sharing something with others and you’re not asking them to give you money for it, the popularity of the product becomes the currency; what you’re paid with. The more popular the product gets, the more motivated you feel to work on it. So it’s like fuel for your development, in a sense.”

“My philosophy has always been to pick one thing, then persistently work on it until you understand it fully and generally do the best job you can. SSL Labs was just the right size for this approach, a good project for one person to handle,” he concluded.