Heartbleed is a scary thing. Aside from the violent-sounding name, the bug sat in OpenSSL, the library a huge share of the internet relies on to implement SSL/TLS, and it let anyone read chunks of a server's memory on many of the sites we know, love, and use on a daily basis. Even setting Heartbleed aside, not all encrypted connections are created equal. So how do you know whom to trust?
Well, it's complicated. There are different versions of SSL and TLS, some more secure than others, and setting up an encrypted connection takes several steps, each of which can expose the user in a different way if it's done badly. That's why the security firm Qualys built the SSL Labs SSL Server Test.
The test is easy. You type in a domain name, and Qualys performs a deep analysis of the site's SSL/TLS setup before assigning it a letter grade that tells you how secure the connection is. When Gizmodo asked exactly how they arrive at that grade, Qualys explained that they inspect the server configuration in three scored categories: protocol support, key exchange, and cipher strength. (A site whose certificate doesn't check out gets no grade at all, as a couple of entries in the list below show.)
In plain English, the test first checks which protocol versions the site will speak (e.g. the obsolete SSL 2.0 and 3.0 versus the newer TLS 1.0, 1.1, and 1.2, with 1.2 being the one you want). Offering an old version drags the score down even if a new one is offered too, and that number is factored into the total. Then the test checks the key exchange, the step in which your browser and the server agree on the secret keys for the session and, using the server's certificate, your browser verifies that it's really talking to the site and not an impostor. The size of the key behind that certificate is what gets scored.
Finally, the test checks the strength of the site's ciphers, the encryption algorithms (and their key lengths) that actually scramble the traffic between your machine and the site once the session keys are agreed on. A server that still accepts a weak cipher gets marked down even if it also accepts strong ones. The three checks are weighted and combined into a number out of 100, and the letter grade is assigned much the way it is in school: 80 or higher is an A, 65 or higher is a B, and so on down the scale.
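To make that arithmetic concrete, here is an added example (editor's code, not Qualys' scanner and not part of the original article) that models how the three category checks turn into a score out of 100 and a letter. The score tables and the 30/30/40 weights follow the public SSL Labs Server Rating Guide as originally published; the live test has since added further rules (caps for specific weaknesses, plus the A-, A+ and T grades), which is where the A- results in the list below come from, so treat this as a teaching aid rather than a substitute for running the real test. The server configurations fed to it are constructed, not real scan results.

```python
"""Toy model of the SSL Labs server rating arithmetic (editor's example).

Tables and weights follow the originally published SSL Labs Server Rating
Guide; the live test applies extra rules on top, so this models the base
scoring only.
"""
from fractions import Fraction

# Protocol support: each accepted version has a score; the category score is
# the average of the best and the worst version the server will speak.
PROTOCOL_SCORE = {
    "SSL 2.0": 0,
    "SSL 3.0": 80,
    "TLS 1.0": 90,
    "TLS 1.1": 95,
    "TLS 1.2": 100,
}

# Category weights: protocol support 30%, key exchange 30%, cipher strength 40%.
WEIGHTS = {"protocol": 30, "key_exchange": 30, "cipher": 40}

# Letter thresholds: 80+ A, 65+ B, 50+ C, 35+ D, 20+ E, otherwise F.
LETTER_THRESHOLDS = [(80, "A"), (65, "B"), (50, "C"), (35, "D"), (20, "E")]


def key_exchange_score(key_bits: int, anonymous: bool = False) -> int:
    """Score the server's authentication key (RSA modulus / DH parameter size)."""
    if anonymous:            # no authentication at all: anyone can pose as the server
        return 0
    if key_bits < 512:
        return 20
    if key_bits < 1024:
        return 40
    if key_bits < 2048:
        return 80
    if key_bits < 4096:
        return 90
    return 100


def cipher_bits_score(bits: int) -> int:
    """Score one cipher suite by its symmetric key length."""
    if bits == 0:            # NULL cipher: no encryption at all
        return 0
    if bits < 128:           # 40/56-bit export ciphers, 112-bit 3DES
        return 20
    if bits < 256:           # 128-bit AES, RC4
        return 80
    return 100


def best_worst_average(scores) -> Fraction:
    """Average of the strongest and weakest entry, so one weak option hurts
    even when strong ones are offered alongside it."""
    return Fraction(max(scores) + min(scores), 2)


def letter_grade(total) -> str:
    for threshold, grade in LETTER_THRESHOLDS:
        if total >= threshold:
            return grade
    return "F"


def grade_server(protocols, key_bits, cipher_bits, cert_valid=True, anonymous_kx=False):
    """Return (score out of 100, letter grade) for a described configuration.

    protocols:   protocol version names the server accepts
    key_bits:    size of the server's authentication key in bits
    cipher_bits: symmetric key lengths of the cipher suites the server accepts
    """
    # Hard failures: a certificate that does not check out, or SSL 2.0 support,
    # zeroes the grade regardless of the category arithmetic.
    if not cert_valid or "SSL 2.0" in protocols:
        return 0.0, "F"
    protocol = best_worst_average([PROTOCOL_SCORE[p] for p in protocols])
    key_exchange = Fraction(key_exchange_score(key_bits, anonymous_kx))
    cipher = best_worst_average([cipher_bits_score(b) for b in cipher_bits])
    total = (WEIGHTS["protocol"] * protocol
             + WEIGHTS["key_exchange"] * key_exchange
             + WEIGHTS["cipher"] * cipher) / 100
    return float(total), letter_grade(total)


if __name__ == "__main__":
    # Constructed configurations, not real scan results.
    examples = {
        "modern": (["TLS 1.0", "TLS 1.1", "TLS 1.2"], 2048, [128, 256]),
        "modern + one 3DES suite": (["TLS 1.0", "TLS 1.1", "TLS 1.2"], 2048, [112, 128, 256]),
        "legacy": (["SSL 3.0", "TLS 1.0"], 1024, [56, 128]),
        "still speaks SSL 2.0": (["SSL 2.0", "TLS 1.2"], 2048, [256]),
    }
    for name, (protos, bits, ciphers) in examples.items():
        score, grade = grade_server(protos, bits, ciphers)
        print(f"{name:26s} {score:5.1f}  {grade}")
```

Running it makes the point the three checks are driving at: a server that is otherwise modern but still accepts a 112-bit 3DES suite drops from 91.5 (A) to 79.5 (B), because each category is scored on the average of its best and worst entry, so offering a strong option doesn't paper over a weak one that's still enabled.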
Because it matters, we went ahead and looked up some of the most popular sites on the internet and made a few lists for easy reference. Most of the big sites on the internet are thankfully pretty secure. But some are more secure than others. The test returns a result for each server address behind a site, and because the score can vary slightly from one of those servers to the next, we used only the scores listed for the primary domain, unless there was a major discrepancy in scores. If the test returned something other than a letter grade, the message is noted in quotes. To see the details of each test, click the letter grade.
--google.com - A
--youtube.com - A
--facebook.com - A-
--msn.com - "Unable to connect to server"
--yahoo.com - A
--twitter.com - A-
--answers.com - "Certificate not valid"
--amazon.com - B
--microsoft.com - B
--yelp.com - B