ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
https://www.ssllabs.com/projects/ssllabs-apis/
Apache License 2.0

Return numeric grade point with each endpoint in API response #373

Open keithws opened 8 years ago

keithws commented 8 years ago

When a hostname has multiple endpoints, it would be helpful to be able to sort the endpoints by grade. If a numeric representation of the grade was included in the API response for each endpoint, then clients could reliably identify the endpoints with the best and worst grades.

I see two possible numeric values that could be returned with each endpoint.

  1. The grade point value as used to calculate a grade point average in academics.
  2. The overall score, expressed as a number between 0 and 100. Unfortunately, the SSL Server Rating Guide makes it clear that the overall score may not match the final letter grade because some aspects of server configuration cannot be expressed via numerical scoring.

So, it appears that converting the final letter grade to a number is the better option.

I propose the following table be used to convert grades to grade points. It mostly follows the de facto standard for calculating grade point averages in the US with the following exceptions. A distinction is made between an A+ and an A and I assigned values for the additional grades that SSL Labs has defined, E, T, and M.

| Grade | Points |
|-------|--------|
| A+    | 4.3    |
| A     | 4.0    |
| A-    | 3.7    |
| B     | 3.0    |
| C     | 2.0    |
| D     | 1.0    |
| E     | 0.5    |
| F     | 0.0    |
| T     | 0.0    |
| M     | 0.0    |

With this data provided by the API, all clients can consistently identify the lowest grade in a set of endpoints. Additionally, all clients would now have a way to calculate a grade point average for all the endpoints for a host or even calculate a grade point average for multiple hostnames.

I believe it is important for the API to define this instead of each API client implementing their own version.
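The conversion table above applied client-side, as an added example that is not part of this issue or of the ssllabs-scan code: it assumes the `ipAddress`, `statusMessage` and `grade` field names of the SSL Labs host/endpoint object, a constructed sample response, and a hypothetical `gradePoints` output field. Endpoints whose assessment has not finished carry no grade and are skipped rather than scored 0.0, so an unfinished scan is never mistaken for an F, T or M.

```python
import json

# Grade-to-points table proposed in this issue.
GRADE_POINTS = {
    "A+": 4.3, "A": 4.0, "A-": 3.7, "B": 3.0, "C": 2.0,
    "D": 1.0, "E": 0.5, "F": 0.0, "T": 0.0, "M": 0.0,
}

# Constructed sample of a host result with several endpoints. Field names
# follow the SSL Labs API host object; values are made up. One endpoint has
# no grade because its assessment is still in progress.
SAMPLE_HOST = json.dumps({
    "host": "www.example.com",
    "endpoints": [
        {"ipAddress": "192.0.2.10", "statusMessage": "Ready", "grade": "A"},
        {"ipAddress": "192.0.2.11", "statusMessage": "Ready", "grade": "T"},
        {"ipAddress": "192.0.2.12", "statusMessage": "In progress"},
        {"ipAddress": "192.0.2.13", "statusMessage": "Ready", "grade": "A+"},
    ],
})


def grade_points(grade):
    """Return the grade point for a letter grade, or None if unknown/missing."""
    return GRADE_POINTS.get(grade)


def rank_endpoints(host_json):
    """Parse a host result; return (graded endpoints worst-to-best, GPA, ungraded count).

    Endpoints without a known grade are excluded from both the ranking and
    the average instead of being counted as 0.0 points.
    """
    host = json.loads(host_json)
    graded, ungraded = [], 0
    for ep in host.get("endpoints", []):
        pts = grade_points(ep.get("grade"))
        if pts is None:
            ungraded += 1
            continue
        graded.append(dict(ep, gradePoints=pts))  # hypothetical field name
    graded.sort(key=lambda ep: ep["gradePoints"])
    gpa = round(sum(ep["gradePoints"] for ep in graded) / len(graded), 2) if graded else None
    return graded, gpa, ungraded


if __name__ == "__main__":
    ranked, gpa, ungraded = rank_endpoints(SAMPLE_HOST)
    for ep in ranked:
        print(f'{ep["ipAddress"]:<12} {ep["grade"]:<3} {ep["gradePoints"]}')
    print(f"GPA {gpa}, ungraded endpoints skipped: {ungraded}")
```

The first entry of the ranked list is the endpoint an auditor would look at first; the ungraded count tells them the result is not yet complete.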

keithws commented 8 years ago

This would also help resolve issue #165 and issue #181.

ivanr commented 8 years ago

Why is it helpful to have the endpoints sorted by grade? Surely, if you do have many servers behind the same name, all of them should have the same grade? So to me it seems more useful to identify configuration differences rather than score differences. In other words, what I am asking is this: how would this feature be used in real life?

roycewilliams commented 8 years ago

I find this useful. Sorting by grade enables high-level triage of many hosts. Some people -- auditors, people with large campuses/deployments, etc. -- use the API to evaluate hundreds or thousands of servers.

I think a lot of us are doing it. Keith is right that it is better to centralize this in the API instead of everyone inventing it from scratch.