The tests on this site describe a set of rules that your software should follow when the user wants a secure session: making sure that it connects to the proper server and not to a server that impersonates the real one, and, after successful identification, setting up a confidential, encrypted session with that server. That is TLS in a nutshell: a connection that provides integrity, confidentiality and identification.

Is it just a question of on or off, full security or clear text transmission?

We need more crypto on the wire: anything is better than clear text. Today, too many sessions on the Internet are sent in clear text. This is bad. The Internet engineers in the IETF and many other organisations have come to the conclusion that all new protocols will have encryption by default.

Opportunistic Security

In order to get more sessions encrypted, a new concept called Opportunistic Security is being developed. The idea is to still provide encryption for sessions where the user has not requested full security, meaning full TLS with an authenticated session. Anything is better than clear text when you are surfing in a coffee shop or a hotel.

Protocols providing Opportunistic Security will not replace TLS but will use TLS whenever possible, regardless of the certificate. If the CA is unknown, if the certificate is self-signed, if the encryption offered is poor, it is still better than clear text.

The point is to activate encryption in the background without showing any indication of this to the user. The user must not confuse it with a secure TLS session: no locks in the user interface, no symbol for a secure session anywhere. It is not secure; it is just a bit better than clear text, which anyone can easily listen in on.

What does this mean for your application?

The application should strive for full security. But if it connects to services you have no control over and they offer TLS, set up a TLS connection by default. Always. Strive for the best possible connection for your users.
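The policy described above, as an added example (not code from this site or from RFC 7435): a client that never downgrades a session the user asked to be secure, but for all other sessions steps down from authenticated TLS to unauthenticated TLS to clear text, and shows a lock only for the authenticated case. The `dial` parameter and `simulated_server` are assumptions introduced here so the decision logic can run offline.

```python
import socket
import ssl
from enum import Enum


class Level(Enum):
    AUTHENTICATED = "authenticated TLS"    # the only level that earns a lock icon
    OPPORTUNISTIC = "unauthenticated TLS"  # encrypted, peer identity unknown, no indicator
    CLEARTEXT = "cleartext"                # last resort, and only for non-secure requests


def authenticated_context():
    # Full security: system trust store, chain validation and hostname check.
    return ssl.create_default_context()


def opportunistic_context():
    # Encrypt with whatever the peer offers (unknown CA, self-signed cert);
    # no identity check at all, so this must never be presented as "secure".
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def real_dial(host, port, ctx):
    # Hypothetical default dialer: ctx=None means plain TCP.
    sock = socket.create_connection((host, port), timeout=5)
    return sock if ctx is None else ctx.wrap_socket(sock, server_hostname=host)


def connect(host, port, user_wants_secure, dial=real_dial):
    """Return (Level, connection); dial() raises OSError/ssl.SSLError on failure."""
    if user_wants_secure:
        # Requested security is never downgraded: a failure is an error, not a fallback.
        return Level.AUTHENTICATED, dial(host, port, authenticated_context())
    ladder = ((Level.AUTHENTICATED, authenticated_context()),
              (Level.OPPORTUNISTIC, opportunistic_context()),
              (Level.CLEARTEXT, None))
    for level, ctx in ladder:
        try:
            return level, dial(host, port, ctx)
        except (ssl.SSLError, OSError):
            continue  # step down one rung and try again
    raise ConnectionError(f"{host}:{port} unreachable at every level")


def ui_indicator(level):
    # Opportunistic encryption is deliberately invisible to the user.
    return "lock" if level is Level.AUTHENTICATED else ""


def simulated_server(offers_tls, cert_validates):
    """Constructed stand-in for a remote server so the policy can be exercised offline."""
    def dial(host, port, ctx):
        if ctx is None:
            return f"tcp://{host}:{port}"
        if not offers_tls:
            raise OSError("server closed the connection on ClientHello")
        if ctx.verify_mode == ssl.CERT_REQUIRED and not cert_validates:
            raise ssl.SSLCertVerificationError("self-signed certificate")
        return f"tls://{host}:{port}"
    return dial
```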

The IETF has published RFC 7435, which is a good starting point for reading, or why not start with the short presentation here: