Research on a Security Assessment Model for SSL/TLS Protocol Configuration Based on Fuzzy Comprehensive Analysis
  • Classification: TP393 [Automation and Computer Technology: Computer Application Technology; Automation and Computer Technology: Computer Science and Technology]
  • Author affiliations: [1] University of Chinese Academy of Sciences, Beijing 100190; [2] Institute of Software, Chinese Academy of Sciences, Beijing 100190
  • Funding: National Natural Science Foundation of China (61472409, 61303247); National Key Basic Research Program of China (973 Program) (2013CB338003)
Chinese abstract:

The SSL/TLS protocol is the standard for encrypted network communication. However, because of the complexity and flexibility of the protocol itself, Web sites are highly prone to a variety of security defects when implementing and deploying SSL/TLS. Although SSL/TLS is widely used in Web site development, little attention has been paid to how to deploy and configure it correctly and to the corresponding security assessment. On the basis of a detailed analysis of the characteristics of, and the factors influencing, Web site security assessment, this paper proposes a new definition of Web site security levels and combines the analytic hierarchy process (AHP) with fuzzy comprehensive analysis to build a Web site security assessment model based on AHP-fuzzy comprehensive analysis. The model is then applied to the assessment of real sites, and its results are compared with those of Qualys SSL Labs and High-Tech. The comparison shows that the model better addresses problems in existing assessment systems, such as the unclear meaning of security levels, the neglect of insecure 3DES cipher suites and the neglect of the critical OCSP Stapling extension, which demonstrates the validity and accuracy of the model.

English abstract:

The SSL/TLS protocol is a standard for encrypted network communication. However, due to the complexity of the SSL/TLS protocol, Web sites are prone to various security vulnerabilities when implementing and deploying SSL/TLS protocols. We feel that there is surprisingly little attention paid to how SSL is configured, given its widespread usage in Web sites. Based on a detailed analysis of the characteristics and influencing factors of Web site security assessment, this paper puts forward a new definition of Web site security level, and combines the analytic hierarchy process (AHP) with the fuzzy comprehensive analysis method to construct a Web site security assessment model based on AHP-fuzzy comprehensive analysis. We then apply the model to the evaluation of actual sites. By comparison with the evaluation results of Qualys SSL Labs and High-Tech, we found that this model can better solve the following issues in existing evaluation systems: the security level is not clearly defined, the insecure 3DES cipher suites are ignored, and the critical OCSP Stapling extension is ignored, among others, which illustrates the validity and accuracy of the model.
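The abstract names the two techniques the model combines (AHP for criterion weights, fuzzy comprehensive evaluation for the final grade) but not the arithmetic. The following is an added example, not code from the paper: it derives AHP weights from a pairwise-comparison matrix with a consistency-ratio check, scores a TLS configuration on three assumed criteria (protocol versions, cipher suites with 3DES treated as weak, OCSP stapling), fuzzifies the scores into a membership matrix R, and computes B = W·R. The criteria, the pairwise judgements, the scoring heuristics, the grade anchors and the sample configuration are all constructed assumptions, not values from the paper.

```python
"""AHP weights + fuzzy comprehensive evaluation of a TLS configuration.

Added illustration, not the paper's code. Criteria, pairwise judgements,
scoring heuristics, grade anchors and the sample site are constructed.
"""
from math import prod

# Saaty random-index values used for the consistency ratio (n = 1..5).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}

# Assumed assessment criteria and a constructed pairwise-comparison matrix on
# Saaty's 1-9 scale: entry [i][j] says how much more important i is than j.
CRITERIA = ("protocols", "cipher_suites", "ocsp_stapling")
PAIRWISE = [
    [1.0, 2.0, 3.0],
    [1 / 2, 1.0, 2.0],
    [1 / 3, 1 / 2, 1.0],
]

# Fuzzy grade set V and the 0-100 score each grade is anchored at (assumed).
GRADES = ("A", "B", "C", "F")
ANCHORS = (90.0, 70.0, 50.0, 30.0)

# Cipher-suite name fragments treated as insecure (3DES among them).
WEAK_SUITE_MARKERS = ("3DES", "DES-CBC3", "RC4", "NULL", "EXPORT", "anon", "MD5")


def ahp_weights(matrix):
    """Criterion weights by the row geometric-mean method; returns (weights, CR)."""
    n = len(matrix)
    gm = [prod(row) ** (1.0 / n) for row in matrix]
    total = sum(gm)
    w = [g / total for g in gm]
    # Approximate the principal eigenvalue as the mean of (A w)_i / w_i.
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lam_max - n) / (n - 1) if n > 1 else 0.0
    ri = RANDOM_INDEX[n]
    cr = ci / ri if ri else 0.0  # CR < 0.1 is the usual acceptance threshold
    return w, cr


def score_criteria(config):
    """Map a TLS configuration to a 0-100 score per criterion (constructed heuristics)."""
    s = {}
    proto = 100.0
    for p in config["protocols"]:
        if p in ("TLSv1.0", "TLSv1.1"):
            proto -= 30
        elif p in ("SSLv2", "SSLv3"):
            proto -= 60
    s["protocols"] = max(proto, 0.0)

    suites = config["cipher_suites"]
    weak = [c for c in suites if any(m in c for m in WEAK_SUITE_MARKERS)]
    cipher = 100.0 * (len(suites) - len(weak)) / len(suites) if suites else 0.0
    # Offering any weak suite caps the score even when most suites are strong.
    s["cipher_suites"] = min(cipher, 60.0) if weak else cipher

    s["ocsp_stapling"] = 100.0 if config["ocsp_stapling"] else 40.0
    return s


def fuzzify(score):
    """Membership of a score in each grade, interpolated linearly between anchors."""
    if score >= ANCHORS[0]:
        return [1.0, 0.0, 0.0, 0.0]
    if score <= ANCHORS[-1]:
        return [0.0, 0.0, 0.0, 1.0]
    mu = [0.0] * len(GRADES)
    for i in range(len(ANCHORS) - 1):
        hi, lo = ANCHORS[i], ANCHORS[i + 1]
        if lo <= score <= hi:
            mu[i] = (score - lo) / (hi - lo)
            mu[i + 1] = 1.0 - mu[i]
            break
    return mu


def evaluate(config):
    """Fuzzy comprehensive evaluation: B = W . R, grade = maximum membership."""
    w, cr = ahp_weights(PAIRWISE)
    scores = score_criteria(config)
    r = [fuzzify(scores[c]) for c in CRITERIA]  # membership matrix R (criteria x grades)
    b = [sum(w[i] * r[i][j] for i in range(len(CRITERIA))) for j in range(len(GRADES))]
    grade = GRADES[max(range(len(GRADES)), key=lambda j: b[j])]
    composite = sum(b[j] * ANCHORS[j] for j in range(len(GRADES)))
    return {"weights": dict(zip(CRITERIA, w)), "consistency_ratio": cr,
            "scores": scores, "membership": dict(zip(GRADES, b)),
            "grade": grade, "composite_score": composite}


# Constructed sample site: TLS 1.0 still enabled, one 3DES suite, no stapling.
SAMPLE_CONFIG = {
    "protocols": ["TLSv1.0", "TLSv1.2", "TLSv1.3"],
    "cipher_suites": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                      "ECDHE-RSA-CHACHA20-POLY1305", "DES-CBC3-SHA"],
    "ocsp_stapling": False,
}

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

With the constructed matrix the weights come out near 0.54, 0.30 and 0.16 with a consistency ratio well under 0.1, and the sample site lands in grade B with about 0.69 membership: the single 3DES suite and the missing stapling pull membership down into C and F rather than being ignored, which is the kind of distinction the abstract says existing graders miss.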
