I’m surprised by the contrast between the best products in each category and the average standard. The few good ones show what is possible, yet the vast majority seem to be sub-standard or outright dangerous. I wouldn’t have been surprised by the odd outlier where someone dropped the ball, but I expected much higher general standards.
If you've read that out of the paper you read a different one. Quote:
"Our grading scale focuses on the security of the TLS
handshake and does not account for the additional HTTPS
validation checks present in many browsers, such as HSTS,
HPKP, OneCRL/CRLSets, certificate transparency validation,
and OCSP must-staple. None of the products we tested
supported these features."
Read: Some products got the absolute basics right. None of the solutions did anything that can reasonably be called "good".
> I expected much higher general standards.
I didn't. I don't expect anything from security appliance vendors.
