HTTPS tools we wish we'd known about earlier
...and that you'll wish you knew about earlier too
July 12, 2021
So you already know tcpdump, the openssl SSL client, the Mozilla SSL Configuration Generator and the SSL Labs test. Here's a couple of new tools, and a couple of different ways to use old tools, that the CertSimple team wish we knew about earlier.
badssl - live examples of improper SSL configurations
This awesome project from Chrome security developer Lucas Garron has live demonstrations of different conditions which would cause browser warnings, including expired certificates, out-of-date hash algorithms, weak key negotiation, incorrect hostnames, and more, each on their own subdomain. The most common ones are at the top of the page too.
It's super handy to demonstrate and replicate common SSL issues, as well as extremely rare ones. We're biased though: we pulled strings at our CA to get one of the custom certificates badssl uses. Go check out badssl and watch your browser light up in new and exciting ways!
scans.io - raw results from massive scale SSL scans
Need to see who's using different validation levels? Who's got improperly configured certificates? Who's using SNI or other tech?
Last time we needed to do a large scale SSL scan we wrote the code ourselves. Since then, we've discovered the scans.io repository of large scale SSL scan results, including handshakes, certificates and all the usual goodies you'd expect. This includes the Alexa top 1 million in JSON.
Your old whois command, once you know the query syntax
The command line whois tool just sends a query to the server. The format of that query depends on the server - which is why the whois docs don't properly tell you what the format is, and why most people deal with junk in their whois results. Thankfully, you can get junk-free results using a more exact query:
whois "domain microsoft.com"
Or set this up permanently in your .bash_profile:
# Look up exactly one domain by sending the "domain <name>" query form.
function quick-whois () {
    command whois "domain ${1}"
}
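What "just sends a query to the server" means on the wire, as an added example that is not from the original post: WHOIS (RFC 3912) is one query line over TCP, answered with free text until the server closes the connection. The stub server, its records and its prefix-match rule are constructed here so the script runs on loopback; `StubWhois`, `whois_raw` and `demo` are hypothetical names, and real servers define their own query syntax.

```python
import socket
import socketserver
import threading

# Constructed records for the stub server; not real registry data.
RECORDS = {
    "example.com": "Domain Name: EXAMPLE.COM",
    "example.com.lookalike.test": "Server Name: EXAMPLE.COM.LOOKALIKE.TEST",
    "example.community.test": "Server Name: EXAMPLE.COMMUNITY.TEST",
}

class StubWhois(socketserver.StreamRequestHandler):
    """Hypothetical server: 'domain X' matches exactly, a bare X matches by prefix."""
    def handle(self):
        query = self.rfile.readline().decode("ascii", "replace").strip().lower()
        keyword, _, name = query.partition(" ")
        if keyword == "domain" and name:
            hits = [v for k, v in RECORDS.items() if k == name]
        else:
            hits = [v for k, v in RECORDS.items() if k.startswith(query)]
        self.wfile.write(("\r\n".join(hits) or "No match").encode("ascii") + b"\r\n")

def whois_raw(host, port, query, timeout=5.0):
    """Send one query line (RFC 3912) and read until the server closes."""
    if "\r" in query or "\n" in query:
        raise ValueError("query must be a single line")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("ascii", "replace").splitlines()

def demo():
    """Send the bare and the 'domain' form of the query to the loopback stub."""
    with socketserver.TCPServer(("127.0.0.1", 0), StubWhois) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        host, port = server.server_address
        try:
            return (whois_raw(host, port, "example.com"),
                    whois_raw(host, port, "domain example.com"))
        finally:
            server.shutdown()

if __name__ == "__main__":
    bare, exact = demo()
    print("bare query  :", bare)
    print("domain query:", exact)
```

Against a real server the same `whois_raw` call would target TCP port 43, the port RFC 3912 assigns to WHOIS.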
OS X native Wireshark
Have a Mac? Inspect packets? There's now a native OS X Wireshark. It's still in Development Release, but if you own a Mac it is still better than the current stable X11 version.
Anything else? Check out the discussion on Hacker News.