Check SSL/TLS services for vulnerabilities and weak ciphers with this online SSL Scan. Makes use of sslyze, OpenSSL libraries and Nmap NSE scripts to determine the certificate details and implementation SSL/TLS service.
Identifying known vulnerabilities and cryptographic weakness with certain SSL/TLS implementations such as SSLv2 and 40 bit ciphers is an important part of the vulnerability assessment process. This hosted service enables a server to be easily tested for known security problems with the configuration, whether you are testing one server or a network.
Detect weak or vulnerable SSL services such as HTTPS
- Discover known cryptographic weakness in TLS/SSL services
- Test SSL/TLS configuration errors that can have serious security implications
- Identify weak ciphers and use of SSLv2
- Get full details of certificates.
- Membership includes access to 27 Vulnerability Scanners and OSINT Tools
- Trusted Open Source Tools
About the Online SSL Scan and Certificate Check
SSL (and TLS) provide encrypted communication layer over the network between a client and a service. The most commonly thought of service is web browsers connecting to a web server with HTTPS, but can also be Email (SMTP / POP) or any other
TCP protocol. A large number of vulnerabilities have been discovered in different implementations of these encrypted protocols. An example is
SSLv2 that has known vulnerabilities and it is recommended that it no longer be used. PCI compliance requires that SSL not actually be used with newer and more secure TLSv1.2 and TLSv1.3 protocols becoming the standard.
As mentioned SSL/TLS can be used for any TCP based service such as
SMTP or even Virtual Private Networks (VPN). For general computer users awareness has increased so they might check for the "padlock" in the browser status bar when browsing secure sites such as Internet banking and email. However, many users will not be stopped by certificate warnings in the browser and will simply click past the warning. For this reason popular browsers such as Firefox and Chrome have made it more difficult to bypass SSL/TLS browser warnings.
The primary benefit of transport layer security is the protection of web application data from unauthorized disclosure and modification when it is transmitted between clients (web browsers) and the web application server, and between the web application server and back end and other non-browser based enterprise components.
OWASP Transport Layer Protection Cheat Sheet
NSE scripts this online SSL scan will test SSL/TLS enabled IP or web address and gather details of the certificate that is being used. You can use the
sslyze option to test any SSL/TLS enabled service on any port. Weak ciphers and known cryptographic vulnerabilities such as the famous Heartbleed are all tested. As are other SSL/TLS attacks from recent years including BEAST, CRIME, BREACH, DROWN, FREAK and POODLE. Recent vulnerability releases have taken vulnerability marketing to the next level with dedicated websites, logo's and press releases.
Common SSL/TLS Vulnerabilities and Attacks
A non-exhaustive list of attacks and flaws within the SSL/TLS protocol.
BEAST | CRIME | TIME | BREACH | Lucky 13 | POODLE | FREAK | Logjam | DROWN | SLOTH | Sweet32 | Bleichenbacher Padding Oracle | HEIST | HEARTBLEED | ROBOT | RC4
BEAST | Browser Exploit Against SSL/TLS
Presented in September 2011 by researchers Juliano Rizzo and Thai Duong. Browser Exploit Against SSL/TLS' aka BEAST. These are the security researchers who then went on to present the 2012 CRIME attack.
The attacker can retrieve small data fragments passing between the server and client which could contain HTTP session cookies, authentication details and other sensitive information.
On its release the recommended mitigation was to use RC4 ciphers. Following this RC4 was shown to have many weaknesses itself resulting in it being a larger security risk than the original BEAST. Most browsers implemented a 1/n-1 split which stops the attacker from predicting IV's.
In 2013 SSL labs changed their rating for BEAST. They now consider the attack sufficiently mitigated client-side.
CRIME | Compression Ratio Info-leak Made Easy
From the same researchers that bought us BEAST. In 2012 came 'Compression Ratio Info-leak Made Easy' aka CRIME. CRIME attacked the secrets held in the HTTP request headers. HTTP headers contain sensitive data such as authentication cookies.
For CRIME to work 3 elements must come together. 1. Compression: it requires Deflate / GZIP compression in particular Lz77 - this is the bit that allows this attack to work. 2. MITM attack. 3. A browser.
SSL and SPDY had an option to compress headers. CRIME issues requests for the secret with every possible character and measures the ciphertext length on each returning result. An important point to remember about SSL is that it does not hide the length of the underlying plain-text.
slideshow by Juliano Rizzo and Thai Duong.
FREAK | Factoring Attack on RSA-EXPORT Keys
Factoring Attack on RSA-EXPORT Keys aka FREAK. A vulnerability that exploited 512 bit RSA-export keys to break TLS. In the 1990s RSA encryption keys were restricted to a maximum of 512 bits.
In 2015 the FREAK researchers realised these 512 bit RSA-export keys were still around and that any web server (Apache, IIS, nginx, etc.) may be vulnerable to a MITM attack if its configuration allows the use of these.
BREACH | Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
Announced in 2013 at Black Hat by Gluck, Harris and Prado. Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext aka Breach is based off of CRIME. This is a compression side-channel based attack requiring MITM.
Breach attacks the secrets held in the HTTP response body. The original CRIME guys mentioned this could be possible (remember CRIME attacks secrets in the http request headers) in their original research.
For BREACH to work it requires the following;
HTTP Compression such as GZIP.
A MITM attack which needs a secret in the response body such as a CSRF token. The CSRF token is used to impersonate victim client to victim server. Note the MITM attack does not downgrade you to a lower cipher suite.
A stable website, one that does not change much between requests, helps but is not essential. With stable pages the attack can take place in under 30 seconds.
Breach works against any cipher suite, any version of TLS/SSL and does not require TLS compression.
HEIST | HTTP Encrypted Information can be Stolen through TCP-windows
In 2016 developers Mathy Vanhoef and Tom Van Goethem demonstrated at Black Hat 'HTTP Encrypted Information can be Stolen through TCP-windows'aka HEIST.
HEIST works with both HTTP/1 and the new HTTP/2 protocols. HTTP/2 actually making it easier due to the increase in speed. It does not break the SSL/TLS encryption - it leaks the data exchanged through a compression attack.
POODLE | Padding Oracle On Downgraded Legacy Encryption
2014 Security researchers Bodo Moller, Thai Duong and Krysztof Kotowicz published 'Padding Oracle On Downgraded Legacy Encryption' aka POODLE.
SSLv3 flaw relating to how padding is handled within the use of CBC mode. The flaw which includes insecure downgrading makes SSLv3 vulnerable to MITM attacks in which an attacker can gain access to authentication details such as passwords and cookies. SSLv3 is an obsolete protocol but it can still be around for legacy reasons.
Mitigation: Disable SSLv3. IETF releases RFC 7568 June 2015 Deprecating SSL V3.0.
DROWN | Decrypting RSA with Obsolete and Weakened eNcryption
In 2016 a group of researchers presented 'Decrypting RSA with Obsolete and Weakened eNcryption' aka DROWN.
A new form of the Bleichenbacher RSA padding oracle attack. Can affect all servers offering TLS but still supporting SSLv2. It allows an MITM attack to decrypt or steal data such as passwords, credit card numbers etc. Traffic between clients and non-vulnerable servers can be decrypted if one supports a vulnerable protocol or shares a private key with a server that allows SSLv2.
During their research the DROWN researchers discovered a vulnerability specific to servers using Openssl versions earlier than March 2015, OpenSSL 1.0.2 or OpenSSL 1.0.1l were especially vulnerable and should be upgraded immediately. OpenSSL User’s Guide to DROWN
Mitigation: Disable SSLv2 and remove support for obsolete protocols and ciphers.
Bleichenbacher Padding Oracle Attack
On original release in 1998 it was known as The Bleichenbacher Million Message Attack.
Padding oracle attack on PKCS#1 v1.5 which was the RSA padding standard used in SSL and TLS. Daniel Bleichenbacher applied his attack against SSL V3.0 protocol recovering encrypted messages from between 300 thousand - 2 million ciphertexts.
Actually quite infeasible to work in the wild due to the hundreds of thousands connections to the victim required. Which is where the DROWN guys were able to make a difference with their research. They were able to execute an attack in a few hours with little more than $400 and a cloud hosting service.
2015 attack against weak Diffie-Hellman Cipher Suites - 512 bit export cipher. The MITM gets between the client and the server. The attacker tells the server to use the weaker DH 512 bit export cipher, and the server responds 'ok, lets do that.' Even though modern browsers do not support export cipher suites, the attacker can trick the browser into using them. The the TLS connection can be then be decrypted.
Mitigation: Disable cipher suits the use the Diffie-Hellman key exchange and deploy ECDHE.
TIME | Timing info-leak made easy
2013 saw the release of 'Timing info-leak made easy' aka TIME by researchers Tal Be'ery and Amichai Shulman.
TIME similar to HEIST works from a browser for any remote attacker - ie not MITM.
Changing the attack to target web responses. This increases the attack surface. The attacker controls the plaintext allowing it to break SSL encryption or Same Origin Policy (SOP)
Mitigation: Disable compression. This completely mitigates all compression attacks but decreases performance. Randomise the secrets, such as a random CSRF token each time.
2013 CBC mode encryption in TLS was able to be enhanced with a BEAST-style attack to allow recovery of HTTP cookies.
Mitigation: At the time of release it was suggested to switching to RC4 - this quickly turned not to be a viable option as RC4 came with its own array of weaknesses. So much so the IETF published RFC 7465 prohibiting the use of RC4 in TLS. If the TLS client only offers RC4 cipher suits the TLS server MUST terminate the handshake.
SLOTH | Security Losses from Obsolete and Truncated Transcript Hashes
2016 by researchers Karthikeyan Bhargavan and Gaetan Leurent released information on 'Security Losses from Obsolete and Truncated Transcript Hashes' SLOTH.
Exploits clients and servers signing with RSA-MD5 signatures - weak hash functions in mainstream protocols. MITM can attack with a Transcript collision attack against TLS 1.2 and other protocols.
MiTLS research | Technical paper (PDF): Transcript Collision Attacks:Breaking Authentication in TLS, IKE, and SSH
sweet32.info | Technical paper (PDF): On the Practical (In-)Security of 64-bit Block Ciphers
In 2014 possibly the biggest Internet vulnerability in recent history was a vulnerability in OpenSSL. More specifically it is an extension to the OpenSSL TLS protocol called 'HeartBeat'. This extension allowed you to keep a TLS session running even though no data had gone through in a while. This is called a HeartBeat request.
This Heartbeat extension allowed attackers to read portions of the target servers memory up to 64kb with no limit to the number of attacks, potentially revealing sensitive data directly from the server memory, leaving no trace.
The attacker can send 1kb of data to the server but say its actually 64kb. The server replies with 64kb of data, including the original 1kb and 63kb of sensitive data from memory.
The attacker can use the metasploit module on kali linux to target a website.
ROBOT | Return of Bleichenbacher oracle Threat attack
2017 bought us 'The Return of Bleichenbacher oracle Threat attack' aka ROBOT.
ROBOT takes advantage of the old vulnerability from 1998 which was used in the 2016 SSL2.0 DROWN attack. ROBOT only affects TLS cipher modes that use RCA encryption. Most recent versions of browsers prioritise ECDHE.
Use of RC4, being a Stream Cipher, was for a short while the only way to mitigate both the BEAST and Lucky 13 attacks.
IETF published RFC 7465 prohibiting the use of RC4 in TLS. If the TLS client only offers RC4 cipher suits the TLS server MUST terminate the handshake.
Sample SSLyze Results
The following output shows the results from the
sslyze tool against the hackertarget.com domain.
As you can see a number of different tests are performed against the service to check for common SSL vulnerabilities.
CHECKING HOST(S) AVAILABILITY ----------------------------- hackertarget.com:443 => 188.8.131.52 SCAN RESULTS FOR HACKERTARGET.COM:443 - 184.108.40.206 ------------------------------------------------------ * SSLV2 Cipher Suites: Server rejected all cipher suites. * TLSV1_1 Cipher Suites: Forward Secrecy OK - Supported RC4 OK - Not Supported Preferred: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK Accepted: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits HTTP 200 OK TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-2048 bits 112 bits HTTP 200 OK TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK * Resumption Support: With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts). With TLS Tickets: OK - Supported * TLSV1_2 Cipher Suites: Forward Secrecy OK - Supported RC4 OK - Not Supported Preferred: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits HTTP 200 OK Accepted: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DH-2048 bits 256 bits HTTP 200 OK TLS_RSA_WITH_AES_256_CBC_SHA256 - 256 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH-256 bits 256 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH-2048 bits 256 bits HTTP 200 OK TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits HTTP 200 OK TLS_RSA_WITH_AES_256_GCM_SHA384 - 256 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits HTTP 200 OK TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DH-2048 bits 128 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK TLS_RSA_WITH_AES_128_CBC_SHA256 - 128 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DH-2048 bits 128 bits HTTP 200 OK TLS_RSA_WITH_AES_128_GCM_SHA256 - 128 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH-256 bits 128 bits HTTP 200 OK TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits HTTP 200 OK * OpenSSL CCS Injection: OK - Not vulnerable to OpenSSL CCS injection * Deflate Compression: OK - Compression disabled * Downgrade Attacks: TLS_FALLBACK_SCSV: OK - Supported * TLSV1 Cipher Suites: Forward Secrecy OK - Supported RC4 OK - Not Supported Preferred: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK Accepted: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits HTTP 200 OK TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-2048 bits 112 bits HTTP 200 OK TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK * Certificate Information: Content SHA1 Fingerprint: 0b18dad279ffe99dcf8014cfb5cafda7aa46a2a7 Common Name: hackertarget.com Issuer: Let's Encrypt Authority X3 Serial Number: 296389391754810880872914134959471387113275 Not Before: 2018-05-02 23:30:44 Not After: 2018-07-31 23:30:44 Signature Algorithm: sha256 Public Key Algorithm: RSA Key Size: 2048 Exponent: 65537 (0x10001) DNS Subject Alternative Names: [u'hackertarget.com', u'www.hackertarget.com'] Trust Hostname Validation: OK - Certificate matches hackertarget.com Android CA Store (8.1.0_r9): OK - Certificate is trusted iOS CA Store (11): OK - Certificate is trusted Java CA Store (jre-10.0.1): OK - Certificate is trusted macOS CA Store (High Sierra): OK - Certificate is trusted Mozilla CA Store (2018-04-12): OK - Certificate is trusted Windows CA Store (2018-06-02): OK - Certificate is trusted Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate Received Chain: hackertarget.com --> Let's Encrypt Authority X3 Verified Chain: hackertarget.com --> Let's Encrypt Authority X3 --> DST Root CA X3 Received Chain Contains Anchor: OK - Anchor certificate not sent Received Chain Order: OK - Order is valid Verified Chain contains SHA1: OK - No SHA1-signed certificate in the verified certificate chain Extensions OCSP Must-Staple: NOT SUPPORTED - Extension not found Certificate Transparency: WARNING - Only 2 SCTs included but Google recommends 3 or more OCSP Stapling OCSP Response Status: successful Validation w/ Mozilla Store: OK - Response is trusted Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 Cert Status: good Cert Serial Number: 036702987A59AEEA903CF885616C8B22773B This Update: Jun 17 00:00:00 2018 GMT Next Update: Jun 24 00:00:00 2018 GMT * TLSV1_3 Cipher Suites: Server rejected all cipher suites. * SSLV3 Cipher Suites: Server rejected all cipher suites. * OpenSSL Heartbleed: OK - Not vulnerable to Heartbleed * ROBOT Attack: OK - Not vulnerable SCAN COMPLETED IN 6.17 S ------------------------