Check SSL/TLS services for vulnerabilities and weak ciphers with this online SSL Scan. Makes use of the excellent sslyze and OpenSSL to gather the certificate details and measure security of the SSL/TLS implementation.

Identifying known vulnerabilities and cryptographic weakness with certain SSL/TLS implementations such as SSLv2 and weak ciphers is an important part of the vulnerability assessment process. This hosted service enables a server to be easily tested for known security problems with the configuration, whether you are testing one server or a network.

lock-check-outline
Launch SSL / TLS Scan

Free SSL / TLS Scan to check the ciphers in use, certificate validity and configuration errors.

Test any SSL/TLS based services (https / smtps / pop3s / ftps) to gain immediate insight into the hosts security posture. With a membership test services in bulk with SSLyze for all known vulnerabilities.

Items Checked in Free Scan
  • Certificate Informaiton
  • Valid & Trusted Cert Check
  • Identify SSL/TLS protocols in use
  • Enumerate Ciphers


Membership Benefits

Tap into the potential for advanced exploitation or vulnerability assessment of web servers and websites with exclusive access.

Cryptographic weakness

Discover known cryptographic weakness in TLS/SSL services

Certificate details

Analyze SSL/TLS and Retrieve Certificate Info.

SSL / TLS vulnerabilities

Identify known SSL / TLS vulnerabilities.

OSINT

Access to 27 Vulnerability Scanners and OSINT Tools

Configuration errors

Test for SSL/TLS configuration errors

Open Source Tools

Trusted Open Source Tools

About the Online SSL Scan and Certificate Check

SSL (and TLS) provide an encrypted communication layer over the network between a client and a service. The most commonly thought of service is web browsers connecting to a web server with HTTPS, but can also be Email (SMTP / POP) or any other TCP protocol. A large number of vulnerabilities have been discovered in different implementations of these encrypted protocols. An example is SSLv2 that has known vulnerabilities and it should not be used. PCI compliance requires that SSLv2 (and SSLv3) not be used with newer and more secure TLSv1.2 and TLSv1.3 protocols now the standard.

As mentioned, SSL/TLS can be used for any TCP based service such as FTP, NNTP, SMTP or even Virtual Private Networks (VPN). For general computer users awareness has increased so they might check for the "padlock" in the browser status bar when browsing secure sites such as Internet banking and email. However, many users will not be stopped by certificate warnings in the browser and will simply click past the warning. For this reason popular browsers such as Firefox and Chrome have made it more difficult to bypass SSL/TLS browser warnings.

"The primary benefit of transport layer security is the protection of web application data from unauthorized disclosure and modification when it is transmitted between clients (web browsers) and the web application server, and between the web application server and back end and other non-browser based enterprise components."
- OWASP Transport Layer Protection Cheat Sheet

Using the open source tool sslyze, this online SSL scan will test SSL/TLS enabled IP or web address and gather details of the certificate that is being used. You can use the sslyze option to test any SSL/TLS enabled service on any port. Weak ciphers and known cryptographic vulnerabilities such as the famous Heartbleed are all tested. As are other SSL/TLS attacks from recent years including BEAST, CRIME, BREACH, DROWN, FREAK and POODLE. Recent vulnerability releases have taken vulnerability marketing to the next level with dedicated websites, logo's and press releases.

Other TLS/SSL testing tools include:

Nmap NSE scripts (ssl-enum-cipers, ssl-cert)

TestSSL.sh is a free tool that uses only bash and the install SSL/TLS libraries (testssl.sh) OpenVAS (GVM) comes with a full set of vulnerability tests for SSL/TLS (OpenVAS)

Common SSL/TLS Vulnerabilities and Attacks

A non-exhaustive list of attacks and flaws within the SSL/TLS protocol.

BEAST | CRIME | TIME | BREACH | Lucky 13 | POODLE | FREAK | Logjam | DROWN | SLOTH | Sweet32 | Bleichenbacher Padding Oracle | HEIST | HEARTBLEED | ROBOT | RC4

BEAST  |  Browser Exploit Against SSL/TLS

Presented in September 2011 by researchers Juliano Rizzo and Thai Duong. Browser Exploit Against SSL/TLS' aka BEAST. These are the security researchers who then went on to present the 2012 CRIME attack.

Using a MITM attack which includes a JavaScript or applet injecton into the same origin of the website, the attacker leverages IV = Initialization Vector weaknesses in CBC (cipher block chaining) in older versions of TLS/SSL - these being TLS v1.0, SSL v3.0 and lower.

The attacker can retrieve small data fragments passing between the server and client which could contain HTTP session cookies, authentication details and other sensitive information.

On its release the recommended mitigation was to use RC4 ciphers. Following this RC4 was shown to have many weaknesses itself resulting in it being a larger security risk than the original BEAST. Most browsers implemented a 1/n-1 split which stops the attacker from predicting IV's.

In 2013 SSL labs changed their rating for BEAST. They now consider the attack sufficiently mitigated client-side.

Paper presented by Duong and Rizzo - Here come the Ninjas

CRIME  |  Compression Ratio Info-leak Made Easy

From the same researchers that bought us BEAST. In 2012 came 'Compression Ratio Info-leak Made Easy' aka CRIME. CRIME attacked the secrets held in the HTTP request headers. HTTP headers contain sensitive data such as authentication cookies.

For CRIME to work 3 elements must come together. 1. Compression: it requires Deflate / GZIP compression in particular Lz77 - this is the bit that allows this attack to work. 2. MITM attack. 3. A browser.

SSL and SPDY had an option to compress headers. CRIME issues requests for the secret with every possible character and measures the ciphertext length on each returning result. An important point to remember about SSL is that it does not hide the length of the underlying plain-text.

Mitigation: Turn off TLS/SSL compression. (Side-note: SPDY was deprecated in 2015 and has been replaced with HTTP/2)

slideshow by Juliano Rizzo and Thai Duong.

FREAK  |  Factoring Attack on RSA-EXPORT Keys

Factoring Attack on RSA-EXPORT Keys aka FREAK. A vulnerability that exploited 512 bit RSA-export keys to break TLS. In the 1990s RSA encryption keys were restricted to a maximum of 512 bits.

In 2015 the FREAK researchers realised these 512 bit RSA-export keys were still around and that any web server (Apache, IIS, nginx, etc.) may be vulnerable to a MITM attack if its configuration allows the use of these.

BREACH  |  Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext

Announced in 2013 at Black Hat by Gluck, Harris and Prado. Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext aka Breach is based off of CRIME. This is a compression side-channel based attack requiring MITM.

Breach attacks the secrets held in the HTTP response body. The original CRIME guys mentioned this could be possible (remember CRIME attacks secrets in the http request headers) in their original research.

For BREACH to work it requires the following;

  • HTTP Compression such as GZIP.
  • A MITM attack which needs a secret in the response body such as a CSRF token. The CSRF token is used to impersonate victim client to victim server. Note the MITM attack does not downgrade you to a lower cipher suite.
  • A stable website, one that does not change much between requests, helps but is not essential. With stable pages the attack can take place in under 30 seconds.

Breach works against any cipher suite, any version of TLS/SSL and does not require TLS compression.

Mitigations from Angelo Prado, Neal Harris and Yoel Gluck breachattack.com

Black Hat 2013 POC SSL gone in 30 seconds. A BREACH beyond CRIME

HEIST | HTTP Encrypted Information can be Stolen through TCP-windows

In 2016 developers Mathy Vanhoef and Tom Van Goethem demonstrated at Black Hat 'HTTP Encrypted Information can be Stolen through TCP-windows'aka HEIST.

HEIST works by exploiting the way HTTPS responses are delivered over TCP and does not require a MITM attack. All is takes is a JavaScript file hidden in a web advert or hosted directly on a webpage that measures the exact size of the encrypted files that are being transmitted to users' browsers. Using this technique BREACH and CRIME can be performed directly in the browser with no network access.

HEIST works with both HTTP/1 and the new HTTP/2 protocols. HTTP/2 actually making it easier due to the increase in speed. It does not break the SSL/TLS encryption - it leaks the data exchanged through a compression attack.

Black Hat Briefing, slideshow and presentation.

POODLE | Padding Oracle On Downgraded Legacy Encryption

2014 Security researchers Bodo Moller, Thai Duong and Krysztof Kotowicz published 'Padding Oracle On Downgraded Legacy Encryption' aka POODLE.

SSLv3 flaw relating to how padding is handled within the use of CBC mode. The flaw which includes insecure downgrading makes SSLv3 vulnerable to MITM attacks in which an attacker can gain access to authentication details such as passwords and cookies. SSLv3 is an obsolete protocol but it can still be around for legacy reasons.

Mitigation: Disable SSLv3. IETF releases RFC 7568 June 2015 Deprecating SSL V3.0.

POODLE white paper (PDF): This Poodle bites  |  Stackexchange: SSL3 “POODLE” Vulnerability

DROWN  |  Decrypting RSA with Obsolete and Weakened eNcryption

In 2016 a group of researchers presented 'Decrypting RSA with Obsolete and Weakened eNcryption' aka DROWN.

A new form of the Bleichenbacher RSA padding oracle attack. Can affect all servers offering TLS but still supporting SSLv2. It allows an MITM attack to decrypt or steal data such as passwords, credit card numbers etc. Traffic between clients and non-vulnerable servers can be decrypted if one supports a vulnerable protocol or shares a private key with a server that allows SSLv2.

During their research the DROWN researchers discovered a vulnerability specific to servers using Openssl versions earlier than March 2015, OpenSSL 1.0.2 or OpenSSL 1.0.1l were especially vulnerable and should be upgraded immediately. OpenSSL User’s Guide to DROWN

Mitigation: Disable SSLv2 and remove support for obsolete protocols and ciphers.

Drownattack.com

Bleichenbacher Padding Oracle Attack

On original release in 1998 it was known as The Bleichenbacher Million Message Attack.

Padding oracle attack on PKCS#1 v1.5 which was the RSA padding standard used in SSL and TLS. Daniel Bleichenbacher applied his attack against SSL V3.0 protocol recovering encrypted messages from between 300 thousand - 2 million ciphertexts.

Actually quite infeasible to work in the wild due to the hundreds of thousands connections to the victim required. Which is where the DROWN guys were able to make a difference with their research. They were able to execute an attack in a few hours with little more than $400 and a cloud hosting service.

LOGJAM

2015 attack against weak Diffie-Hellman Cipher Suites - 512 bit export cipher. The MITM gets between the client and the server. The attacker tells the server to use the weaker DH 512 bit export cipher, and the server responds 'ok, lets do that.' Even though modern browsers do not support export cipher suites, the attacker can trick the browser into using them. The the TLS connection can be then be decrypted.

Mitigation: Disable cipher suits the use the Diffie-Hellman key exchange and deploy ECDHE.

Weak Diffie-Hellman and the Logjam Attack  |  Technical details logjam mitls

TIME  |  Timing info-leak made easy

2013 CBC mode encryption in TLS was able to be enhanced with a BEAST-style attack to allow recovery of HTTP cookies.

Mitigation: At the time of release it was suggested to switching to RC4 - this quickly turned not to be a viable option as RC4 came with its own array of weaknesses. So much so the IETF published RFC 7465 prohibiting the use of RC4 in TLS. If the TLS client only offers RC4 cipher suits the TLS server MUST terminate the handshake.

"Lucky thirteen: breaking the TLS and DTLS record protocols"

SLOTH  |  Security Losses from Obsolete and Truncated Transcript Hashes

2016 by researchers Karthikeyan Bhargavan and Gaetan Leurent released information on 'Security Losses from Obsolete and Truncated Transcript Hashes' SLOTH.

Exploits clients and servers signing with RSA-MD5 signatures - weak hash functions in mainstream protocols. MITM can attack with a Transcript collision attack against TLS 1.2 and other protocols.

MiTLS research  |  Technical paper (PDF): Transcript Collision Attacks:Breaking Authentication in TLS, IKE, and SSH

Sweet 32

In 2016 Security Researchers Karthikeyan Bhargavan and Gaetan Leurent demonstrated a MITM birthday attack against block ciphers that use 64-bit encryption blocks such as 3DES and Blowfish. They were able to recover secure HTTP cookies using javascript to generate traffic.

sweet32.info  |  Technical paper (PDF): On the Practical (In-)Security of 64-bit Block Ciphers

HeartBleed

In 2014 possibly the biggest Internet vulnerability in recent history was a vulnerability in OpenSSL. More specifically it is an extension to the OpenSSL TLS protocol called 'HeartBeat'. This extension allowed you to keep a TLS session running even though no data had gone through in a while. This is called a HeartBeat request.

This Heartbeat extension allowed attackers to read portions of the target servers memory up to 64kb with no limit to the number of attacks, potentially revealing sensitive data directly from the server memory, leaving no trace.

The attacker can send 1kb of data to the server but say its actually 64kb. The server replies with 64kb of data, including the original 1kb and 63kb of sensitive data from memory.

The attacker can use the metasploit module on kali linux to target a website.

Heartbleed.com

ROBOT  |  Return of Bleichenbacher oracle Threat attack

2017 bought us 'The Return of Bleichenbacher oracle Threat attack' aka ROBOT.

ROBOT takes advantage of the old vulnerability from 1998 which was used in the 2016 SSL2.0 DROWN attack. ROBOT only affects TLS cipher modes that use RCA encryption. Most recent versions of browsers prioritise ECDHE.

Robotattack.org

RC4

Use of RC4, being a Stream Cipher, was for a short while the only way to mitigate both the BEAST and Lucky 13 attacks.

IETF published RFC 7465 prohibiting the use of RC4 in TLS. If the TLS client only offers RC4 cipher suits the TLS server MUST terminate the handshake.

Sample SSLyze Results

The following output shows the results from the sslyze tool against the hackertarget.com domain.

As you can see a number of different tests are performed against the service to check for common SSL vulnerabilities.

CHECKING HOST(S) AVAILABILITY
 -----------------------------

   hackertarget.com:443                       => 35.186.165.146 




 SCAN RESULTS FOR HACKERTARGET.COM:443 - 35.186.165.146
 ------------------------------------------------------

 * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

 * TLSV1_1 Cipher Suites:
       Forward Secrecy                    OK - Supported
       RC4                                OK - Not Supported

     Preferred:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      HTTP 200 OK                                                 
     Accepted:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  DH-2048 bits   256 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  DH-2048 bits   128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  112 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

 * Resumption Support:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Tickets:                  OK - Supported

 * TLSV1_2 Cipher Suites:
       Forward Secrecy                    OK - Supported
       RC4                                OK - Not Supported

     Preferred:
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             ECDH-256 bits  256 bits      HTTP 200 OK                                                 
     Accepted:
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256               DH-2048 bits   256 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_256_CBC_SHA256                   -              256 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384             ECDH-256 bits  256 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  DH-2048 bits   256 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             ECDH-256 bits  256 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               DH-2048 bits   256 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_256_GCM_SHA384                   -              256 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             ECDH-256 bits  128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256               DH-2048 bits   128 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  DH-2048 bits   128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_128_CBC_SHA256                   -              128 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256               DH-2048 bits   128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_128_GCM_SHA256                   -              128 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256             ECDH-256 bits  128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 -              112 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  112 bits      HTTP 200 OK                                                 

 * OpenSSL CCS Injection:
                                          OK - Not vulnerable to OpenSSL CCS injection

 * Deflate Compression:
                                          OK - Compression disabled

 * Downgrade Attacks:
       TLS_FALLBACK_SCSV:                 OK - Supported

 * TLSV1 Cipher Suites:
       Forward Secrecy                    OK - Supported
       RC4                                OK - Not Supported

     Preferred:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      HTTP 200 OK                                                 
     Accepted:
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  DH-2048 bits   256 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  DH-2048 bits   128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits      HTTP 200 OK                                                 
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  112 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

 * Certificate Information:
     Content
       SHA1 Fingerprint:                  0b18dad279ffe99dcf8014cfb5cafda7aa46a2a7
       Common Name:                       hackertarget.com
       Issuer:                            Let's Encrypt Authority X3
       Serial Number:                     296389391754810880872914134959471387113275
       Not Before:                        2018-05-02 23:30:44
       Not After:                         2018-07-31 23:30:44
       Signature Algorithm:               sha256
       Public Key Algorithm:              RSA
       Key Size:                          2048
       Exponent:                          65537 (0x10001)
       DNS Subject Alternative Names:     [u'hackertarget.com', u'www.hackertarget.com']

     Trust
       Hostname Validation:               OK - Certificate matches hackertarget.com
       Android CA Store (8.1.0_r9):       OK - Certificate is trusted
       iOS CA Store (11):                 OK - Certificate is trusted
       Java CA Store (jre-10.0.1):        OK - Certificate is trusted
       macOS CA Store (High Sierra):      OK - Certificate is trusted
       Mozilla CA Store (2018-04-12):     OK - Certificate is trusted
       Windows CA Store (2018-06-02):     OK - Certificate is trusted
       Symantec 2018 Deprecation:         OK - Not a Symantec-issued certificate
       Received Chain:                    hackertarget.com --> Let's Encrypt Authority X3
       Verified Chain:                    hackertarget.com --> Let's Encrypt Authority X3 --> DST Root CA X3
       Received Chain Contains Anchor:    OK - Anchor certificate not sent
       Received Chain Order:              OK - Order is valid
       Verified Chain contains SHA1:      OK - No SHA1-signed certificate in the verified certificate chain

     Extensions
       OCSP Must-Staple:                  NOT SUPPORTED - Extension not found
       Certificate Transparency:          WARNING - Only 2 SCTs included but Google recommends 3 or more

     OCSP Stapling
       OCSP Response Status:              successful
       Validation w/ Mozilla Store:       OK - Response is trusted
       Responder Id:                      C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
       Cert Status:                       good
       Cert Serial Number:                036702987A59AEEA903CF885616C8B22773B
       This Update:                       Jun 17 00:00:00 2018 GMT
       Next Update:                       Jun 24 00:00:00 2018 GMT

 * TLSV1_3 Cipher Suites:
      Server rejected all cipher suites.

 * SSLV3 Cipher Suites:
      Server rejected all cipher suites.

 * OpenSSL Heartbleed:
                                          OK - Not vulnerable to Heartbleed

 * ROBOT Attack:
                                          OK - Not vulnerable


 SCAN COMPLETED IN 6.17 S
 ------------------------