Check SSL/TLS services for vulnerabilities and weak ciphers with this online SSL Scan. Makes use of the excellent sslyze and OpenSSL to gather the certificate details and measure security of the SSL/TLS implementation.
Identifying known vulnerabilities and cryptographic weakness with certain SSL/TLS implementations such as SSLv2 and weak ciphers is an important part of the vulnerability assessment process. This hosted service enables a server to be easily tested for known security problems with the configuration, whether you are testing one server or a network.
Free SSL / TLS Scan to check the ciphers in use, certificate validity and configuration errors.
Test any SSL/TLS based services (https
/ smtps
/ pop3s
/ ftps
) to gain immediate insight into the hosts security posture. With a membership test services in bulk with SSLyze for all known vulnerabilities.
- Certificate Informaiton
- Valid & Trusted Cert Check
- Identify SSL/TLS protocols in use
- Enumerate Ciphers
Membership Benefits
Tap into the potential for advanced exploitation or vulnerability assessment of web servers and websites with exclusive access.
Cryptographic weakness
Discover known cryptographic weakness in TLS/SSL services
Certificate details
Analyze SSL/TLS and Retrieve Certificate Info.
SSL / TLS vulnerabilities
Identify known SSL / TLS vulnerabilities.
OSINT
Access to 27 Vulnerability Scanners and OSINT Tools
Configuration errors
Test for SSL/TLS configuration errors
Open Source Tools
Trusted Open Source Tools
About the Online SSL Scan and Certificate Check
SSL (and TLS) provide an encrypted communication layer over the network between a client and a service. The most commonly thought of service is web browsers connecting to a web server with HTTPS, but can also be Email (SMTP
/ POP
) or any other TCP
protocol. A large number of vulnerabilities have been discovered in different implementations of these encrypted protocols. An example is SSLv2
that has known vulnerabilities and it should not be used. PCI compliance requires that SSLv2 (and SSLv3) not be used with newer and more secure TLSv1.2 and TLSv1.3 protocols now the standard.
As mentioned, SSL/TLS can be used for any TCP
based service such as FTP
, NNTP
, SMTP
or even Virtual Private Networks (VPN). For general computer users awareness has increased so they might check for the "padlock" in the browser status bar when browsing secure sites such as Internet banking and email. However, many users will not be stopped by certificate warnings in the browser and will simply click past the warning. For this reason popular browsers such as Firefox and Chrome have made it more difficult to bypass SSL/TLS browser warnings.
"The primary benefit of transport layer security is the protection of web application data from unauthorized disclosure and modification when it is transmitted between clients (web browsers) and the web application server, and between the web application server and back end and other non-browser based enterprise components."
- OWASP Transport Layer Protection Cheat Sheet
Using the open source tool sslyze
, this online SSL scan will test SSL/TLS enabled IP or web address and gather details of the certificate that is being used. You can use the sslyze
option to test any SSL/TLS enabled service on any port. Weak ciphers and known cryptographic vulnerabilities such as the famous Heartbleed are all tested. As are other SSL/TLS attacks from recent years including BEAST, CRIME, BREACH, DROWN, FREAK and POODLE. Recent vulnerability releases have taken vulnerability marketing to the next level with dedicated websites, logo's and press releases.
Other TLS/SSL testing tools include:
Nmap NSE scripts (ssl-enum-cipers, ssl-cert)
TestSSL.sh is a free tool that uses only bash
and the install SSL/TLS libraries (testssl.sh)
OpenVAS (GVM) comes with a full set of vulnerability tests for SSL/TLS (OpenVAS)
Common SSL/TLS Vulnerabilities and Attacks
A non-exhaustive list of attacks and flaws within the SSL/TLS protocol.
BEAST | CRIME | TIME | BREACH | Lucky 13 | POODLE | FREAK | Logjam | DROWN | SLOTH | Sweet32 | Bleichenbacher Padding Oracle | HEIST | HEARTBLEED | ROBOT | RC4
BEAST | Browser Exploit Against SSL/TLS
Presented in September 2011 by researchers Juliano Rizzo and Thai Duong. Browser Exploit Against SSL/TLS' aka BEAST. These are the security researchers who then went on to present the 2012 CRIME attack.
Using a MITM attack which includes a JavaScript or applet injecton into the same origin of the website, the attacker leverages IV = Initialization Vector weaknesses in CBC (cipher block chaining) in older versions of TLS/SSL - these being TLS v1.0, SSL v3.0 and lower.
The attacker can retrieve small data fragments passing between the server and client which could contain HTTP session cookies, authentication details and other sensitive information.
On its release the recommended mitigation was to use RC4 ciphers. Following this RC4 was shown to have many weaknesses itself resulting in it being a larger security risk than the original BEAST. Most browsers implemented a 1/n-1 split which stops the attacker from predicting IV's.
In 2013 SSL labs changed their rating for BEAST. They now consider the attack sufficiently mitigated client-side.
Paper presented by Duong and Rizzo - Here come the Ninjas
CRIME | Compression Ratio Info-leak Made Easy
From the same researchers that bought us BEAST. In 2012 came 'Compression Ratio Info-leak Made Easy' aka CRIME. CRIME attacked the secrets held in the HTTP request headers. HTTP headers contain sensitive data such as authentication cookies.
For CRIME to work 3 elements must come together. 1. Compression: it requires Deflate / GZIP compression in particular Lz77 - this is the bit that allows this attack to work. 2. MITM attack. 3. A browser.
SSL and SPDY had an option to compress headers. CRIME issues requests for the secret with every possible character and measures the ciphertext length on each returning result. An important point to remember about SSL is that it does not hide the length of the underlying plain-text.
Mitigation: Turn off TLS/SSL compression. (Side-note: SPDY was deprecated in 2015 and has been replaced with HTTP/2)
slideshow by Juliano Rizzo and Thai Duong.
FREAK | Factoring Attack on RSA-EXPORT Keys
Factoring Attack on RSA-EXPORT Keys aka FREAK. A vulnerability that exploited 512 bit RSA-export keys to break TLS. In the 1990s RSA encryption keys were restricted to a maximum of 512 bits.
In 2015 the FREAK researchers realised these 512 bit RSA-export keys were still around and that any web server (Apache, IIS, nginx, etc.) may be vulnerable to a MITM attack if its configuration allows the use of these.
BREACH | Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
Announced in 2013 at Black Hat by Gluck, Harris and Prado. Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext aka Breach is based off of CRIME. This is a compression side-channel based attack requiring MITM.
Breach attacks the secrets held in the HTTP response body. The original CRIME guys mentioned this could be possible (remember CRIME attacks secrets in the http request headers) in their original research.
For BREACH to work it requires the following;
- HTTP Compression such as GZIP.
- A MITM attack which needs a secret in the response body such as a CSRF token. The CSRF token is used to impersonate victim client to victim server. Note the MITM attack does not downgrade you to a lower cipher suite.
- A stable website, one that does not change much between requests, helps but is not essential. With stable pages the attack can take place in under 30 seconds.
Breach works against any cipher suite, any version of TLS/SSL and does not require TLS compression.
Mitigations from Angelo Prado, Neal Harris and Yoel Gluck breachattack.com
Black Hat 2013 POC SSL gone in 30 seconds. A BREACH beyond CRIME
HEIST | HTTP Encrypted Information can be Stolen through TCP-windows
In 2016 developers Mathy Vanhoef and Tom Van Goethem demonstrated at Black Hat 'HTTP Encrypted Information can be Stolen through TCP-windows'aka HEIST.
HEIST works by exploiting the way HTTPS responses are delivered over TCP and does not require a MITM attack. All is takes is a JavaScript file hidden in a web advert or hosted directly on a webpage that measures the exact size of the encrypted files that are being transmitted to users' browsers. Using this technique BREACH and CRIME can be performed directly in the browser with no network access.
HEIST works with both HTTP/1 and the new HTTP/2 protocols. HTTP/2 actually making it easier due to the increase in speed. It does not break the SSL/TLS encryption - it leaks the data exchanged through a compression attack.
Black Hat Briefing, slideshow and presentation.
POODLE | Padding Oracle On Downgraded Legacy Encryption
2014 Security researchers Bodo Moller, Thai Duong and Krysztof Kotowicz published 'Padding Oracle On Downgraded Legacy Encryption' aka POODLE.
SSLv3 flaw relating to how padding is handled within the use of CBC mode. The flaw which includes insecure downgrading makes SSLv3 vulnerable to MITM attacks in which an attacker can gain access to authentication details such as passwords and cookies. SSLv3 is an obsolete protocol but it can still be around for legacy reasons.
Mitigation: Disable SSLv3. IETF releases RFC 7568 June 2015 Deprecating SSL V3.0.
This Poodle bites | Stackexchange: SSL3 “POODLE” Vulnerability
POODLE white paper (PDF):DROWN | Decrypting RSA with Obsolete and Weakened eNcryption
In 2016 a group of researchers presented 'Decrypting RSA with Obsolete and Weakened eNcryption' aka DROWN.
A new form of the Bleichenbacher RSA padding oracle attack. Can affect all servers offering TLS but still supporting SSLv2. It allows an MITM attack to decrypt or steal data such as passwords, credit card numbers etc. Traffic between clients and non-vulnerable servers can be decrypted if one supports a vulnerable protocol or shares a private key with a server that allows SSLv2.
During their research the DROWN researchers discovered a vulnerability specific to servers using Openssl versions earlier than March 2015, OpenSSL 1.0.2 or OpenSSL 1.0.1l were especially vulnerable and should be upgraded immediately. OpenSSL User’s Guide to DROWN
Mitigation: Disable SSLv2 and remove support for obsolete protocols and ciphers.
Bleichenbacher Padding Oracle Attack
On original release in 1998 it was known as The Bleichenbacher Million Message Attack.
Padding oracle attack on PKCS#1 v1.5 which was the RSA padding standard used in SSL and TLS. Daniel Bleichenbacher applied his attack against SSL V3.0 protocol recovering encrypted messages from between 300 thousand - 2 million ciphertexts.
Actually quite infeasible to work in the wild due to the hundreds of thousands connections to the victim required. Which is where the DROWN guys were able to make a difference with their research. They were able to execute an attack in a few hours with little more than $400 and a cloud hosting service.
LOGJAM
2015 attack against weak Diffie-Hellman Cipher Suites - 512 bit export cipher. The MITM gets between the client and the server. The attacker tells the server to use the weaker DH 512 bit export cipher, and the server responds 'ok, lets do that.' Even though modern browsers do not support export cipher suites, the attacker can trick the browser into using them. The the TLS connection can be then be decrypted.
Mitigation: Disable cipher suits the use the Diffie-Hellman key exchange and deploy ECDHE.
Weak Diffie-Hellman and the Logjam Attack | Technical details logjam mitls
TIME | Timing info-leak made easy
2013 CBC mode encryption in TLS was able to be enhanced with a BEAST-style attack to allow recovery of HTTP cookies.
Mitigation: At the time of release it was suggested to switching to RC4 - this quickly turned not to be a viable option as RC4 came with its own array of weaknesses. So much so the IETF published RFC 7465 prohibiting the use of RC4 in TLS. If the TLS client only offers RC4 cipher suits the TLS server MUST terminate the handshake.
"Lucky thirteen: breaking the TLS and DTLS record protocols"
SLOTH | Security Losses from Obsolete and Truncated Transcript Hashes
2016 by researchers Karthikeyan Bhargavan and Gaetan Leurent released information on 'Security Losses from Obsolete and Truncated Transcript Hashes' SLOTH.
Exploits clients and servers signing with RSA-MD5 signatures - weak hash functions in mainstream protocols. MITM can attack with a Transcript collision attack against TLS 1.2 and other protocols.
MiTLS research | Technical paper (PDF): Transcript Collision Attacks:Breaking Authentication in TLS, IKE, and SSH
Sweet 32
In 2016 Security Researchers Karthikeyan Bhargavan and Gaetan Leurent demonstrated a MITM birthday attack against block ciphers that use 64-bit encryption blocks such as 3DES and Blowfish. They were able to recover secure HTTP cookies using javascript to generate traffic.
sweet32.info | Technical paper (PDF): On the Practical (In-)Security of 64-bit Block Ciphers
HeartBleed
In 2014 possibly the biggest Internet vulnerability in recent history was a vulnerability in OpenSSL. More specifically it is an extension to the OpenSSL TLS protocol called 'HeartBeat'. This extension allowed you to keep a TLS session running even though no data had gone through in a while. This is called a HeartBeat request.
This Heartbeat extension allowed attackers to read portions of the target servers memory up to 64kb with no limit to the number of attacks, potentially revealing sensitive data directly from the server memory, leaving no trace.
The attacker can send 1kb of data to the server but say its actually 64kb. The server replies with 64kb of data, including the original 1kb and 63kb of sensitive data from memory.
The attacker can use the metasploit module on kali linux to target a website.
ROBOT | Return of Bleichenbacher oracle Threat attack
2017 bought us 'The Return of Bleichenbacher oracle Threat attack' aka ROBOT.
ROBOT takes advantage of the old vulnerability from 1998 which was used in the 2016 SSL2.0 DROWN attack. ROBOT only affects TLS cipher modes that use RCA encryption. Most recent versions of browsers prioritise ECDHE.
RC4
Use of RC4, being a Stream Cipher, was for a short while the only way to mitigate both the BEAST and Lucky 13 attacks.
IETF published RFC 7465 prohibiting the use of RC4 in TLS. If the TLS client only offers RC4 cipher suits the TLS server MUST terminate the handshake.
Sample SSLyze Results
The following output shows the results from the sslyze
tool against the hackertarget.com domain.
As you can see a number of different tests are performed against the service to check for common SSL vulnerabilities.
CHECKING HOST(S) AVAILABILITY ----------------------------- hackertarget.com:443 => 35.186.165.146 SCAN RESULTS FOR HACKERTARGET.COM:443 - 35.186.165.146 ------------------------------------------------------ * SSLV2 Cipher Suites: Server rejected all cipher suites. * TLSV1_1 Cipher Suites: Forward Secrecy OK - Supported RC4 OK - Not Supported Preferred: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK Accepted: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits HTTP 200 OK TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-2048 bits 112 bits HTTP 200 OK TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK * Resumption Support: With Session IDs: OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts). With TLS Tickets: OK - Supported * TLSV1_2 Cipher Suites: Forward Secrecy OK - Supported RC4 OK - Not Supported Preferred: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits HTTP 200 OK Accepted: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DH-2048 bits 256 bits HTTP 200 OK TLS_RSA_WITH_AES_256_CBC_SHA256 - 256 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH-256 bits 256 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH-2048 bits 256 bits HTTP 200 OK TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits HTTP 200 OK TLS_RSA_WITH_AES_256_GCM_SHA384 - 256 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits HTTP 200 OK TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DH-2048 bits 128 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK TLS_RSA_WITH_AES_128_CBC_SHA256 - 128 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DH-2048 bits 128 bits HTTP 200 OK TLS_RSA_WITH_AES_128_GCM_SHA256 - 128 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH-256 bits 128 bits HTTP 200 OK TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits HTTP 200 OK * OpenSSL CCS Injection: OK - Not vulnerable to OpenSSL CCS injection * Deflate Compression: OK - Compression disabled * Downgrade Attacks: TLS_FALLBACK_SCSV: OK - Supported * TLSV1 Cipher Suites: Forward Secrecy OK - Supported RC4 OK - Not Supported Preferred: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK Accepted: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-2048 bits 256 bits HTTP 200 OK TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits HTTP 200 OK TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-2048 bits 128 bits HTTP 200 OK TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits HTTP 200 OK TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits HTTP 200 OK TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-2048 bits 112 bits HTTP 200 OK TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits HTTP 200 OK * Certificate Information: Content SHA1 Fingerprint: 0b18dad279ffe99dcf8014cfb5cafda7aa46a2a7 Common Name: hackertarget.com Issuer: Let's Encrypt Authority X3 Serial Number: 296389391754810880872914134959471387113275 Not Before: 2018-05-02 23:30:44 Not After: 2018-07-31 23:30:44 Signature Algorithm: sha256 Public Key Algorithm: RSA Key Size: 2048 Exponent: 65537 (0x10001) DNS Subject Alternative Names: [u'hackertarget.com', u'www.hackertarget.com'] Trust Hostname Validation: OK - Certificate matches hackertarget.com Android CA Store (8.1.0_r9): OK - Certificate is trusted iOS CA Store (11): OK - Certificate is trusted Java CA Store (jre-10.0.1): OK - Certificate is trusted macOS CA Store (High Sierra): OK - Certificate is trusted Mozilla CA Store (2018-04-12): OK - Certificate is trusted Windows CA Store (2018-06-02): OK - Certificate is trusted Symantec 2018 Deprecation: OK - Not a Symantec-issued certificate Received Chain: hackertarget.com --> Let's Encrypt Authority X3 Verified Chain: hackertarget.com --> Let's Encrypt Authority X3 --> DST Root CA X3 Received Chain Contains Anchor: OK - Anchor certificate not sent Received Chain Order: OK - Order is valid Verified Chain contains SHA1: OK - No SHA1-signed certificate in the verified certificate chain Extensions OCSP Must-Staple: NOT SUPPORTED - Extension not found Certificate Transparency: WARNING - Only 2 SCTs included but Google recommends 3 or more OCSP Stapling OCSP Response Status: successful Validation w/ Mozilla Store: OK - Response is trusted Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 Cert Status: good Cert Serial Number: 036702987A59AEEA903CF885616C8B22773B This Update: Jun 17 00:00:00 2018 GMT Next Update: Jun 24 00:00:00 2018 GMT * TLSV1_3 Cipher Suites: Server rejected all cipher suites. * SSLV3 Cipher Suites: Server rejected all cipher suites. * OpenSSL Heartbleed: OK - Not vulnerable to Heartbleed * ROBOT Attack: OK - Not vulnerable SCAN COMPLETED IN 6.17 S ------------------------