SSL/TLS security testing
Did you ever think why some websites use http:// and some use https:// in the URL address?
For example, why do websites like Amazon and Facebook have the addresses https://www.amazon.in/ and https://www.facebook.com instead of http://www.amazon.in and http://www.facebook.com?
How does a single ‘s’ make the difference? If you are a security researcher, you must already know the difference between HTTP and HTTPS. But why is it necessary, and how does it help the users of a web application carry out transactions and other communications securely? We will look at all of that in this blog post.
Let’s solve this mystery
HTTP stands for HyperText Transfer Protocol whereas HTTPS stands for HyperText Transfer Protocol Secure. The ‘s’ stands for the secured part. Now how do we get HTTPS from HTTP?
Here is a simple equation:
HTTP + SSL = HTTPS
Cool, a new term SSL? Where did that come from dude?
HTTP is a communication protocol, but the communication is not secure because the data sent through it is in plain text. That means if you are trying to log in to a web page which follows the HTTP protocol, it is easy for attackers to learn the credentials simply by eavesdropping on the data, and the user won’t even know about it. These attacks are called Man in the Middle attacks (MITM). To learn more about MITM, see this page.
To prevent this, HTTP communications are done within a connection encrypted by Secure Sockets Layer (SSL). It provides bidirectional encryption of communications between a client and server, which protects against eavesdropping and tampering with the contents of the communication.
This all comes to the conclusion that SSL, or its more recent version TLS, is a cryptographic protocol that provides security to communications.
Why is it necessary to test for SSL/TLS?
As a company whose main business runs on a web application, you should take appropriate steps so that every page on all your domains follows the HTTPS protocol, to prevent violation of users’ privacy and of the integrity of their data. Even one communication which isn’t secure enough can lead to Man in the Middle attacks.
Also, there is a security difference between SSL and TLS. TLS is the upgraded version of SSL. SSL 3.0 was vulnerable to the POODLE attack and other vulnerabilities, and that’s why TLS was developed. So during testing, it’s necessary to determine if any of the services on the application are still using SSL. To learn more about POODLE attacks, see
Ok, I get all the theoretical details but how do I test it?
There are different tools and scripts available for SSL testing. Some of them give you a plethora of details: the SSL version used, the vulnerabilities that version may be exposed to, and the different cipher suites in use.
We will go through it one by one.
- Nmap scan for SSL recognition: The “-sV” scan option in the Nmap scanner is able to identify SSL services. For example, a command like this will return the services which are using SSL:
nmap -F -sV www.targetwebsite.com
This will help you recognize the different services so that you can then check the discovered ports and services for the SSL version in use and whether they are vulnerable to any SSL attacks.
- Use of vulnerability scanners: Vulnerability scanners like Nessus and Burp Suite Pro also include checks against weak ciphers. They will report that a weak cipher is being used by scanning SSL on different ports and services. These tools are quite useful, so do give them a try. Nessus has a trial period for its free scanning, while Burp Suite’s free version doesn’t support scanning.
We will suggest some better methods. Just keep reading. :)
The above two methods are good, but when you need to test specifically for SSL, there are two more methods which we prefer, because they scan all services at once.
- Method 1: Download and run the testssl.sh script using the command below.
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
Look at this GitHub page for the command and instructions.
After downloading, you will find a script file named testssl.sh inside the cloned directory.
Just run the commands below from the directory where you downloaded testssl to do SSL testing using this script.
First, make the script executable:
chmod +x testssl.sh
After that, run the script on the target.
The above command is the default option which gives all the information, but there are many more specific options which you can see on this page.
This is one of the best tools at your disposal, completely free and trustworthy. Remember to check it out.
- Method 2: Method 1 was simple and easy, but there is another method which is even easier. The people at SSL Labs have made a website in which you just need to enter the hostname and it will give you the whole SSL testing report.
Here is a screenshot of the interface:
This also gives almost the same details as the above tool and gives an overall rating for your application’s SSL security. It is quite hassle-free and simple. Give it a try, it’s worth it.
- Websites nowadays shouldn’t use SSL or even TLS version 1.0. The best approach is to use more recent versions like 1.1 or 1.2. The above methods will tell you about the version of SSL in use as well as about the ciphers the encryption is using.
- Also, keep in mind that as a user you should be using the latest release of your browser. Do remember to update it as soon as the latest version is released. Browsers such as Chrome and Firefox have built-in preventive measures against insecure websites and will warn you if you are visiting one, because details like credit card numbers and passwords shared on such a website can be sniffed using Man in the Middle attacks.
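As an added example (not code from this post, from testssl.sh or from SSL Labs), here is a small Python script that performs the protocol-version check those two methods run and grades the result against the guidance above; it additionally flags TLS 1.1, which RFC 8996 has since deprecated. It takes a host and an optional port (for instance one that nmap -sV reported as an ssl/ service); the file name tls_versions.py, the verdict strings and the policy set are my assumptions.

```python
"""Probe which TLS versions a server accepts: the core check testssl.sh and SSL Labs run."""
import socket
import ssl
import sys

# Pinnable versions; SSLv2/SSLv3 are gone from current OpenSSL, leave those to testssl.sh.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
# Assumed policy: no SSL and no TLS 1.0 (as the post says), plus TLS 1.1 (RFC 8996).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

def probe_version(host, version, port=443, timeout=5.0):
    """True if the server completes a handshake pinned to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # we test version support, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:  # OpenSSL-only: allow TLS 1.0/1.1 on our side so a "no" comes from the server
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False   # refused, timed out, or this client cannot speak that version

def supported_versions(host, port=443):
    """Names (keys of VERSIONS) of every version the server negotiated."""
    return {n for n, v in VERSIONS.items() if probe_version(host, v, port)}

def grade(supported):
    """Return (verdict, detail) for a set of supported version names."""
    weak = sorted(supported & DEPRECATED)
    strong = sorted(supported - DEPRECATED)
    if not strong:
        return "FAIL", "no current TLS version (1.2/1.3) offered"
    if weak:
        return "WARN", "deprecated versions still enabled: " + ", ".join(weak)
    return "OK", "offers only " + ", ".join(strong)

if __name__ == "__main__":   # usage: python tls_versions.py host [port]
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    found = supported_versions(host, port)
    print(f"{host}:{port} negotiated {sorted(found) or 'nothing'};", *grade(found))
```

A version that this client could not negotiate is reported as unsupported, so on a LibreSSL or hardened OpenSSL build confirm any TLS 1.0/1.1 "not offered" result with testssl.sh before reporting it.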
To read about more methods and testing for different SSL/TLS criteria, see this page from OWASP.
In case you are having trouble with any setup or aren’t able to understand something, feel free to comment below and someone will reply to you as soon as we can.
Till then, keep learning and keep hacking. :)