I'm wondering if anyone knows of a demo site which shows different cases where HTTPS is misconfigured or broken. Or does anyone know of a website in the wild that deliberately displays various broken / misconfigured HTTPS cases? ... If not, how about ideas on how to track them down with a search engine? I'm looking for sites which exhibit broken https behaviors, for example:
I'm looking to find a comprehensive list of the various ways that HTTPS can be misconfigured, and ideally perhaps live examples that I can use to hone a tool to crawl a page and tell you if it's going to produce any browser security errors. (As far as I know there is no such tool, short of a human operating a browser, anyone know of one?)
When using an expired certificate, you risk your encryption and mutual authentication. As a result, both your website and users are susceptible to attacks and viruses. For example, a hacker can take advantage of a website with an expired SSL certificate and create a fake website identical to it.
An SSL certificate error occurs when a web browser can't verify the SSL certificate installed on a site. Rather than connect users to your website, the browser will display an error message, warning users that the site may be insecure.
Without SSL, your site visitors and customers are at higher risk of having their data stolen. Your site security is also at risk without encryption. SSL protects websites from phishing scams, data breaches, and many other threats. Ultimately, it builds a secure environment for both visitors and site owners.
Revisiting this. Here's a great online tool recently built: https://www.ssllabs.com/ssldb/analyze.html
e.g. Paypal: https://www.ssllabs.com/ssldb/analyze.html?d=https://paypal.com
There are more details when you drill into a specific server.
When this question was asked I remember I was looking for resources I could use to build a tool that would automatically check if ssl was configured "properly" for a given site; at least that a given site was not going to display various ssl errors in various browsers. There are however many types of ssl/tls "misconfiguration" and many browsers handle the cases differently. Anticipating 100% if a browser is going to display any messaging at all or any given messaging about encryption is quite challenging as it turns out.
But this is a good manual tool. What would be great is an open source command line tool that has this level of summary, for plugging into deploy tests or monitoring.
For those interested to know more about ssl under the covers, this page is very well worth a read http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html
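As an added example (not part of the original posts, and not an existing tool), here is one way the command-line check described above could look using only Python's standard library: it connects with the system trust store and reports which verification failure a browser-like client would hit, or how many days remain on a valid certificate. The function names, the label strings and the 14-day warning threshold are assumptions made for this example.

```python
import socket
import ssl
import time

# OpenSSL X509_V_ERR_* codes, exposed by Python as SSLCertVerificationError.verify_code.
# The label strings are this example's own naming.
VERIFY_CODES = {
    9: "not-yet-valid",
    10: "expired",
    18: "self-signed",
    19: "self-signed-in-chain",
    20: "untrusted-issuer",
    21: "unverifiable-leaf",   # often a missing intermediate certificate
    62: "hostname-mismatch",
}

def classify(code):
    """Map an OpenSSL verify code to a short label; unknown codes stay visible."""
    return VERIFY_CODES.get(code, f"verify-error-{code}")

def days_left(cert, now=None):
    """Whole days until notAfter, for a dict shaped like SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def check_host(host, port=443, warn_days=14, timeout=5.0):
    """Return (status, detail) for one HTTPS endpoint."""
    ctx = ssl.create_default_context()  # system CAs, hostname checking enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                remaining = days_left(tls.getpeercert())
                status = "expiring-soon" if remaining < warn_days else "ok"
                return status, f"{tls.version()}, {remaining} days left"
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code), exc.verify_message
    except ssl.SSLError as exc:        # protocol or cipher negotiation failure
        return "tls-handshake-failed", str(exc)
    except OSError as exc:             # DNS failure, refused connection, timeout
        return "connect-failed", str(exc)

if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:          # usage: python check_tls.py host1 host2 ...
        print(name, *check_host(name))
```

This reports what OpenSSL's verifier decides; browsers apply further policies of their own (mixed content, for instance) that a handshake-level check does not see.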