Threat intelligence analysis docs
SSL certificate
Analyse a domain's SSL (HTTPS) certificates and test the host's SSL connection and configuration.
An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates the identity of a website and encrypts information sent to the server using SSL technology. A certificate serves as an electronic "passport" that establishes an online entity's credentials. When a user attempts to send confidential information to a web server, the browser accesses the server's digital certificate and establishes a secure connection. Traffic between the browser and the host is transferred in an undecipherable format that can only be decrypted with the proper key.
Certificate details
Detailed information about the certificate. The test is tagged Failed if no certificates were found for the domain.
Validation type
Output | What it means? |
---|---|
Extended validation | Nothing provides more trust and security than Extended Validation Certificates. They are used by most of the world's leading organizations. The criteria for issuing EV certificates are defined by the Guidelines for Extended Validation and provide a vetting process that is much stricter than for Organization validated certificates. Apart from improving trust and confidence via the strictest authentication process, EV certificates trigger a visible Green Bar on modern browsers to distinguish secure sites. It is extremely difficult to impersonate or phish an EV enabled site as even if web content could be duplicated, the Green Bar wouldn't be triggered without a trusted EV certificate. |
Organization validated | Organizational certificates are strictly authenticated by real agents against business registry databases hosted by world governments. Documents may be exchanged and personnel may be contacted during validation to prove the right of use. OV certificates therefore contain legitimate business information. This is the standard type of certificate required for a commercial or public facing website. OV certificates conform to the X.509 RFC standards and thus contain all the necessary information to validate the organization. |
Domain Validated | Domain Validated certificates are X.509 digital certificates that are checked against the domain registry. Identity of the applicant has been validated by proving some control over the domain name. There is no identifying organizational information for these certificates and thus visitors cannot validate if the business on the site is legitimate. |
Serial number
Uniquely identifies the certificate within Certificate Authority (CA) systems to track revocation information.
Allowed purposes
List of the allowed purposes the certificate can be used for.
Allowed CA purposes
List of the allowed purposes the certificate can be used for when acting as a Certificate Authority.
Signature algorithm
The algorithm used to sign the public key certificate.
Public key size/type
Information about the certificate's public key.
Certificates chain
Shows an ordered list of all the certificates in the chain, enabling the receiver to verify that the sender is trustworthy. Each certificate in the chain is signed by the entity identified by the next certificate in the chain. The signatures of all certificates in the chain must be verified up to the Root CA Certificate.
Certificate type | Sample output | What it means? |
---|---|---|
Server's certificate | *.google.com | The chain begins with the Server's certificate (SSL certificate). |
Intermediate certificate | Go Daddy Secure Certificate Authority - G2 | The signer/issuer of the Server's certificate. Any certificate that sits between the Server's certificate and the Root Certificate is called a chain or Intermediate Certificate. If the Intermediate Certificate is not installed on the server it may prevent some browsers, mobile devices, applications, etc. from trusting the SSL certificate. In order to make the SSL certificate compatible with all the clients, it's necessary to install the Intermediate Certificate. |
Root CA certificate | Go Daddy Root Certificate Authority - G2 | The signer/issuer of the Intermediate Certificate. The chain terminates with a Root CA Certificate. The Root CA Certificate is always signed by the CA itself. |
Issued to
Who the Server's (SSL) certificate is issued to.
Field | What it means? |
---|---|
Address | Organisation's address composed from the following certificate subject block's fields: |
Organization | O (Organization) field of the certificate's subject block. |
Organizational Unit | OU (Organizational Unit) field of the certificate's subject block. |
Business Category | Business category. |
Organisation's email address. | |
Incorporation address | Incorporation address. |
Street | Street. |
Serial number | Certificate's serial number |
Common name | CN (Common Name) field of the certificate's subject block. If it starts with "*.", it's called a wildcard certificate, which can be used with multiple subdomains of a domain. |
Subject alternative names | Subject alternative names (SANs) are the additional, non-primary domain names secured by the SSL certificate. |
Issued by
Who the certificate was issued by.
Field | What it means? |
---|---|
Address | Organisation's address composed from the following certificate subject block's fields: |
Organization | O (Organization) field of the certificate's subject block. |
Organizational Unit | OU (Organizational Unit) field of the certificate's subject block. |
Business Category | Business category. |
Organisation's email address. | |
Incorporation address | Incorporation address. |
Street | Street. |
Serial number | Certificate's serial number |
Common name | CN (Common Name) field of the certificate's subject block. If it starts with "*.", it's called a wildcard certificate, which can be used with multiple subdomains of a domain. |
Subject alternative names | Subject alternative names (SANs) are the additional, non-primary domain names secured by the SSL certificate. |
Certificate validity
Check the certificate's validity period.
Valid from
Check the date and time from which the certificate is valid. Compare the Not valid before field with the current date and time.
Output | Tag | What it means? |
---|---|---|
Valid from <date and time> | OK | The certificate is valid. |
Recently obtained certificate, valid from <date and time> | Warning | The certificate was obtained less than 30 days ago. |
Certificate's not valid yet. Valid from: <date and time> | Failed | The certificate's 'Not valid before' is in the future. |
Valid to
Check the date and time until which the certificate is valid. Compare the Not valid after field with the current date and time.
Output | Tag | What it means? |
---|---|---|
Valid until <date and time> | OK | The certificate is valid. |
Expires soon. Valid until <date and time> | Warning | The certificate expires in 3 days or less. Should be updated. |
Certificate expired at <date and time> | Failed | The certificate is expired. |
CRL check
Request the CRL (Certificate revocation list) provided by the certificate's issuer and check if the SSL certificate is present there.
Output | Tag | What it means? |
---|---|---|
No CRL endpoints available | Skip | No CRL endpoints were found in the certificate's extensions. Test skipped. |
CRL URI: crl.godaddy.com | OK | The certificate is not present in the CRL provided by the certificate's issuer. |
CRL URI: crl.godaddy.com | Failed | The certificate is revoked. It's present in the CRL provided by the certificate's issuer. |
OCSP check
Check if the SSL certificate is revoked with the use of OCSP (Online Certificate Status Protocol).
OCSP is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to CRL (Certificate Revocation Lists), specifically addressing certain problems associated with using CRLs in a PKI (Public Key Infrastructure).
Output | Tag | What it means? |
---|---|---|
No OCSP endpoint available | Skip | No OCSP endpoints were found in the certificate's extensions. Test skipped. |
OCSP URI: ocsp.godaddy.com | OK | The certificate isn't revoked. |
OCSP URI: ocsp.godaddy.com | Failed | The certificate is revoked. |
Hostname validation
Check if the target domain name is referenced in the SSL certificate's Common Name or Subject Alternative Names fields.
Output | Tag | What it means? |
---|---|---|
Wildcard certificate | OK | The target domain name matches a wildcard. |
<domain name> found in Common Name | OK | The domain name matches the certificate's Common Name (CN) field. |
<domain name> found in Subject Alternative Names | OK | The domain name matches one of the certificate's Subject Alternative Names (SAN). |
<domain name> does not match the certificate | Failed | The domain name is referenced in neither the Common Name (CN) nor the Subject Alternative Names (SAN) field of the certificate. The certificate can't be used for the target website. |
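The matching rules behind the table above, as an added example (not the platform's own code). It takes a certificate in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()` and returns the table's tag and output; the sample certificates are constructed, and limiting a wildcard to one left-most label is the usual client behaviour assumed here.

```python
def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot
    return name.rstrip(".").lower().split(".")

def _matches(pattern, host):
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        # reject over-broad patterns such as "*.com": need "*" plus two labels
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h             # partial wildcards ("w*.example.com") are treated as literals

def validate_hostname(cert, host):
    """Return (tag, output) using the outputs from the table above."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for key, v in rdn if key == "commonName"]
    # The check described above accepts either field; note that current
    # browsers ignore CN and match against SAN only.
    for source, names in (("Subject Alternative Names", sans), ("Common Name", cns)):
        for name in names:
            if _matches(name, host):
                if name.startswith("*."):
                    return ("OK", "Wildcard certificate")
                return ("OK", f"{host} found in {source}")
    return ("Failed", f"{host} does not match the certificate")

# Constructed sample certificates (not taken from a real host)
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.net"),),)}
TOO_BROAD_CERT = {"subjectAltName": (("DNS", "*.com"),)}

if __name__ == "__main__":
    for cert, host in [(WILDCARD_CERT, "www.example.com"),
                       (WILDCARD_CERT, "a.b.example.com"),
                       (CN_ONLY_CERT, "legacy.example.net"),
                       (TOO_BROAD_CERT, "example.com")]:
        print(host, "->", validate_hostname(cert, host))
```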
SSL vulnerabilities
Check for common vulnerabilities in the SSL certificate and in the host's SSL configuration.
Self-signed certificate
Check if the certificate was issued by the target website itself and wasn't verified by a trusted Certificate Authority. While self-signed SSL certificates still encrypt the connection, most web browsers display a security alert. Self-signed certificates are often used by malware or vulnerable hosts. Unlike most CA-issued certificates, self-signed certificates are free.
Output | Tag | What it means? |
---|---|---|
CA-signed certificate. | OK | The certificate is signed by a Certificate Authority. Issuer does not match the subject. |
Self-signed certificate. | Failed | The certificate is self-signed. Issuer matches the subject. |
Supported protocols
Check if the host supports deprecated or vulnerable SSL protocols.
Protocol | Recommendation | Details |
---|---|---|
TLS 1.0 | Update to TLS 1.2 | TLS 1.0 is vulnerable to the BEAST and POODLE attacks. Cryptographic initialization vectors (IVs) are predictable in some implementations of the protocol. It's recommended to update to TLS 1.2. TLS 1.2 is resistant to cipher block chaining (CBC) attacks. Some browsers don't support TLS 1.0. |
TLS 1.1 | Update to TLS 1.2 | TLS 1.1 is vulnerable to the BEAST and POODLE attacks. Cryptographic initialization vectors (IVs) are predictable in some implementations of the protocol. It's recommended to update to TLS 1.2. TLS 1.2 is resistant to cipher block chaining (CBC) attacks. Some browsers don't support TLS 1.1. |
TLS 1.2 | The latest and the most secure version of the protocol. | The latest and the most secure version of the protocol. |
SSLv2 | Should not be supported. Update to TLS 1.2 | SSLv2 was introduced by Netscape in 1995. Its weakness has been proven. Now TLS 1.2 is the latest and the most secure version of the protocol. It's recommended to disable SSLv2 connections on both client and server. |
SSLv3 | Should not be supported. Update to TLS 1.2 | SSLv3 was introduced by Netscape in 1996. Its weakness has been proven. Now TLS 1.2 is the latest and the most secure version of the protocol. It's recommended to disable SSLv3 connections on both client and server. |
Supported cipher suites
Check if the host supports suboptimal cipher suites.
Output | Tag | What it means? |
---|---|---|
No suboptimal cipher suites found. | OK | Host does not support suboptimal cipher suites. |
Your server supports suboptimal cipher suites: <list> | Warning | It's not recommended to support suboptimal cipher suites: |
SSL compression
Check SSL connection compression methods enabled by the host.
Output | Tag | What it means? |
---|---|---|
Disabled | OK | Configuration is correct. |
Enabled | Failed | SSL connection compression is enabled by the host. It's recommended to disable it to protect against BREACH attacks. |
HTTP Public Key Pinning Extension
Check if HPKP headers are set in the host's response.
HTTP Public Key Pinning (HPKP) is a security mechanism delivered via an HTTP header which allows HTTPS websites to resist impersonation by attackers using mis-issued or fraudulent certificates. The mechanism is now considered deprecated and even insecure, and its use is no longer recommended.
Output | Tag | What it means? |
---|---|---|
Headers not set | OK | Host's response does not contain HPKP headers ("Public-Key-Pins", "Public-Key-Pins-Report-Only") |
Headers set | Warning | Host's response contains HPKP headers. Configuration meets recommendations. |
Force HTTPS connections
Check if HSTS header is returned by the host.
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is on the IETF standards track. It's specified in RFC 6797.
Output | Tag | What it means? |
---|---|---|
Yes | OK | HSTS header is set. HTTPS protocol is forced. Configuration meets best practices. |
No | Warning | HSTS headers are not set. HTTPS protocol is not forced. To protect against protocol downgrade attacks and cookie hijacking it's recommended to configure HSTS headers. |
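The HPKP and HSTS header checks described above, applied to a list of response headers, as an added example (not the platform's own code). The header lists are constructed samples; treating a missing, invalid or zero `max-age` as "not forced" goes one step beyond the table and is this example's assumption.

```python
HPKP_HEADERS = {"public-key-pins", "public-key-pins-report-only"}

def parse_hsts(value):
    """Parse one Strict-Transport-Security value into (max_age, include_subdomains)."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()                    # directive names are case-insensitive
        if name and name not in directives:
            directives[name] = arg.strip().strip('"')  # max-age may arrive as a quoted-string
    raw = directives.get("max-age", "")
    max_age = int(raw) if raw.isascii() and raw.isdigit() else None
    return max_age, "includesubdomains" in directives

def check_headers(headers):
    """headers: (name, value) pairs from an HTTPS response. Returns the tags for both checks."""
    names = {name.lower() for name, _ in headers}
    hpkp = ("Warning", "Headers set") if names & HPKP_HEADERS else ("OK", "Headers not set")
    sts = [value for name, value in headers if name.lower() == "strict-transport-security"]
    if not sts:
        return {"hsts": ("Warning", "No"), "hpkp": hpkp}
    # RFC 6797: when the header is repeated, only the first field is processed
    max_age, subdomains = parse_hsts(sts[0])
    if not max_age:
        # Assumption of this example: max-age=0 tells the browser to drop the
        # policy, so the header is present but HTTPS is not forced.
        return {"hsts": ("Warning", "No"), "hpkp": hpkp}
    return {"hsts": ("OK", "Yes"), "max_age": max_age,
            "include_subdomains": subdomains, "hpkp": hpkp}

# Constructed sample responses; the pin value is a placeholder, not a real hash
GOOD = [("Strict-Transport-Security", 'max-age="31536000"; includeSubDomains')]
LEGACY = GOOD + [("Public-Key-Pins", 'pin-sha256="PLACEHOLDER"; max-age=5184000')]
DISABLED = [("strict-transport-security", "max-age=0")]

if __name__ == "__main__":
    for sample in (GOOD, LEGACY, DISABLED, []):
        print(check_headers(sample))
```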
Heartbleed vulnerability check
Check whether the OpenSSL version installed on the host is fixed against the Heartbleed bug. This is a serious vulnerability in the popular OpenSSL cryptographic software library. The weakness allows stealing information that is protected, under normal conditions, by SSL/TLS encryption.
Output | Tag | What it means? |
---|---|---|
OK | OK | OpenSSL installed on the host is fixed against Heartbleed vulnerability. |
The host is vulnerable. OpenSSL should be updated. | Failed | The host has the vulnerable OpenSSL version installed. Should be updated. |
TLS_FALLBACK_SCSV supported
Check if TLS_FALLBACK_SCSV is supported by the host - to protect against POODLE attacks.
TLS_FALLBACK_SCSV is recommended for a client to indicate that it is knowingly repeating an SSL/TLS connection attempt over a lower protocol version it supports because the last one has failed for some reason. When the server sees a TLS_FALLBACK_SCSV signal, it compares the highest protocol version it supports to the version indicated in the Client Hello. If the client's version is lower, the server responds with a new Alert defined by the RFC as inappropriate_fallback. The idea is that the server knows the client supports something better, so the connection should have negotiated that. The inappropriate_fallback Alert is a “fatal” error, i.e. the SSL/TLS connection is aborted.
Output | Tag | What it means? |
---|---|---|
Yes | OK | TLS_FALLBACK_SCSV is supported by the host. Configuration meets recommendations. |
Only 1 protocol supported | Warning | The server supports only 1 protocol. Fallback isn't possible. |
No | Failed | It's recommended to enable TLS_FALLBACK_SCSV to protect against POODLE attacks. |
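The server-side comparison described above, as an added example (not the platform's own code): it parses a ClientHello record, looks for the TLS_FALLBACK_SCSV value among the cipher suites and decides between continuing and the fatal alert. The ClientHello bytes are constructed by the hypothetical helper `build_client_hello`, and the parser assumes a pre-TLS 1.3 hello delivered in a single record.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600       # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86      # fatal alert description (RFC 7507)

def parse_client_hello(record):
    """Return (client_version, cipher_suites) from one TLS record holding a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if hs_len + 4 > rec_len or len(hello) < hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack_from("!H", hello, 0)[0]
    pos = 2 + 32                          # client_version + random
    pos += 1 + hello[pos]                 # session_id length byte + session_id
    if pos + 2 > len(hello):
        raise ValueError("truncated ClientHello")
    n = struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    if n % 2 or pos + n > len(hello):
        raise ValueError("bad cipher_suites length")
    return version, list(struct.unpack_from(f"!{n // 2}H", hello, pos))

def server_decision(record, server_max_version):
    """Return ('alert', code) for an inappropriate fallback, else ('continue', version)."""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and version < server_max_version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("continue", min(version, server_max_version))

def build_client_hello(version, suites):
    """Constructed sample input: a minimal ClientHello without extensions."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00"
    hello += struct.pack(f"!H{len(suites)}H", 2 * len(suites), *suites) + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake

TLS10, TLS12 = 0x0301, 0x0303

if __name__ == "__main__":
    retry = build_client_hello(TLS10, [0x002F, TLS_FALLBACK_SCSV])  # downgraded retry
    first = build_client_hello(TLS12, [0xC02F])                     # ordinary first attempt
    print(server_decision(retry, TLS12), server_decision(first, TLS12))
```

A client that genuinely supports only TLS 1.0 sends no SCSV, so the same server continues the handshake at TLS 1.0 instead of aborting.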
TLSA DNS record configuration
Check if the TLSA record is correctly configured for the domain name.
This is a part of DNS-based authentication of named entities: RFC 6698. DNS-based Authentication of Named Entities (DANE) is a protocol to allow X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using Domain Name System Security Extensions (DNSSEC).
Output | Tag | What it means? |
---|---|---|
OK. <TLSA record details> | OK | TLSA record is correctly configured. |
Not configured. | Warning | TLSA record is not configured for the domain name. |
Configuration issue. <TLSA record details> | Warning | TLSA record has configuration issues. |
Debian blacklist check
Check if the certificate's public key is present in the Debian blacklist.
Output | Tag | What it means? |
---|---|---|
OK | OK | The certificate's public key is not present in the Debian blacklist. |
The certificate's public key is present in the Debian blacklist. | Failed | The certificate's public key is present in the Debian blacklist. |
OCSP stapling enabled
Check if OCSP Stapling is enabled and analyse its response in order to check the SSL certificate's validity.
The Online Certificate Status Protocol (OCSP) is used for obtaining the revocation status of an X.509 digital certificate. It's on the Internet standards track: RFC 6960. It was created as an alternative to Certificate Revocation Lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP.
Output | Tag | What it means? |
---|---|---|
No | Warning | Host doesn't support OCSP stapling. |
Certificate status: ok Last update: 15 September 2017 Next update: 16 September 2017 Hash algorithm: sha1 Signature Algorithm: sha1withRSAEncryption Issuer name hash: hash | OK | Host supports OCSP stapling. |