
Threat intelligence analysis docs

SSL certificate

Analyse a domain's SSL (HTTPS) certificates and test the host's SSL connection and configuration.

An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates the identity of a website and encrypts information sent to the server using SSL technology. A certificate serves as an electronic "passport" that establishes an online entity's credentials. When a user attempts to send confidential information to a web server, the browser accesses the server's digital certificate and establishes a secure connection. Traffic between the browser and the host is transferred in an undecipherable format that can only be decrypted with the proper key.


Certificates chain

Type: Info

Shows an ordered list of all the certificates in the chain, enabling the receiver to verify that the sender is trustworthy. Each certificate in the chain is signed by the entity identified by the next certificate in the chain. The signatures of all certificates in the chain must be verified up to the Root CA Certificate.

Certificate type | Sample output | What it means?
Server's certificate | *.google.com | The chain begins with the Server's certificate (SSL certificate).
Intermediate certificate | Go Daddy Secure Certificate Authority - G2 | The signer/issuer of the Server's certificate. Any certificate that sits between the Server's certificate and the Root Certificate is called a chain or Intermediate Certificate. If the Intermediate Certificate is not installed on the server it may prevent some browsers, mobile devices, applications, etc. from trusting the SSL certificate. In order to make the SSL certificate compatible with all the clients, it's necessary to install the Intermediate Certificate.
Root CA certificate | Go Daddy Root Certificate Authority - G2 | The signer/issuer of the Intermediate Certificate. The chain terminates with a Root CA Certificate. The Root CA Certificate is always signed by the CA itself.

Issued to

Type: Info

Who the Server's (SSL) certificate is issued to.

Field | What it means?
Address | Organisation's address composed from the following certificate subject block's fields: Locality/City (L), State/Province (S), Country (C), Street address, Postal code.
Organization | O (Organization) field of the certificate's subject block.
Organizational Unit | OU (Organizational Unit) field of the certificate's subject block.
Business Category | Business category.
Mail | Organisation's email address.
Incorporation address | Incorporation address.
Street | Street.
Serial number | Certificate's serial number.
Common name | CN (Common Name) field of the certificate's subject block. If it starts with "*.", it's called a wildcard certificate, which can be used with multiple subdomains of a domain.
Subject alternative names | Subject alternative names (SANs) are the additional, non-primary domain names secured by the SSL certificate.

Issued by

Type: Info

Who the certificate was issued by.

Field | What it means?
Address | Organisation's address composed from the following certificate subject block's fields: Locality/City (L), State/Province (S), Country (C), Street address, Postal code.
Organization | O (Organization) field of the certificate's subject block.
Organizational Unit | OU (Organizational Unit) field of the certificate's subject block.
Business Category | Business category.
Mail | Organisation's email address.
Incorporation address | Incorporation address.
Street | Street.
Serial number | Certificate's serial number.
Common name | CN (Common Name) field of the certificate's subject block. If it starts with "*.", it's called a wildcard certificate, which can be used with multiple subdomains of a domain.
Subject alternative names | Subject alternative names (SANs) are the additional, non-primary domain names secured by the SSL certificate.

Certificate details

Type: Info

Detailed information about the certificate.

Validation type

Output | What it means?
Extended validation | Nothing provides more trust and security than Extended Validation Certificates. They are used by most of the world's leading organizations. The criteria for issuing EV certificates are defined by the Guidelines for Extended Validation and provide a vetting process that is much stricter than for Organization validated certificates. Apart from improving trust and confidence via the strictest authentication process, EV certificates trigger a visible Green Bar on modern browsers to distinguish secure sites. It is extremely difficult to impersonate or phish an EV enabled site as even if web content could be duplicated, the Green Bar wouldn't be triggered without a trusted EV certificate.
Organization validated | Organizational certificates are strictly authenticated by real agents against business registry databases hosted by world governments. Documents may be exchanged and personnel may be contacted during validation to prove the right of use. OV certificates therefore contain legitimate business information. This is the standard type of certificate required for a commercial or public facing website. OV certificates conform to the X.509 RFC standards and thus contain all the necessary information to validate the organization.
Domain Validated | Domain Validated certificates are X.509 digital certificates that are checked against the domain registry. Identity of the applicant has been validated by proving some control over the domain name. There is no identifying organizational information for these certificates and thus visitors cannot validate if the business on the site is legitimate.

Serial number

Uniquely identifies the certificate within Certificate Authority (CA) systems to track revocation information.

Allowed purposes

List of the allowed purposes the certificate can be used for.

Allowed CA purposes

List of the allowed purposes the certificate can be used for when acting as a Certificate Authority.

Signature algorithm

The algorithm used to sign the public key certificate.

Public key size/type

Information regarding certificate's public key.

Certificate validity

Type: Analysis

Check the certificate's validity period.

Valid from

Check the date and time from which the certificate is valid by comparing the Not valid before field with the current date and time.

Output | Tag | What it means?
Valid from <date and time> | OK | The certificate is valid.
Recently obtained certificate, valid from <date and time> | Warning | The certificate was obtained less than 3 days ago.
Certificate's not valid yet. Valid from: <date and time> | Failed | The certificate's 'Not valid before' is in the future.

Valid to

Check the date and time until which the certificate is valid by comparing the Not valid after field with the current date and time.

Output | Tag | What it means?
Valid until <date and time> | OK | The certificate is valid.
Expires soon. Valid until <date and time> | Warning | The certificate expires in 3 days or less. Should be updated.
Certificate expired at <date and time> | Failed | The certificate is expired.
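
The two validity checks above can be reproduced as follows. This is an added example, not the platform's own code; it assumes the certificate dates arrive in the form returned by Python's ssl.SSLSocket.getpeercert(), and the sample certificate and function names are constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=3)  # threshold used by both checks on this page

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notBefore": "Sep 12 00:00:00 2017 GMT",
    "notAfter": "Sep 12 00:00:00 2018 GMT",
}


def _parse(cert_time):
    # cert_time_to_seconds() understands the "Mon DD HH:MM:SS YYYY GMT" form.
    seconds = ssl.cert_time_to_seconds(cert_time)
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def check_valid_from(cert, now):
    """Compare 'Not valid before' with now (a timezone-aware UTC datetime)."""
    not_before = _parse(cert["notBefore"])
    stamp = not_before.strftime("%Y-%m-%d %H:%M UTC")
    if not_before > now:
        return "Failed", f"Certificate's not valid yet. Valid from: {stamp}"
    if now - not_before < WINDOW:  # obtained less than 3 days ago
        return "Warning", f"Recently obtained certificate, valid from {stamp}"
    return "OK", f"Valid from {stamp}"


def check_valid_to(cert, now):
    """Compare 'Not valid after' with now (a timezone-aware UTC datetime)."""
    not_after = _parse(cert["notAfter"])
    stamp = not_after.strftime("%Y-%m-%d %H:%M UTC")
    if not_after < now:
        return "Failed", f"Certificate expired at {stamp}"
    if not_after - now <= WINDOW:  # expires in 3 days or less
        return "Warning", f"Expires soon. Valid until {stamp}"
    return "OK", f"Valid until {stamp}"
```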

CRL check

Request the CRL (Certificate revocation list) provided by the certificate's issuer and check if the SSL certificate is present there.

Output | Tag | What it means?
No CRL endpoints available | Skip | No CRL endpoints were found in the certificate's extensions. Test skipped.
CRL URI: crl.godaddy.com; Status: ok; Last update: 12 September 2017; Next update: 15 September 2017 | OK | The certificate is not present in the CRL provided by the certificate's issuer.
CRL URI: crl.godaddy.com; Status: revoked; Last update: 12 September 2017; Next update: 15 September 2017 | Failed | The certificate is revoked. It's present in the CRL provided by the certificate's issuer.

OCSP check

Check if the SSL certificate is revoked with the use of OCSP (Online Certificate Status Protocol).

OCSP is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to CRL (Certificate Revocation Lists), specifically addressing certain problems associated with using CRLs in a PKI (Public Key Infrastructure).

Output | Tag | What it means?
No OCSP endpoint available | Skip | No OCSP endpoints were found in the certificate's extensions. Test skipped.
OCSP URI: ocsp.godaddy.com; Status: good; Last update: 12 September 2017; Next update: 15 September 2017 | OK | The certificate isn't revoked.
OCSP URI: ocsp.godaddy.com; Status: revoked; Last update: 12 September 2017; Next update: 15 September 2017 | Failed | The certificate is revoked.

Hostname validation

Check if the target domain name is referenced in the SSL certificate's Common Name or Subject Alternative Names fields.

Output | Tag | What it means?
Wildcard certificate | OK | The target domain name matches a wildcard.
<domain name> found in Common Name | OK | The domain name matches the certificate's Common Name (CN) field.
<domain name> found in Subject Alternative Names | OK | The domain name matches one of the certificate's Subject Alternative Names (SAN).
<domain name> does not match the certificate | Failed | The domain name is referenced in neither the Common Name (CN) nor the Subject Alternative Names (SAN) field of the certificate. The certificate can't be used for the target website.
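
The matching rules behind this check, including the wildcard edge cases, look like this in code. This is an added example, not the platform's own code; the certificate dictionary is a constructed sample in the shape of Python's ssl.SSLSocket.getpeercert() output, and name_matches and validate_hostname are illustrative names.

```python
# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "*.google.com"),),),
    "subjectAltName": (("DNS", "*.google.com"), ("DNS", "google.com")),
}


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")


def name_matches(pattern, host):
    p, h = _labels(pattern), _labels(host)
    if p[0] != "*":
        return p == h
    # A wildcard stands for exactly one leftmost label, so "*.google.com"
    # covers "mail.google.com" but not "google.com" or "a.b.google.com".
    # Requiring two fixed labels rejects over-broad patterns such as "*.com".
    return len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def validate_hostname(cert, host):
    """Return (tag, output) using the wording of the table above."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    # The page's check accepts CN as well as SAN; modern browsers match
    # against SAN entries only.
    sources = (("Common Name", cns), ("Subject Alternative Names", sans))
    # Exact names first, then wildcards, so the most specific match wins.
    for field, names in sources:
        if any(not n.startswith("*.") and name_matches(n, host) for n in names):
            return "OK", f"{host} found in {field}"
    for field, names in sources:
        if any(n.startswith("*.") and name_matches(n, host) for n in names):
            return "OK", "Wildcard certificate"
    return "Failed", f"{host} does not match the certificate"
```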

SSL vulnerabilities

Type: Analysis

Check for common vulnerabilities in the SSL certificate and in the host's SSL configuration.

Self-signed certificate

Check if the certificate was issued by the target website itself and wasn't verified by a trusted Certificate Authority. While self-signed SSL certificates still encrypt the connection, most web browsers display a security alert. Self-signed certificates are often used by malware or vulnerable hosts. Unlike most CA-issued certificates, self-signed certificates are free.

Output | Tag | What it means?
CA-signed certificate. | OK | The certificate is signed by a Certificate Authority. Issuer does not match the subject.
Self-signed certificate. | Failed | The certificate is self-signed. Issuer matches the subject.
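
The issuer/subject comparison used here, together with the chain ordering described under "Certificates chain", can be sketched as follows. This is an added example, not the platform's own code: it compares names only and does not verify signatures, the certificate records and trust store are constructed from the sample names on this page, and the outputs for a broken or incomplete chain are hypothetical.

```python
# Constructed data: names are the sample outputs shown in the chain table.
LEAF = {"subject": "*.google.com",
        "issuer": "Go Daddy Secure Certificate Authority - G2"}
INTERMEDIATE = {"subject": "Go Daddy Secure Certificate Authority - G2",
                "issuer": "Go Daddy Root Certificate Authority - G2"}
ROOT = {"subject": "Go Daddy Root Certificate Authority - G2",
        "issuer": "Go Daddy Root Certificate Authority - G2"}
TRUSTED_ROOTS = {ROOT["subject"]}  # stands in for the client's trust store


def is_self_signed(cert):
    # The page's criterion: issuer matches the subject.
    return cert["issuer"] == cert["subject"]


def check_chain(chain, trusted_roots=TRUSTED_ROOTS):
    """chain is what the server sent, leaf first. Names only, no signatures."""
    if is_self_signed(chain[0]):
        return "Failed", "Self-signed certificate."
    # Each certificate must be issued by the entity named in the next one.
    for cert, signer in zip(chain, chain[1:]):
        if cert["issuer"] != signer["subject"]:
            return "Failed", (f"{cert['subject']} is not issued by "
                              f"{signer['subject']}")
    # The last certificate sent must lead to a root the client already trusts.
    # A server that omits its intermediate fails here.
    top = chain[-1]
    if top["issuer"] in trusted_roots:
        return "OK", "CA-signed certificate."
    return "Failed", f"No certificate for {top['issuer']} in the chain"
```

A real verifier also checks each signature, validity period and CA constraint along the path; the name comparison only shows why a missing intermediate breaks trust for clients that cannot fetch it themselves.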

Supported protocols

Check if the host supports deprecated or vulnerable SSL protocols.

Protocol | Recommendation | Details
TLS 1.0 | Update to TLS 1.2 | TLS 1.0 is vulnerable to the BEAST and POODLE attacks. Cryptographic initialization vectors (IVs) are predictable in some implementations of the protocol. It's recommended to update to TLS 1.2. TLS 1.2 is resistant to cipher block chaining (CBC) attacks. Some browsers don't support TLS 1.0.
TLS 1.1 | Update to TLS 1.2 | TLS 1.1 is vulnerable to the BEAST and POODLE attacks. Cryptographic initialization vectors (IVs) are predictable in some implementations of the protocol. It's recommended to update to TLS 1.2. TLS 1.2 is resistant to cipher block chaining (CBC) attacks. Some browsers don't support TLS 1.1.
TLS 1.2 | The latest and the most secure version of the protocol. |
SSLv2 | Should not be supported. Update to TLS 1.2 | SSLv2 was introduced by Netscape in 1995. Its weakness has been proven. Now TLS 1.2 is the latest and the most secure version of the protocol. It's recommended to disable SSLv2 connections on both client and server.
SSLv3 | Should not be supported. Update to TLS 1.2 | SSLv3 was introduced by Netscape in 1996. Its weakness has been proven. Now TLS 1.2 is the latest and the most secure version of the protocol. It's recommended to disable SSLv3 connections on both client and server.

Supported cipher suites

Check if the host supports suboptimal cipher suites.

Output | Tag | What it means?
No suboptimal cipher suites found. | OK | Host does not support suboptimal cipher suites.
Your server supports suboptimal cipher suites: <list> | Warning | It's not recommended to support suboptimal cipher suites:

SSL compression

Check SSL connection compression methods enabled by the host.

Output | Tag | What it means?
Disabled | OK | Configuration is correct.
Enabled | Failed | SSL connection compression is enabled by the host. It's recommended to disable it to protect against BREACH attacks.

HTTP Public Key Pinning Extension

Check if HPKP headers are set in the host's response.

HTTP Public Key Pinning (HPKP) is a security mechanism delivered via an HTTP header which allows HTTPS websites to resist impersonation by attackers using mis-issued or fraudulent certificates. In order to do so, it delivers to the client (browser) a set of public keys, which should be the only ones trusted for connections to this domain.

Output | Tag | What it means?
Headers set | OK | Host's response contains HPKP headers. Configuration meets recommendations.
Headers not set | Warning | Host's response does not contain HPKP headers ("Public-Key-Pins", "Public-Key-Pins-Report-Only"). It's recommended to configure this.

Force HTTPS connections

Check if HSTS header is returned by the host.

HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is on the IETF standards track. It's specified in RFC 6797.

Output | Tag | What it means?
Yes | OK | HSTS header is set. HTTPS protocol is forced. Configuration meets best practices.
No | Warning | HSTS headers are not set. HTTPS protocol is not forced. To protect against protocol downgrade attacks and cookie hijacking it's recommended to configure HSTS headers.

Heartbeat extension

Check if the heartbeat extension is enabled on the host: RFC 6520.

Output | Tag | What it means?
Enabled | OK | Host configuration meets best practices.
Disabled | Warning | It's recommended to enable the heartbeat extension.

Heartbleed vulnerability check

Check whether the OpenSSL version installed on the host is fixed against the Heartbleed Bug, a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows the theft of information that is normally protected by SSL/TLS encryption.

Output | Tag | What it means?
OK | OK | OpenSSL installed on the host is fixed against Heartbleed vulnerability.
The host is vulnerable. OpenSSL should be updated. | Failed | The host has the vulnerable OpenSSL version installed. Should be updated.

TLS_FALLBACK_SCSV supported

Check if TLS_FALLBACK_SCSV is supported by the host - to protect against POODLE attacks.

TLS_FALLBACK_SCSV is recommended for a client to indicate that it is knowingly repeating a SSL/TLS connection attempt over a lower protocol version it supports because the last one has failed for some reason. When the server sees a TLS_FALLBACK_SCSV signal it compares the highest protocol version it supports to the version indicated in the Client Hello. If the client's version is lower, the server responds with a new Alert defined by the RFC as inappropriate_fallback. The idea is that the server knows the client supports something better so the connection should have negotiated that. The inappropriate_fallback Alert is a “fatal” error, i.e. the SSL/TLS connection is aborted.

Output | Tag | What it means?
Yes | OK | TLS_FALLBACK_SCSV is supported by the host. Configuration meets recommendations.
Only 1 protocol supported | Warning | The server supports only 1 protocol. Fallback isn't possible.
No | Failed | It's recommended to enable TLS_FALLBACK_SCSV to protect against POODLE attacks.
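
The server-side decision described above, and the probe a scanner would use to produce the three outcomes in the table, can be modelled without a network. This is an added example, not the platform's own code; the server is simulated by a function, and supported, honours_scsv and the function names are illustrative. The cipher suite value 0x5600 and alert number 86 are those assigned to TLS_FALLBACK_SCSV and inappropriate_fallback in RFC 7507.

```python
TLS_FALLBACK_SCSV = 0x5600       # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86      # fatal alert (RFC 7507)
PROTOCOL_VERSION = 70            # fatal alert: no common protocol version
AES128_SHA = 0x002F              # TLS_RSA_WITH_AES_128_CBC_SHA, an ordinary suite
VERSIONS = {"SSLv3": 0x0300, "TLS 1.0": 0x0301,
            "TLS 1.1": 0x0302, "TLS 1.2": 0x0303}


def server_reply(supported, honours_scsv, hello_version, hello_suites):
    """Model of the server's decision for one Client Hello."""
    highest = max(VERSIONS[v] for v in supported)
    offered = VERSIONS[hello_version]
    if honours_scsv and TLS_FALLBACK_SCSV in hello_suites and offered < highest:
        # The client says it is retrying at a lower version, yet the server
        # supports something better: abort instead of accepting the downgrade.
        return "alert", INAPPROPRIATE_FALLBACK
    usable = [VERSIONS[v] for v in supported if VERSIONS[v] <= offered]
    if not usable:
        return "alert", PROTOCOL_VERSION
    return "server_hello", max(usable)


def check_fallback_scsv(supported, honours_scsv):
    """Scanner side: probe one version below the server's best, SCSV set."""
    if len(supported) < 2:
        return "Warning", "Only 1 protocol supported"
    downgraded = sorted(supported, key=VERSIONS.get)[-2]
    reply = server_reply(supported, honours_scsv, downgraded,
                         [AES128_SHA, TLS_FALLBACK_SCSV])
    if reply == ("alert", INAPPROPRIATE_FALLBACK):
        return "OK", "Yes"
    return "Failed", "No"
```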

TLSA DNS record configuration

Check if the TLSA record is correctly configured for the domain name.

This is a part of DNS-based authentication of named entities: RFC 6698. DNS-based Authentication of Named Entities (DANE) is a protocol to allow X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using Domain Name System Security Extensions (DNSSEC).

Output | Tag | What it means?
OK. <TLSA record details> | OK | TLSA record is correctly configured.
Not configured. | Warning | TLSA record is not configured for the domain name.
Configuration issue. <TLSA record details> | Warning | TLSA record has configuration issues.

Debian blacklist check

Check if the certificate's public key is present in the Debian blacklist.

Output | Tag | What it means?
OK | OK | The certificate's public key is not present in the Debian blacklist.
The certificate's public key is present in the Debian blacklist. | Failed | The certificate's public key is present in the Debian blacklist.

OCSP stapling enabled

Check if OCSP Stapling is enabled and analyse its response in order to check the SSL certificate's validity.

The Online Certificate Status Protocol (OCSP) is used for obtaining the revocation status of an X.509 digital certificate. It's on the Internet standards track: RFC 6960. It was created as an alternative to Certificate Revocation Lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP.

Output | Tag | What it means?
No | Warning | Host doesn't support OCSP stapling.
Certificate status: ok; Last update: 15 September 2017; Next update: 16 September 2017; Hash algorithm: sha1; Signature Algorithm: sha1withRSAEncryption; Issuer name hash: hash | OK | Host supports OCSP stapling.

Threat Intelligence Platform, LLC
