HTTPS tools we wish we'd known about earlier

...and that you'll wish you knew about earlier too

July 12, 2021
We're Expedited Security. We help SaaS applications prevent and recover from attack, overcome regulatory or integration security requirements, or just stop "weird" traffic before it becomes a problem.

So you already know tcpdump, the openssl SSL client, the Mozilla SSL Configuration Generator and the SSL Labs test. Here's a couple of new tools, and a couple of different ways to use old tools, that the CertSimple team wish we knew about earlier.

badssl - live examples of improper SSL configurations

This awesome project from Chrome security developer Lucas Garron has live demonstrations of different conditions which would cause browser warnings, including expired certificates, out of date hash algorithms, weak key negotiation, incorrect hostnames, and more, each on their own subdomain. The most common ones are at the top of the page too.

It's super handy to demonstrate and replicate common SSL issues, as well as extremely rare ones. We're biased though: we pulled strings at our CA to get one of the custom certificates badssl uses. Go check out badssl and watch your browser light up in new and exciting ways!

scans.io - raw results from massive scale SSL scans

Need to see who's using different validation levels? Who's got improperly configured certificates? Who's using SNI or other tech?

Last time we needed to do a large scale SSL scan we wrote the code ourselves. Since then, we've discovered the scans.io repository of large scale SSL scan results, including handshakes, certificates and all the usual goodies you'd expect. This includes the Alexa top 1 million in JSON.

Your old whois command, once you know the query syntax

The command line whois tool just sends a query to the server. The format of that query depends on the server - which is why the whois docs don't properly tell you what the format is, and why most people deal with junk in their whois results. Thankfully, you can get junk-free results using a more exact query:

whois "domain microsoft.com"

Or set this up permanently in your .bash_profile:

function quick-whois () {
    command whois "domain ${1}"
}
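
The query-format point above, as an added example (not code from the original post): a WHOIS client sends a single CRLF-terminated line over TCP, so the `domain ` keyword is simply part of the string the server receives. The stub server, its records and its prefix-versus-exact matching are constructed assumptions so the script runs offline.

```python
import socket
import socketserver
import threading

def whois_query(query, host, port=43, timeout=5.0):
    """Send one WHOIS query line (RFC 3912) and return the whole reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # The entire protocol: one CRLF-terminated line, then read until close.
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

# Constructed records for the offline stub; not real registry data.
RECORDS = ["EXAMPLE.COM", "EXAMPLE.COM.JUNK.INVALID", "EXAMPLE.COM.SPAM.INVALID"]

class StubWhois(socketserver.StreamRequestHandler):
    """Assumed behaviour: bare name = prefix search, 'domain NAME' = exact match."""
    def handle(self):
        line = self.rfile.readline().decode("ascii").strip().upper()
        if line.startswith("DOMAIN "):
            hits = [r for r in RECORDS if r == line[len("DOMAIN "):].strip()]
        else:
            hits = [r for r in RECORDS if r.startswith(line)]
        reply = "".join(f"Domain Name: {h}\r\n" for h in hits) or "No match\r\n"
        self.wfile.write(reply.encode("ascii"))

def demo():
    """Run both query styles against the local stub and return the reply lines."""
    server = socketserver.TCPServer(("127.0.0.1", 0), StubWhois)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        bare = whois_query("example.com", host, port).splitlines()
        exact = whois_query("domain example.com", host, port).splitlines()
    finally:
        server.shutdown()
        server.server_close()
    return bare, exact

if __name__ == "__main__":
    bare, exact = demo()
    print("bare query  :", bare)
    print("domain query:", exact)
```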

OS X native Wireshark

Have a Mac? Inspect packets? There's now a native OS X Wireshark. It's still in Development Release, but if you own a Mac it's still better than the current stable X11 version.

Anything else? Check out the discussion on Hacker News.