Netcraft has surveyed the state of TLS on the web since 1996 (see the SSL Survey). That long experience with the protocol lets us conduct thorough analysis of the TLS configurations used by our scanning targets, using a combination of our own software and industry-standard tools.
Audited by Netcraft begins by gathering all TLS certificate information from every SSL-powered service, accounting for variation due to SNI and certificate signature algorithms. It then determines further details such as supported ciphers, order of cipher preference, TLS extension support (e.g. ALPN, NPN, SessionTicket), signature algorithms and version tolerance. Our tool is built with non-standard configurations in mind, allowing it to collect accurate data even in cases where some industry-standard tools do not.
The information is then used to report any misconfigurations with various levels of security impact:
- Expired certificates, including timely warnings for certificates close to expiry
- Certificate issues that may affect in-browser use, e.g. missing SANs, self-signed certificates, custom roots
- Use of deprecated TLS protocols
- Use of weak ciphers and keys, as well as ciphers which are explicitly not approved by the PCI council
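As an added example (not Netcraft's own code), the function below applies the four report categories above to one endpoint's scan result: a certificate dict shaped like `ssl.SSLSocket.getpeercert()`, plus the protocol versions and cipher suites the server was observed to offer. The certificate, cipher list and clock value are constructed sample data; the marker substrings used to flag weak suites are an assumption, not the PCI Council's list.

```python
import ssl
import time

# Protocol versions reported as deprecated.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumed substrings marking weak suites (OpenSSL naming): NULL/EXP(ORT),
# RC4, (3)DES, MD5 MACs and anonymous key exchange.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "anon", "ADH", "AECDH")
EXPIRY_WARNING_DAYS = 30

def audit_tls(cert, protocols, ciphers, now=None):
    """Return a list of (severity, message) findings for one TLS endpoint."""
    now = time.time() if now is None else now
    findings = []
    # Expired, or inside the early-warning window before expiry.
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400
    if days_left < 0:
        findings.append(("high", "certificate expired %d days ago" % -days_left))
    elif days_left < EXPIRY_WARNING_DAYS:
        findings.append(("medium", "certificate expires in %d days" % days_left))
    # Issues that affect in-browser use: no SANs (browsers ignore the CN),
    # and a self-signed certificate (issuer equals subject).
    if not cert.get("subjectAltName"):
        findings.append(("medium", "certificate has no subjectAltName"))
    if cert.get("subject") == cert.get("issuer"):
        findings.append(("medium", "certificate is self-signed"))
    # Deprecated protocol versions the server still negotiates.
    for proto in sorted(set(protocols) & DEPRECATED_PROTOCOLS):
        findings.append(("medium", "deprecated protocol enabled: " + proto))
    # Weak cipher suites offered by the server.
    for suite in ciphers:
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append(("high", "weak cipher suite enabled: " + suite))
    return findings

# Constructed sample scan result: a self-signed certificate with no SAN,
# TLS 1.0 still enabled, and two weak suites alongside two strong ones.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "www.example.test"),),),
    "notBefore": "Jun  1 00:00:00 2024 GMT",
    "notAfter": "Jun  1 00:00:00 2025 GMT",
}
SAMPLE_PROTOCOLS = ["TLSv1", "TLSv1.2", "TLSv1.3"]
SAMPLE_CIPHERS = ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                  "DES-CBC3-SHA", "RC4-MD5"]
SAMPLE_NOW = ssl.cert_time_to_seconds("May 15 00:00:00 2025 GMT")  # fixed clock

def run_sample():
    return audit_tls(SAMPLE_CERT, SAMPLE_PROTOCOLS, SAMPLE_CIPHERS, now=SAMPLE_NOW)

if __name__ == "__main__":
    for severity, message in run_sample():
        print(severity, message)
```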
The next step involves active tests that probe the target directly, but safely, for specific vulnerabilities. This includes custom-written scripts for issues such as:
We support scanning both very recent (e.g. TLS 1.3) and long-deprecated (SSL 2.0) TLS technologies, as well as less common ones such as DTLS. Please contact us if you are using an unusual setup and we can discuss our tool’s capabilities for scanning it.