HTTPS tools we wish we'd known about earlier

...and that you'll wish you knew about earlier too

By Mike on 20th July 2015

So you already know tcpdump, the openssl SSL client, the Mozilla SSL Configuration Generator and the SSL Labs test. Here's a couple of new tools, and a couple of different ways to use old tools, that the CertSimple team wish we knew about earlier.

badssl - live examples of improper SSL configurations

This awesome project from Chrome security developer Lucas Garron has live demonstrations of different conditions which would cause browser warnings, including expired certificates, out of date hash algorithms, weak key negotiation, incorrect hostnames, and more, each on their own subdomain. The most common ones are at the top of the page too.

It's super handy to demonstrate and replicate common SSL issues, as well as extremely rare ones. We're biased though: we pulled strings at our CA to get one of the custom certificates badssl uses. Go check out badssl and watch your browser light up in new and exciting ways!

scans.io - raw results from massive scale SSL scans

Need to see who's using different validation levels? Who's got improperly configured certificates? Who's using SNI or other tech?

Last time we needed to do a large scale SSL scan we wrote the code ourselves. Since then, we've discovered the scans.io repository of large scale SSL scan results, including handshakes, certificates and all the usual goodies you'd expect. This includes the Alexa top 1 million in JSON.

Your old whois command, once you know the query syntax

The command line whois tool just sends a query to the server. The format of that query depends on the server - which is why the whois docs don't properly tell you what the format is, and why most people deal with junk in their whois results. Thankfully, you can get junk-free results using a more exact query:

whois "domain microsoft.com"

Or set this up permanently in your .bash_profile:

function quick-whois () {
    command whois "domain ${1}"
}
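
What the whois command does on the wire, as an added example that is not from the original post: a WHOIS client (RFC 3912) opens a TCP connection to port 43, sends one line and reads until the server closes the connection. The function names and the loopback stand-in server are assumptions made for illustration; the `domain` keyword is the one from the query above and only has meaning on servers that support it.

```python
import socket
import socketserver
import threading

def build_query(domain: str, keyword: str = "domain") -> bytes:
    """Return the exact bytes sent to the server: one line ending in CRLF."""
    domain = domain.strip().lower()
    # Allow only printable, non-space ASCII: a space or CR/LF inside the
    # name would change what the server parses as the query.
    if not domain or any(not 0x21 <= ord(c) <= 0x7E for c in domain):
        raise ValueError(f"not a plain domain name: {domain!r}")
    prefix = f"{keyword} " if keyword else ""
    return f"{prefix}{domain}\r\n".encode("ascii")

def whois(server: str, domain: str, keyword: str = "domain",
          port: int = 43, timeout: float = 10.0) -> str:
    """Send one query and return everything the server sends before closing."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(build_query(domain, keyword))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

class EchoHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a WHOIS server: echoes the query line it got."""
    def handle(self):
        self.wfile.write(b"query=" + self.rfile.readline())

def demo():
    """Run both query forms against the loopback stand-in (no network needed)."""
    with socketserver.TCPServer(("127.0.0.1", 0), EchoHandler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        host, port = srv.server_address
        try:
            return (whois(host, "microsoft.com", port=port),
                    whois(host, "microsoft.com", keyword="", port=port))
        finally:
            srv.shutdown()

if __name__ == "__main__":
    for reply in demo():
        print(repr(reply))
```

To query a real server, pass its hostname as `server` and leave `port` at 43.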

OS X native Wireshark

Have a Mac? Inspect packets? There's now a native OS X Wireshark. It's still in Development Release, but if you own a Mac it's still better than the current stable X11 version.

Anything else? Check out the discussion on Hacker News.

Mike MacCana, founder at CertSimple.
