HTTPS, the protocol that secures the web, is broken. Okay, maybe not entirely broken. But it is constantly teetering on a knife edge. The Internet, although developed to be entirely open, now depends on Transport Layer Security (TLS) to securely deliver websites and other web-based services. However, as we recently highlighted in our 2019 TLS Telemetry Report, a surprising number of the world’s most popular sites have HTTPS configuration issues that can lead to passive and active attacks against unsuspecting victims. Thousands of websites still offer vulnerable cryptographic ciphers, such as RC4, and almost 4 percent of sites in the Alexa top 1 million still offer the broken SSLv3 protocol. Many more fail to take advantage of updates to TLS and other supporting protocols that can help close the security gaps that TLS leaves open.
To get started with Cryptonice visit the Github repository at https://github.com/F5-Labs/cryptonice.
Why Do We Need to Monitor HTTPS?
Well, the TLS protocol is relatively complex and not well understood. A simple TLS connection is composed of three core components:
- Handshake: in which a client and server must agree on the cryptographic algorithms and keys to use
- Certificates: digitally signed documents that provide authenticity and trust, ensuring each party is communicating with the entity it believes it is
- Record protocol: responsible for encrypting the actual communications between each system
Each of these components has its own set of protocols, ciphers, standards, key sizes, and nuances— and yet this is still a hugely simplified view that doesn’t consider the numerous other factors that make up a successful TLS connection. It’s not surprising, therefore, that many organizations seeking to deploy a secure HTTPS site simply install a certificate, quickly check that an HTTPS connection can be made, and then walk away. Job well done.
However, the TLS protocol is constantly evolving and additional protocols have emerged that help to close the door on some potential threat vectors, particularly when a client and server first connect and perform the handshake. Since many organizations do not regularly review their TLS deployments, these improvements and additional tools are never used.
F5 Labs believes that everyone should have strong and well configured HTTPS connections to their sites, whether on the web or deployed internally within an organization. We also believe that Crypto should be, well, nice, not harmful or intimidating.
To help developers, application owners and infrastructure engineers accomplish this, F5 Labs is releasing its new publicly available tool, Cryptonice.
Cryptonice is a command-line tool and Python library that allows a user to examine the TLS configuration, certificate information, web application headers and DNS records for one or more supplied domain names.
Using default arguments, Cryptonice will scan the target site on port 443, check for HTTP (port 80) to HTTPS (port 443) redirects, look for DNS CAA records, test the TLS connection and certificate, and check for the availability of HTTP/2.
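To make the kinds of checks listed above concrete, here is a small, self-contained Python example of the evaluation step: it takes a scan result and turns it into findings for broken protocols, weak ciphers, certificate expiry and hostname mismatch, a missing HTTP-to-HTTPS redirect, a missing HSTS header and an absent CAA record. This is an added example written for this article, not Cryptonice's own code; the `scan` dictionary layout and the two sample results are constructed for illustration and are not Cryptonice's output format. The `live_probe` helper, which uses only the standard library, shows how the negotiated parameters can be obtained from a real handshake but is not required for the offline evaluation.

```python
"""TLS/HTTPS hygiene evaluation. Added example, not Cryptonice's code.
The scan-result layout below is a hypothetical dictionary, not Cryptonice's format."""
import socket
import ssl
from datetime import datetime, timezone

# Versions that should never be offered: SSLv3 is broken, TLS 1.0/1.1 are deprecated (RFC 8996).
BROKEN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names that mark broken or deprecated algorithms
# (RC4, single/triple DES, NULL encryption, export grades, anonymous DH, MD5 MACs).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "ADH", "AECDH", "MD5")
# Fixed "current time" so the constructed samples evaluate deterministically.
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def live_probe(host, port=443, timeout=5):
    """Network helper: one handshake with a modern client context, returning the
    negotiated protocol, cipher and leaf-certificate expiry (needs connectivity)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "cert_not_after": cert["notAfter"]}


def hostname_matches(hostname, san_names):
    """Exact SAN match, or a single-label wildcard in the leftmost position only."""
    host_labels = hostname.lower().split(".")
    for name in san_names:
        labels = name.lower().split(".")
        if labels == host_labels:
            return True
        if labels[0] == "*" and len(labels) == len(host_labels) and labels[1:] == host_labels[1:]:
            return True
    return False


def evaluate(scan, now=None):
    """Return a list of (severity, message) findings for a scan-result dict."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for proto in scan["protocols_offered"]:
        if proto in BROKEN_PROTOCOLS:
            findings.append(("HIGH", f"{proto} offered"))
    for cipher in scan["ciphers_offered"]:
        if any(marker in cipher for marker in WEAK_CIPHER_MARKERS):
            findings.append(("HIGH", f"weak cipher offered: {cipher}"))
    # ssl.cert_time_to_seconds parses the 'notAfter' format returned by getpeercert().
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(scan["cert_not_after"]), timezone.utc)
    days_left = (not_after - now).days
    if days_left < 0:
        findings.append(("HIGH", "certificate expired"))
    elif days_left < 30:
        findings.append(("MEDIUM", f"certificate expires in {days_left} days"))
    if not hostname_matches(scan["hostname"], scan["cert_san"]):
        findings.append(("HIGH", "certificate does not match hostname"))
    if not scan["redirects_http_to_https"]:
        findings.append(("MEDIUM", "port 80 does not redirect to HTTPS"))
    if "strict-transport-security" not in {h.lower() for h in scan["headers"]}:
        findings.append(("MEDIUM", "HSTS header missing"))
    if not scan["caa_records"]:
        findings.append(("LOW", "no DNS CAA record"))
    return findings


# Constructed sample results (not real sites) in the hypothetical layout above.
WEAK_SCAN = {
    "hostname": "www.example.com",
    "protocols_offered": ["SSLv3", "TLSv1", "TLSv1.2"],
    "ciphers_offered": ["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA"],
    "cert_not_after": "Jan 20 00:00:00 2025 GMT",
    "cert_san": ["example.com"],
    "redirects_http_to_https": False,
    "headers": {"Content-Type": "text/html"},
    "caa_records": [],
}
GOOD_SCAN = {
    "hostname": "www.example.com",
    "protocols_offered": ["TLSv1.2", "TLSv1.3"],
    "ciphers_offered": ["TLS_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256"],
    "cert_not_after": "Jun 15 00:00:00 2026 GMT",
    "cert_san": ["example.com", "*.example.com"],
    "redirects_http_to_https": True,
    "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    "caa_records": ['0 issue "letsencrypt.org"'],
}

if __name__ == "__main__":
    for label, scan in (("weak", WEAK_SCAN), ("good", GOOD_SCAN)):
        print(label, evaluate(scan, FIXED_NOW) or "no findings")
```

The cipher check is deliberately name-based so it works on any scanner's output; a real deployment check should also confirm that the server actually negotiates the weak suites, since a name in an advertised list is only a risk if the handshake completes with it.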