Ha. Their EV test (which they say you should be able to connect to, if your browser is "good") uses a certificate that expired Aug 10 2022: https://extended-validation.badssl.com
Yeah there's a GitHub repo behind this and there's comments from past times it has expired. Essentially it requires a public CA to issue an EV cert for them, which is hard to maintain and rotate. I think Mozilla and DigiCert worked on this iirc.
Many of their other non-EV certificates are expired as well, for example: https://sha384.badssl.com/
To be fair finding working SSL sites is easy. Broken ones, especially for uncommon reasons, are the problem. I have used BadSSL for such tests many times in the past.
I believe 384 has the same problem: most CAs use RSA-2048/SHA-256 signatures and very few do 2048/384 (which this certificate is doing), especially on demand (ACME has no parameter to control hash function selection by the requester for instance)
SHA384 with P-384 is much more common (and tested elsewhere on the site); what is unique about this one is using a larger hash with RSA keys.
Like some of the other certs, it requires partnerships with CAs willing to bend their process a little for the sake of publicly available test infra.
Which is why security via corporate checkboxes _decreased_ security. "We verify the company address by having someone physically check it" sounds great on paper (the currency of C levels), but everyone else understands that this means you won't be renewing/rotating it as often.
Security is about tradeoffs. What's the benefit in rotating certificates, if the certificate is issued to the wrong entity?
Though on a second thought I'm not sure what you're getting at. Certificate renewal isn't optional. It's valid for however long it's valid.
Related: here is my collection of links/domains which are useful, but difficult to search for on Google.
DNS / Networking:
- http://neverssl.com/ - manually trigger a paywall / login screen on public wifi networks
- https://ifconfig.co - Simplest way to get own IP address, especially from scripts.
Web development:
- http://vcap.me, http://lvh.me - Main domain and all subdomains resolve to localhost.
- http://nip.io - Subdomains resolve to that IP Address, e.g. `127.0.0.1.nip.io`
- https://httpstat.us - simple service to generate desired response codes
- https://badssl.com - test SSL client configuration against many invalid certificates
- https://permission.site/ - test various permission requests
Anyone have any other good candidates?
https://httpbin.org/ is really great. Actually you can do
to get your IP address, so no need to remember an additional domain. Although I think everyone knows https://icanhazip.com
My go-to web services were
https://www.mail-tester.com/ - fantastic to check your homebrew mailserver for compliance
https://gwhois.org/ - online whois tool, I liked it a lot, but I no longer remember why
https://mxtoolbox.com - a larger collection of online tools, among them a service to check your domain if it's listed on different email spam lists
> online whois tool, I liked it a lot, but I no longer remember why
Well, having whois along with DNS popular records: MX, A, SOA, TXT, NS - is helpful. Thanks.
IntoDNS [1] is also a nice tool to detect some common DNS configuration issues.
[1] https://www.intodns.com/
https://httpdump.io/ is a good one too.
Qualys [1][2] for testing SSL of publicly accessible sites.
TestSSL.sh [3] for testing SSL of any site including private endpoints you can reach from your machine; only requires openssl and bash.
SecurityHeaders [4] for testing what headers are missing from a website.
URLScan [5] for diagnosing a website's behavior.
bgp.he.net [6] for looking up information about an IP/AS number/domain.
Robtex [7] also for looking up information about IP/AS/domain as well as org mapping.
WhatIsMyDNS [8] for checking DNS propagation; re-run this 3 times as their probe timeouts are way too low.
Old-school VirusTotal [9] for old browsers for scanning malware.
WhoisDS [10] targeting newly registered domains.
Mozilla TLS configuration tool [11] for setting up proper TLS/HTTPS configuration on Nginx, Apache, HAproxy, etc.
Certificate Search [12] for cert transparency logs, certificate fingerprints and more.
Thousand Eyes [13] free dashboard on a commercial site.
DownDetector [14] for uptime of popular sites and services.
EDNS Validator [15] for verification of your DNS EDNS support.
Shodan [16] for looking up detected vulnerabilities of an IP.
W3C Validator [17] for testing HTML/CSS.
[1] - https://www.ssllabs.com/ssltest/
[2] - https://dev.ssllabs.com/ssltest/
[3] - https://github.com/drwetter/testssl.sh
[4] - https://securityheaders.com/
[5] - https://urlscan.io/
[6] - https://bgp.he.net/
[7] - https://www.robtex.com/
[8] - https://www.whatsmydns.net/
[9] - https://www.virustotal.com/old-browsers/
[10] - https://www.whoisds.com/
[11] - https://ssl-config.mozilla.org/
[12] - https://crt.sh/
[13] - https://www.thousandeyes.com/outages/ [commercial site but priceless in my opinion]
[14] - https://downdetector.com/
[15] - https://ednscomp.isc.org/ednscomp?zone=ycombinator.com
[16] - https://www.shodan.io/
[17] - https://validator.w3.org/
I forgot to add WiGLE [18] WiFi wardriving information about access points around the world.
[18] - https://wigle.net/
If you are looking for some other bad TLS configs, I run a site that augments this at https://badtls.io/.
Your certs are all self-signed, so testing against them doesn't really help somebody unless they go out of their way to trust your root.
BadTLS covers some scenarios that public CAs cannot sign certificates for, e.g. a certificate that expired in the 1960s.
Your statement is correct.
BadTLS explicitly exists to test certs that you generally should not, but often do, run into in the wild. As a result, most software handles these in poor ways, with error messages that are unhelpful at best.
Writing tests that utilize a custom root doesn’t seem all that much work for a library supporting TLS.
I actually love this site.
It's a great way to do baseline sanity checking on any service provider you are using or assessing for use. How well they manage and configure certificate functionality is a good indicator of whether they are on top of things generally.
(also a good way to check up on your own internal IT department as well).
It's something that really ought to exist.
I can imagine the cert providers getting mad at them for having intentionally wrong certificates. Hope they're smarter than that, but if not, this site is well enough done that I think they will stick up for themselves.
It's an excellent resource for developer tooling. Use it for Lighthouse / Chromium all the time.
I am dense and so don’t get what this site is showing me. Can someone explain?
It provides examples of various broken and good SSL configurations.
Thank you. I wish that was explained. I thought it was testing my browser somehow.
To some extent, it is. Maybe https://badssl.com/dashboard/ explains it better? Half their certificates are expired though.
In a sense, you test how much your browser complies with the strictest server configurations and how lax it is with incorrect/out-of-date configurations.
Used that site recently to implement a cert monitor in just a few minutes rather than the hours I had planned. Really valuable resource
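A minimal cert monitor of the kind the comment above describes, added here as an example (not code from the thread or from badssl.com): it connects with a verifying context so that badssl.com's deliberately broken hosts surface as verification errors, and reports days-to-expiry for hosts that do verify. The sample certificate dict is constructed to mirror the shape `getpeercert()` returns, using the *.badssl.com dates quoted later in the thread; the hostnames are the ones mentioned in the discussion.

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns,
# shaped after the *.badssl.com validity dates quoted in the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.badssl.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notBefore": "Aug 12 07:57:46 2022 GMT",
    "notAfter": "Nov 10 06:57:45 2022 GMT",
}


def expiry_epoch(cert):
    """Seconds since the epoch at which the certificate's notAfter falls."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def days_until_expiry(cert, now=None):
    """Whole days (floored) from `now` until notAfter; negative once expired."""
    now = time.time() if now is None else now
    return int((expiry_epoch(cert) - now) // 86400)


def check_host(host, port=443, warn_days=14, timeout=5.0):
    """Classify a host as ok / expiring / invalid / error with a reason."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                days = days_until_expiry(tls.getpeercert())
                state = "ok" if days > warn_days else "expiring"
                return {"host": host, "state": state, "days_left": days}
    except ssl.SSLCertVerificationError as e:
        # OpenSSL's verify text, e.g. "certificate has expired"
        return {"host": host, "state": "invalid", "reason": e.verify_message}
    except (OSError, ssl.SSLError) as e:
        return {"host": host, "state": "error", "reason": str(e)}


if __name__ == "__main__":
    # Hosts named in the thread; the broken ones should report "invalid".
    for h in ["badssl.com", "extended-validation.badssl.com",
              "sha384.badssl.com", "no-common-name.badssl.com"]:
        print(check_host(h))
```

Running the script needs network access; the pure helpers work offline on any `getpeercert()` dict.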
Hmm, Firefox can still connect to some of these.
lol, their EV cert is expired
I don't see an EV for this domain. How did you find out?
Common Name (CN) *.badssl.com
Organization (O) <Not Part Of Certificate>
Organizational Unit (OU) <Not Part Of Certificate>
Common Name (CN) R3
Organization (O) Let's Encrypt
Organizational Unit (OU) <Not Part Of Certificate>
Issued On Friday, August 12, 2022 at 7:57:46 AM
Expires On Thursday, November 10, 2022 at 6:57:45 AM
SHA-256 Fingerprint EE 5C E1 DF A7 A5 36 57 C5 45 C6 2B 65 80 2E 42 72 87 8D AB D6 5C 0A AD CF 85 78 3E BB 0B 4D 5C
SHA-1 Fingerprint 8C 02 16 86 C6 E3 6C F2 07 94 75 81 D4 D4 C7 2F B5 9E C3 A5
I believe they're talking about the one at https://extended-validation.badssl.com/
Ah I see. Thanks.
Actually a lot of them. The record is probably held by "This server could not prove that it is no-common-name.badssl.com; its security certificate expired 829 days ago." (but haven't checked each one).