How’s your SSL security doing?

Let me tell you a story…

It was in your TodoList: install the SSL certificate.

So you’ve set up your SSL certificate on the web server. It’s quite trendy to use SSL. Google will give you a modest ranking bump, some users will feel safer, all is good.

You have even tested your configuration with Qualys and got an A+. Good job: most get a C, even banks.

Now what? What will happen when your cert is about to expire? Your CA will send a renewal reminder by email. But maybe someone in the accounting department will get that email.

Also, it’s a wildcard certificate, valid for *, which has been installed on 12 different servers. You’ll have to update each one of them… including that 13th server you’d never heard about.

Also, you’re about to discover the work of that intern last summer… He installed the cert on the new server, but Qualys rates it F because he used the default nginx configuration. You didn’t know.

Also, your HAproxy servers use etcd or similar to dynamically update their configuration. But the new cert was put into HAproxy’s generated configuration instead of the template it is generated from, so the next update silently restored the old one: your users get a security error, because the cert has expired.

Also, it’s now official, SSLv3 should be phased out: after all, it’s 20 years old now. But some of your servers are still configured to use it… Nope, not all of them, only some of them: find them!

Also, you’ve decided it’s stupid to pay for certs: let’s use Let’s Encrypt instead! But you now have 13 certs (no wildcard certs yet), which you must renew every 90 days. You have crons on the servers (or hope so, who knows), but some will fail, sometimes. Next year, you’ll have 22 servers, and certs.

Also, you should really not use MD5 in ciphers anymore… Actually, among the 200+ OpenSSL cipher suites, more than half are considered insecure or dangerously so. And it’s hard to make time, and remember, to check each server.
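The three failure modes above (a cert quietly expiring, a deprecated protocol still negotiated, a weak cipher still accepted) are exactly what a monitor should turn into alerts. As an added illustration, not SSLPing’s code, here is a small Python check built on the standard `ssl` module; `assess()` is pure so it can be exercised offline, and `check_endpoint()` does one real handshake (the 14-day warning threshold and the weak-cipher marker list are assumptions):

```python
import socket
import ssl
import time
from typing import List, Optional

# Substrings that mark a negotiated OpenSSL cipher-suite name as weak (assumed list).
WEAK_CIPHER_MARKERS = ("MD5", "RC4", "DES", "NULL", "EXPORT", "ADH", "AECDH")
DEPRECATED_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def expiry_epoch(not_after: str) -> float:
    """Parse a notAfter string as ssl.getpeercert() reports it, e.g. 'Jun  1 12:00:00 2025 GMT'."""
    return ssl.cert_time_to_seconds(not_after)


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days left on the certificate; negative if it has already expired."""
    current = time.time() if now is None else now
    return (expiry_epoch(not_after) - current) / 86400


def assess_cipher(cipher_name: str) -> str:
    """'weak' if the suite name carries a known-bad marker, else 'ok'."""
    return "weak" if any(m in cipher_name for m in WEAK_CIPHER_MARKERS) else "ok"


def assess(not_after: str, cipher_name: str, protocol: str,
           warn_days: int = 14, now: Optional[float] = None) -> List[str]:
    """Return findings for one endpoint; an empty list means nothing to alert on."""
    findings = []
    days = days_until_expiry(not_after, now)
    if days < 0:
        findings.append("certificate expired %.0f days ago" % -days)
    elif days < warn_days:
        findings.append("certificate expires in %.0f days" % days)
    if assess_cipher(cipher_name) == "weak":
        findings.append("weak cipher negotiated: " + cipher_name)
    if protocol in DEPRECATED_PROTOCOLS:
        findings.append("deprecated protocol negotiated: " + protocol)
    return findings


def check_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """One TLS handshake against host:port, then assess what was negotiated.
    The default context verifies the chain and refuses old protocols, so a
    handshake failure is itself reported as a finding rather than raised."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
                cipher_name, protocol, _bits = tls.cipher()
    except (ssl.SSLError, OSError) as exc:
        return ["handshake failed: %s" % exc]
    return assess(not_after, cipher_name, protocol)
```

Run it from a cron job over your inventory of hosts and page on any non-empty result, instead of relying on the CA’s reminder email.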

Strangely, SSL monitoring is not a thing yet

You thought using SSL was not so complex, but maintaining SSL can be a daunting task. You have checked many things, but you’ve monitored nothing. What was correct yesterday may be broken tomorrow.

Out of the millions of websites using SSL today, most are insecure by today’s standards, when they don’t simply stop working because a cert has expired. And Google has announced it will harden Chrome’s SSL policy this year.

Strangely, SSL monitoring is not a thing yet. You’re already monitoring uptime, performance, business, but not SSL security.

We believe security should be monitored

SSLPing was created to remedy this precise problem, because we’ve suffered it ourselves. It’s faster than other solutions, for both one-off checks and continuous monitoring. SSLPing relies on handcrafted SSL handshakes to have the least impact on your servers: you won’t notice it.

And it’s only the beginning. We believe security should be monitored, with a free and simple tool to allow everyone to preserve the security and privacy of their users. With continuous checks, the internet will become a safer place. Privacy will be guaranteed, and monitored.

Written by Chris Hartwig.