
Show HN: Snitch.io – SSL auditing and alerting - yourabi
https://snitch.io/
======
_asciiker_
I think you're trying to solve a non-problem since the company that sells the
certificates warns you (sometimes even more than those intervals); after all,
they want you to renew as well. As for checking for quality, that should be
the sysadmin's or the webmaster's task. Good luck though!

~~~
yourabi
Thanks for your feedback but I strongly disagree and I think recent history
supports that CAs don't do much for you once they've collected your payment.

CAs won't alert you if someone breaks into your server and replaces your
certificate. They won't alert you if you accidentally push a config change
and start serving the wrong certificate to customers... And they certainly
will not alert you if you are using a revoked certificate in production.

I've bought multiple certificates from different reputable vendors - I only
ever got one Heartbleed notice. (This pattern repeats itself)

Many shops don't have a dedicated admin / webmaster auditing their
certificates, and even those that do have had public issues (Akamai, Apple,
GitHub, Stripe, etc.).

The value in a service like Snitch is that we worry about your SSL
certificates. Many people don't have the interest or time to roll their own
home-grown monitoring of this stuff...

~~~
_asciiker_
"CAs won't alert you if someone breaks into your server and replaces your
certificate. They won't alert you if you accidentally push a config change
and start serving the wrong certificate to customers... And they certainly
will not alert you if you are using a revoked certificate in production."

You have valid points; my advice would be to make that part of the message as
clear as possible. As a sysadmin I could be a potential customer, but then
again, I already have to worry about certs I implement.

~~~
yourabi
Thank you for that feedback! It is very valuable to hear that I didn't message
this effectively - I'll work on improving that.

I'd love to chat more out-of-band - would you mind emailing me (this username
at currylabs.com or gmail.com)?

------
yourabi
We built Snitch to make it simple and easy to get a handle on your SSL
certificates. Our mission is to help people avoid getting blind-sided by SSL
issues - losing customers, reputation and business in the process.

We've been working on this for a few months and would appreciate any feedback
- thanks!

If anyone wants to email me directly it is my username at currylabs.com or
gmail.com

PS: If you are an Open Source project we offer free subscriptions.

~~~
johns
Who's "we"? You need an about page.

------
cddotdotslash
Idea is great, but pricing seems a bit expensive.

Have >25 certs? Add this check to Nagios:
[http://exchange.nagios.org/directory/Plugins/Network-Protoco...](http://exchange.nagios.org/directory/Plugins/Network-Protocols/HTTP/check_ssl_cert/details)

Saved you $200/month :)

~~~
leesfer
Yeah, especially since some people are offering this same service for free:

[http://voodooalerts.com/free](http://voodooalerts.com/free)

~~~
yourabi
Sorry, but that is not factually correct.

These are very different services.

Voodooalerts requires you to place JS on your page. Because of this I am sure
they cannot run the full suite of audits that Snitch does.

~~~
leesfer
No, Voodoo Alerts FREE has no JS. It's a server ping just like Pingdom or this
service, except it's free.

The full paid version of Voodoo Alerts requires JS to be installed, but that is
for RUM alerting.

Edit: you're right about it not doing everything that Snitch.io does, but
saving $10 a month on simple alerting sounds good to me.

~~~
yourabi
Thank you for visiting Snitch.io. Unfortunately, your statements are still not
correct.

I signed up for a free account on VA and put in a site with a revoked SSL
certificate. It has not generated an alert. It has been over 12 hours. It is
still prompting me to insert the JS on my site, by the way.

As to your second point: Snitch isn't simple alerting.

It runs a full range of tests on an SSL certificate: checking for expiration,
checking for revocation, checking that all of the intermediate certificates
have not been revoked, checking the certificate is valid for the domain
(including SNI), checking that the certificate isn't signed with a weak
algorithm such as SHA-1 that Chrome is about to deprecate, checking that the
certificate has not been changed (incorrect server config, malicious
intent...).

Snitch is not targeted at people who just need to know if their site is up or
down.

If you are a business and users browsing to your site get a big red
warning in their browser because your SSL certificate is
expired/revoked/weak/misconfigured - that is a problem and you lose money.
That is what Snitch is addressing.

~~~
leesfer
I should have mentioned that I am in the beta for VA and that feature doesn't
open up until next week for all users.

In fact I'm probably breaking terms mentioning it...

~~~
yourabi
Thanks for the clarification.

I was wondering if you were also going to mention that you are VoodooAlerts'
founder?

I, personally, think it is poor form to advertise features that don't exist
while pretending to be a customer of VoodooAlerts.

I wish you the best of luck with VoodooAlerts!

[https://twitter.com/Leesfer](https://twitter.com/Leesfer)

~~~
leesfer
Being a #2 employee isn't exactly a founder, now is it?

Good luck in this field, it's competitive :)

------
michaelmior
This seems potentially quite useful. It would be nice if it could also
notify you if your server is not configured according to best practices in
terms of things such as protocol versions and cipher suites.

~~~
yourabi
Thanks for the feedback!

That is definitely on the roadmap and will go out soon.

------
spacefight
Great idea, will definitely check it out.

Where are you incorporated, if at all? The terms say nothing about it. Who is my
contract party when I sign up?

~~~
yourabi
Thanks for the feedback.

We're in Oakland, California.

~~~
spacefight
And who's behind it?

------
bowlofpetunias
Great idea, will certainly give it a try.

Not a big fan of pricing plans that mix volume with features, always makes me
feel I'm being screwed when I only need one or the other. (Even though I might
be perfectly fine with paying the same amount if the pricing structure was
different.)

~~~
yourabi
Thank you for the feedback!

Definitely something we'll consider. Email me if I can help out in any way! HN
username at currylab.com / gmail.com

------
msane
I think this is a brilliant idea, and seeing what you've built I'm sort of
kicking myself for not having acted on the same idea. It's the sort of thing
that is feasible for a company to do on their own but is difficult enough that
it is very seldom done.

~~~
yourabi
Thank you for the kind words, msane.

------
evandena
$10 a month for one certificate seems kind of expensive, considering a script
with openssl can do the same thing for free.

And only 25 for enterprise? Our midsize business is currently using 416 certs.
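
As an added example (not code from the thread or from Snitch), here is the kind of "script with openssl" check evandena mentions, covering three of the audits yourabi lists above: days to expiry, validity for the hostname including wildcard SANs, and detection of a changed certificate via its fingerprint. It is stdlib-only Python working on the dict shape `ssl.SSLSocket.getpeercert()` returns; the `example.test` names, the DER bytes and the epoch values are constructed, and revocation and signature-algorithm checks are out of scope because the stdlib does not expose them.

```python
import hashlib
import socket
import ssl
import time

# Constructed sample in getpeercert() dict shape (not a real certificate);
# SAMPLE_DER stands in for getpeercert(binary_form=True).
SAMPLE_CERT = {
    "notAfter": "Mar 15 12:00:00 2024 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
}
SAMPLE_DER = b"\x30\x82\x01\x00 constructed DER placeholder, not a real certificate"

def days_until_expiry(cert, now=None):
    """Whole days left on notAfter (negative once expired); cert times are GMT."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def hostname_matches(cert, hostname):
    """Match SAN DNS entries: exact, or a wildcard in the leftmost label only."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def audit(cert, der, hostname, expected_fp=None, now=None, warn_days=30):
    """Return the problems an alert should fire for (empty list == healthy)."""
    findings = []
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append("expired %d days ago" % -days)
    elif days < warn_days:
        findings.append("expires in %d days" % days)
    if not hostname_matches(cert, hostname):
        findings.append("not valid for %s" % hostname)
    # A changed SHA-256 fingerprint means a config mistake or a replaced cert.
    if expected_fp and hashlib.sha256(der).hexdigest() != expected_fp:
        findings.append("certificate changed since last seen")
    return findings

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live fetch with SNI set; a failed verified handshake is itself a finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)
```

Run `audit(*fetch_peer_cert(host), host, stored_fingerprint)` from cron to get the alerting the thread discusses; note that `getpeercert()` only fills the dict after a verified handshake, so an unverifiable certificate surfaces as an `ssl.SSLError` rather than as a finding.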

~~~
iancarroll
Can I ask how you've created 416 certificates for a mid size company? Holy
shit, lol.

Unless those include SMIME certs, but still...

~~~
evandena
Lots of internal web services, web servers, VM hosts, MQ channels, LDAP
stores, etc (times 5, for different platforms and locations). Everything gets
a cert, haven't been using wildcards. Lots of internal signed certs, but they
suffer the same problems that this service is trying to solve.

------
ef4
I use and really like [http://wormly.com](http://wormly.com).

Their monitoring includes SSL cert validity, among many other things.

------
junto
Cool idea. I had the same idea back when Heartbleed was in full swing. Nice to
see that someone has actually executed the idea. Bravo!

~~~
mobiplayer
There are various implementations of the same idea out there and they've been
there for long.

In any case, very nice execution on the front end. Good job.

~~~
yourabi
Thank you!

We're constantly improving and adding extra checks.

------
yugcesofni
Considering you can get much of this functionality from programs created by
CAs (for example, [https://www.digicert.com/cert-inspector.htm](https://www.digicert.com/cert-inspector.htm)
from my CA), this seems... way too expensive.

~~~
yourabi
There are some pretty crucial and obvious differences between these two
products.

Does DigiCert provide any guarantees on how often they monitor your
certificates? Do they offer any alert mechanisms other than email? Do they let
you monitor certificates that are on your critical path but not necessarily
ones you own (partners, etc.)?

You also mention cost, but since you are not paying them you are not their
customer - you are their product.

Snitch is clearly aligned with customers since our goal is to help you succeed
at securing your site. Our goal is to make it easy for you (site owner) to do
the right thing and provide a good experience to your customers.

------
spindritf
You do more than that but really the CA should handle alerts about expiring
certificates. They have full knowledge of all certificates, and contact to the
responsible party.

~~~
rficcaglia
True, but then you need to actually renew it and then install it... too many
times tickets are filed but get put at the bottom of the list until the last
minute, or worse, a customer reports the nasty browser security warning page.

Though I do wonder if "this is a feature, not a company"?

~~~
yourabi
Thanks for the feedback.

We're constantly improving and rolling out new features. We're confident that
over time your question will become less of a question :-)

------
Thaxll
Better off using your own solution with Nagios or something similar.

