Show HN: Simple SSL Scanner - michaelbuckbee
https://www.expeditedssl.com/simple-ssl-scanner

======
finnn
[https://www.expeditedssl.com/simple-ssl-scanner/scan?target_domain=expeditedssl.com](https://www.expeditedssl.com/simple-ssl-scanner/scan?target_domain=expeditedssl.com)

You only pass 4 out of 5 of our own test :P.

~~~
michaelbuckbee
I know, that signature check really only applies if you are buying long lived
certs as otherwise it'll be updated in your next renewal (which is the
situation we're in).

Though, you're probably right that I should upgrade it sooner (see, the
scanner is working and forcing people to upgrade - including myself).

~~~
finnn
I also don't pass that test, but I don't know how to fix it. Something that
bugs me about both this and the SSL Labs scanner is there's no guide to fixing
problems. Obviously it's different from webserver to webserver, but I feel
like at least Nginx and Apache suggestions should be there. Maybe lighttpd and
whatever else kids are using nowadays.

------
michaelbuckbee
I made this in large part because it can be so difficult to convince a non-
technical stakeholder of the importance of some security aspects. With the
report, this gets much easier.

~~~
chilgart
It's a neat site, but can you explain why I would use it over
[https://www.ssllabs.com/](https://www.ssllabs.com/)?

~~~
michaelbuckbee
I really like SSLLabs and their report, but it's really too technical to hand
to a lot of people.

Further, though this isn't really explained well, is that there are some
optional security elements like http->https redirection, HSTS that are just
blips on the SSLLabs report that I think should be of more importance.

The Simple report was meant to be a sort of executive summary, not a deep
dive.

~~~
jvdh
In all honesty, if the SSLLabs is too technical for you, you should not be
running a site that requires HTTPS.

~~~
MichaelApproved
I don't think OP is saying it's too technical for him/her, OP is saying it's
too technical for clients or managers who might not be technical but who are
responsible for approving changes.

Like it or not, many times non-technical people are in charge of approving
technical budgets and requirements.

------
leni536
Good site. I wasn't even aware of HSTS until now. Although the lack of HSTS
shouldn't affect users who check the URL bar for an https connection. On the
other hand there is no reason not to add this to the configuration since it
is trivial.

Also where is firefox's HSTS cache? Can I see it? It would be interesting.

~~~
aroch
Checkout: about:permissions

You can remove the HSTS cache per-site by selecting "Forget About This Site" --
HSTS is still cached in any currently opened tabs though.

------
ErikRogneby
I was just trying this out on some different sites. www.amazon.com got 2/5. I
tried www.whitehouse.gov and it didn't work. I went to check it and it appears
their certs aren't set up properly on the CDN they are using (akamai.net).
Embarrassing!

~~~
michaelbuckbee
They're fine. It's more they've made the decision to NOT force all their
visitors to SSL.

~~~
Artemis2
Also, most of the time, sites without a perfect forward secrecy policy are
sites intended to be accessed by a very wide crowd, including people still
running IE6 (and below). Sometimes you just can't push the new technologies
fast enough.

------
waterside81
If you permanently redirect http to https, is the HSTS header still needed?

~~~
jamoes
The HSTS header is valuable because it prevents all future requests from the
client from ever going over HTTP.

So, for example, after visiting Hacker News once, the next time you type
"news.ycombinator.com" into the URL bar, your browser will simply go directly
to [https://news.ycombinator.com](https://news.ycombinator.com), rather
than making the initial request to
[http://news.ycombinator.com](http://news.ycombinator.com) as it usually
would. This ensures that all future communications between the client and
server are over a secure channel.
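The browser behaviour jamoes describes (a cached HSTS policy upgrades an http URL before any request leaves the machine, so a 301 redirect alone still leaves the very first request exposed) can be modelled in a few dozen lines. The following is an added example, not code from the Simple SSL Scanner or from any browser; the `HstsCache` class, `parse_hsts` function and the sample headers are constructed for illustration, following the header semantics of RFC 6797 (`max-age`, `includeSubDomains`, and the rule that the header is only honoured on responses received over HTTPS):

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value into its directives.

    Returns None when the header is absent or carries no valid max-age,
    which is how a browser treats a malformed policy.
    """
    if not header_value:
        return None
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        return None
    return {"max_age": max_age,
            "include_subdomains": "includesubdomains" in directives}


class HstsCache:
    """Minimal model of a browser's HSTS store (constructed for this example)."""

    def __init__(self, now=time.time):
        self.entries = {}   # host -> (expiry timestamp, include_subdomains)
        self.now = now      # injectable clock so expiry can be demonstrated

    def observe(self, url, headers):
        """Record the policy from a response; ignored unless it came over HTTPS."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        policy = parse_hsts(headers.get("Strict-Transport-Security"))
        if policy is None:
            return False
        host = parts.hostname
        if policy["max_age"] == 0:
            self.entries.pop(host, None)   # max-age=0 tells the browser to forget the host
            return True
        self.entries[host] = (self.now() + policy["max_age"],
                              policy["include_subdomains"])
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        now = self.now()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= now:
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def resolve(self, url):
        """Return the URL the browser would actually fetch.

        An http URL for a known HSTS host is rewritten to https before any
        network traffic; anything else is requested as typed.
        """
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def demo_two_visits(cache):
    """First visit goes out as http (only a redirect can save it); after the
    https response sets HSTS, the second visit is upgraded locally."""
    first = cache.resolve("http://example.com/")
    # constructed response to the https request that the redirect led to
    cache.observe("https://example.com/",
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    second = cache.resolve("http://example.com/")
    return first, second


if __name__ == "__main__":
    print(demo_two_visits(HstsCache()))
```

The `demo_two_visits` function makes the thread's point concrete: with only a redirect, the first `http://` request is sent in the clear and could be intercepted before the server ever answers; once the policy is cached, the browser never emits that request again until `max-age` expires, which is why the scanner scores HSTS separately from the redirect.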

------
jfaucett
Anyone notice how Google issues themselves a certificate? For some crazy reason
I see different results when I sign my own certs on my server... man, the cert
issuer oligopoly sucks...

~~~
aroch
That's because Google is an intermediary CA[1]; pretty much all large
institutions that use certificates for authentication are. For example, a good
number of universities use Internet2 as a backbone and issue themselves certs
under an umbrella intermediary called InCommon.

Becoming an intermediary is hard and expensive because we want the CA system
to be as secure as possible. And some security measures and auditing take
money.

[1] [https://pki.google.com/](https://pki.google.com/)

~~~
jfaucett
I know, sorry, my irony wasn't that explicit I guess. Really I don't see how
making it hard and expensive to become a CA intermediary helps security at
all; it just means we have to trust those that have money and power, rarely
the best idea.

~~~
aroch
I would much rather trust people who jump through _some_ hoops to prove
they're secure than people who don't (or who routinely show that, despite the
hoop jumping, they're not -- looking at you, India CCA).

By and large, the process prevents fraudulent certificates, and at the cost of
$5/y, I'm not horribly upset.

Would the world be a better, more perfect place if the CA system were
organized differently? Maybe. But the likes of StartCom are not the answer
(predatory pricing is no bueno).

~~~
jfaucett
I think it depends on what you're comparing the current system with, right? I
mean sure, if it's either no hoop jumping or you have to pay some money, then you
can go figure ok, the person willing to give up bucks and go through the
trouble is probably a little more reliable because of that. But how is that
type of system ideal or secure? Currently, SSL certs give me very little
assurance that any data over the connection is not being backdoored/sniffed to
whomever, that the private certs aren't compromised, etc. I think we shouldn't
be trusting people because of hoops they go through, but because the system we
use doesn't allow fraudulent players to stay in the game. Personally, I'd like
to see it head in this direction:

[https://github.com/okTurtles/dnschain](https://github.com/okTurtles/dnschain)

Also, for some more background on some concerns with CAs see:
[https://konklone.com/post/certificate-authorities-are-actually-a-tremendous-problem](https://konklone.com/post/certificate-authorities-are-actually-a-tremendous-problem)

~~~
aroch
How is Namecoin any different? It's a pay-to-play system too. Decentralized
CAs are nice and all, but what happens when a state actor gains more than 50%
of the hash power and can then make their own certs at will? DNSChain is also
no better than GPG-signing all your assets in the end. You still have to trust
that "greg" is the "greg" that has "greg" in DNSChain and no one has
compromised "greg".

I would _love_ to see TACK[1] implemented first.

[1] [http://tack.io/](http://tack.io/)

