Security, privacy and data integrity are important properties of today’s Internet applications and protocols.The security and confidentiality of millions of Internet transactions per day depend upon the Secure Socket Layer (SSL)/Transport Layer Security (TLS)protocol.
Over the past few years, the SSL protocol has been subject to a series of successful attacks by security researchers, some exploiting flaws in deployed systems while others made use of social engineering and other forms of deception.
As the Internet is being used for many commercial activities, such as shopping, online banking, or electronic trading, the value of data has increased. Networking protocols and applications are therefore increasingly expected to protect critical data by providing encryption, data integrity, and, most importantly, entity authentication.
Suggested Read: Installation and Configuration of Free SSL – sslforfree.com
As these security goals are difficult to attain, application developers and protocol designers often rely on well-established security layers below their own protocols. The SSL and TLS protocol suites are used by many applications and protocols to provide a certain level of security, as they build on well-understood and thoroughly-analyzed cryptographic algorithms.
Always keep in mind that, although HTTP protocol is the protocol, which highly makes use of SSL, to secure communication. SSL is an application layer independent protocol. So you can use that with any application layer Protocol.
Basically SSL have three levels of security, that is:
- Authentication: Ensures that the received message is coming from someone who express.
- Confidentiality: Protecting a message from a business reading by unauthorized recipients along the journey.
- Integrity: Ensuring that the original message, do not change along the way.
Here we’ve listed out top 3 open source SSL scanners through which you can easily test your SSL/TLS server security.
SSLyze is one of the most powerful SSL/TLS server scanning command line tool which analyze the SSL Configuration of a server through which you can easily identify all the vulnerabilities, misconfigurations etc against your SSL server.
SSLyze has already been tested on various platforms like Debian 7, macOS High Sierra and Windows 10.
Github Link – https://github.com/nabla-c0d3/sslyze
Installation can easily be done directly via pip tool as follows:
Command: pip install –upgrade setuptools
Command: pip install –upgrade sslyze
Or you can directly clone the repository by run the following command:
Command: git clone https://github.com/nabla-c0d3/sslyze
Command: cd sslyze
Command: pipenv install –dev
Command: pipenv shell
SSLScan is designed to be easy, lean and fast. The output includes preferred ciphers of the SSL/TLS service, and text and XML output formats are supported. It is TLS SNI aware when used with a supported version of OpenSSL.
And you can even automate the whole process of conducting ssl scanning via Auto-sslscan which parses an nmap.xml output file, extracts all SSL services and automatically performs an sslscan.
Github Link – https://github.com/rbsec/sslscan
You can directly install this tool by run the following command:
Command: apt install sslscan
If for whatever reason you can’t install the above said package, follow the instructions here for statically building against OpenSSL.
It is a free command line tool which checks almost all major vulnerabilities like Heartbleed, CRIME, BREACH, Poodle, Beast etc. Testssl.sh script is pretty much portable and compatible with every Linux, Mac OS X and FreeBSD.
Github Link – https://github.com/drwetter/testssl.sh
Installation – To install this tool, run the following command in your terminal:
Command: git clone –depth 1 https://github.com/drwetter/testssl.sh.git
To test all vulnerabilities, the command is:
Command: ./testssl.sh -U <https://example.com>
In case, if you want to test a particular vulnerability, Let’s for example Heartbleed, then the command would be:
Command: ./testssl.sh -B <https://example.com>
For more information about this tool, you can refer to https://testssl.sh official website.