HackDig : Dig high-quality web security articles for hacker

Prevent Certificate Blunders with the Certificate Expiry Monitor

2015-12-08 07:50

HTTPS will be playing a bigger role in our lives thanks to initiatives like Let's Encrypt, but once you've implemented HTTPS on your site, the technology is not a one-and-done solution.

SSL certificates have a habit of expiring. This means webmasters have to get them reissued and update their service. If they fail to do so, invalid certificates will prevent them from carrying out secure transactions, and the website will be flagged as insecure in all modern browsers.

Big CAs (Certificate Authorities) that issue certificates also send out emails to their clients. Unfortunately, emails change, employees quit, and some people forget to forward important emails to the proper person inside a company.

Get a server to check for expiring certificates daily, and have it email you in advance

Here is where Certificate Expiry Monitor can come in to help. Certificate Expiry Monitor is a free service created by Remy van Elst, a system administrator from the Netherlands.

This is a basic service that allows users to enter a list of domains and an email address. Certificate Expiry Monitor will run daily scans of the domains and send out email notifications when the SSL certificates are about to expire.

Certificate Expiry Monitor will send emails three months before the certificate is about to expire, then again two months, one month, two weeks, one week, five days, three days, two days, and one day before the certificate expires.

It will also send an extra email on the day the cert expires, and two and seven days after the certificate expired, just for those people who are extremely busy and need after-the-fact reminders.

Certificate Expiry Monitor
Certificate Expiry Monitor

The best thing is that Certificate Expiry Monitor was open-sourced on GitHub, is written in PHP, and its low requirements allow anyone to install it and have it up on their run-of-the-mill shared-hosting account.

We can see the usefulness of this service, so Softpedia decided to have a talk with Mr. van Elst to shed more light on his project.

An idea that came out of the Gmail certificate fiasco

According to Mr. van Elst, the idea behind the project came to him after the infamous Gmail expired certificate debacle, which caused the service to shoot blanks for a couple of hours.

He created a Java app that could check domains for certificate expiry dates and then alert its owners. But because the app was done for one of his employers and it was... well... Java, he decided to start over from scratch, use something more universal, like PHP, and then open-source the whole code. And thus, Certificate Expiry Monitor was born.

It took him three days to put together the code, the service then entered a beta phase for three months, and is now up and running at full capacity for about a month or so.

"My software checks all certificates in the chain, so if Google had used it, they would have known a certificate would be expiring," said Mr. van Elst, referring to the Gmail incident.

Certificate Expiry Monitor may have arrived at the right time

"A lot of monitoring systems (think Nagios, Zabbix) do have checks for this, but not everybody is able to run their own monitoring system," Mr. van Elst added.

"Also, now with Let's Encrypt issuing 90-day valid certificates, people will probably set that up and forget it. Let's Encrypt promises automatic renewal, but that is not functional (yet). And, their target (everybody with a site, not just sysadmins) will probably play with the beta, and in three months might have an expired certificate. For those people, this service is excellent and simple."

But Let's Encrypt-issued certs are not the only ones that can be monitored with Mr. van Elst's tool, as he explains it himself. "Big CAs, like Comodo and Verisign will also send their customers emails when certificates expire. But, the person that bought the cert might not work at that organization anymore, or you might just want an extra check."

Since the service is open source, Certificate Expiry Monitor can be installed anywhere. For webmasters and companies that do not wish that their domains be connected to email addresses in someone's online database, system administrators can install a local instance and keep all the data inside their Intranet.

One example: "The Microsoft CA you can set up with Windows Server also has no notification of expiring certificates. Because it is open source, people can host it [Certificate Expiry Monitor] internally and have notifications for their internal stuff [for which] they can't or don't want to expose to the public Web."

Even regular users can take advantage. Mr. van Elst says he regularly checks his bank's certificate with his tool, ensuring his financial data and transactions are properly protected.

As you can see, there's a lot of meat on the bone with Certificate Expiry Monitor, and the service could have some potential as a paid-for utility. But because Mr. van Elst is quite the busy man, and as he regularly touts on his blog, a big supporter of open-source software, that's why we now have Certificate Expiry Monitor offered under the GNU AGPL license instead.

Overall, the service saw a spike in usage after being passed around on InfoSec communities on Reddit, as Mr. van Elst disclosed to us, and it seems that more and more people are turning to it to remind them of upcoming certificate renewal deadlines.

Oh, and there's also SSL Decoder

If you decide to check it out, don't forget to visit Mr. van Elst's other tool, SSL Decoder, another AGPL open-sourced Web service, one that inspects a Web server's SSL/TLS configuration.

SSL Decoder might remind some of you of the SSL Labs tests, but is much faster, and has some of its own perks.

"Mine is open source so you can host it internally," said Mr. van Elst for Softpedia. "It supports other protocols like IMAPS, you can specify IP's and other ports, and it checks a bit less so it's much more fast."

"There even is a fast mode, which is done in a second, the regular mode in about 12. The SSL Labs test takes about 2 to 5 minutes for comparison, but, they also check a lot of other things like browser support," Mr. van Elst also explained.

SSL Decoder
SSL Decoder

Source: 2dtMnclRmb1xmYtUGdhNWamlGdyV2YtQnblZXZyB3LzdXZu9SbvNmLhlGZlBHdm92cuM3dl52LvoDc0RHa/ca.ssr.dps

Read:2612 | Comments:0 | Tags:Security

“Prevent Certificate Blunders with the Certificate Expiry Monitor”0 Comments

Submit A Comment



Blog :

Verification Code:


Share high-quality web security related articles with you:)


Tag Cloud