I'm pleased to announce a feature of HackMyCF that I've been excited about for a while: SSL / TLS Scanning.
If you stay up to date with security news you know that there have been a large number of vulnerabilities or weaknesses discovered in SSL or TLS protocols and implementations. For example, we have LogJam, Heartbleed, POODLE, CRIME, BEAST, and those are just the ones with cool names :)
While we have been issuing warnings when SSLv2 and SSLv3 (poodle) are enabled for a while, but here are some of the new checks we have added:
- Warn if TLS 1.2 is not enabled
- LogJam: Weak DH Group Size (less than 2048 bits) and some common prime warnings (not fully inclusive)
- Warn if SSL Certificate will expire soon, or is expired
- Warn if certificate is signed with SHA1 (will cause warnings/errors in recent Chrome versions)
- Warn if TLS compression is enabled (CRIME)
- Test for OpenSSL Heartbleed vulnerability
- Warn if Public Key Size less than 2048 bits
Here's a screenshot from an example HackMyCF report:
Customers can enable this feature if they have set protocol = HTTPS in their server settings.