Public SSL Server Database Released
A new tool, the Public SSL Server Database, has been released by SSL Labs. It checks a website to determine whether its SSL certificate is correctly installed and whether the server is configured to negotiate only secure protocols and ciphers. Using the Public SSL Server Database, you can view relevant information from the certificate, including the key size, and see which protocols and cipher suites your server supports. The tool will help you determine whether you have installed the correct certificate and configured the server to use it as securely as possible. It even reports whether the SSL configuration of your site is PCI compliant and FIPS compliant.
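The same kind of check can be run locally against a server you own. The script below is an added example, not SSL Labs' code and not part of the original post: it offers each protocol version to the server on its own, records the cipher the server negotiates, and reads the RSA key size straight out of the certificate's DER with a minimal ASN.1 walker. The host name, the thresholds in assess() (no SSLv3, at least TLS 1.2, 128-bit ciphers, 2048-bit keys) and the constructed certificate built by fake_rsa_cert() for the offline demo are this example's own assumptions, not figures from the page or from the SSL Labs rating guide. Python's ssl module cannot speak SSLv2, so that check is out of scope here.

```python
"""Added example: probe a TLS server for supported protocol versions, negotiated
cipher strength and certificate key size, then flag weak settings. Stdlib only."""
from __future__ import annotations
import socket
import ssl
from dataclasses import dataclass, field

RSA_OID = bytes.fromhex("2a864886f70d010101")        # 1.2.840.113549.1.1.1 rsaEncryption

def der_read(buf: bytes, pos: int):
    """Decode the TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf: bytes, start: int, end: int):
    """List the TLVs inside a constructed (SEQUENCE-like) value."""
    out, pos = [], start
    while pos < end:
        out.append(der_read(buf, pos))
        pos = out[-1][2]
    return out

def rsa_modulus_bits(cert_der: bytes):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo and return the
    RSA modulus size in bits (None if the key is not RSA)."""
    _, s, e = der_read(cert_der, 0)                      # Certificate
    _, s, e = der_read(cert_der, s)                      # tbsCertificate
    fields = der_children(cert_der, s, e)
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    alg, bitstr = der_children(cert_der, fields[5][1], fields[5][2])[:2]
    oid = der_children(cert_der, alg[1], alg[2])[0]
    if cert_der[oid[1]:oid[2]] != RSA_OID:
        return None
    _, rs, _ = der_read(cert_der, bitstr[1] + 1)         # skip 'unused bits' byte -> RSAPublicKey
    _, ms, me = der_read(cert_der, rs)                   # modulus INTEGER
    return int.from_bytes(cert_der[ms:me], "big").bit_length()

def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (only used to build the constructed demo certificate)."""
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

def fake_rsa_cert(bits: int) -> bytes:
    """Constructed, unsigned certificate skeleton (assumption for the offline demo);
    the only meaningful content is an RSA SubjectPublicKeyInfo of the given size."""
    mod = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")   # top bit set -> exact length
    rsa_key = der_tlv(0x30, der_tlv(0x02, b"\x00" + mod) + der_tlv(0x02, b"\x01\x00\x01"))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
                   + der_tlv(0x03, b"\x00" + rsa_key))
    empty = der_tlv(0x30, b"")                           # stands in for fields never read
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + empty * 4 + spki)                    # version, serial, sigalg, issuer, validity, subject, spki
    return der_tlv(0x30, tbs + empty + der_tlv(0x03, b"\x00"))

VERSIONS = {"SSLv3": ssl.TLSVersion.SSLv3, "TLSv1": ssl.TLSVersion.TLSv1,
            "TLSv1.1": ssl.TLSVersion.TLSv1_1, "TLSv1.2": ssl.TLSVersion.TLSv1_2,
            "TLSv1.3": ssl.TLSVersion.TLSv1_3}

@dataclass
class Profile:
    host: str
    protocols: dict = field(default_factory=dict)       # version name -> accepted by server?
    ciphers: dict = field(default_factory=dict)         # version name -> (cipher, secret bits)
    key_bits: int | None = None

def probe(host: str, port: int = 443) -> Profile:
    """Offer each protocol version on its own and record what the server negotiates.
    Needs network access; a handshake failure is recorded as 'not supported'."""
    prof = Profile(host)
    for name, ver in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # inspect, do not trust
        try:
            ctx.minimum_version = ctx.maximum_version = ver
            ctx.set_ciphers("ALL:@SECLEVEL=0")           # let the client offer legacy suites too
            with socket.create_connection((host, port), timeout=5) as raw, \
                 ctx.wrap_socket(raw, server_hostname=host) as tls:
                cipher, _, bits = tls.cipher()
                prof.protocols[name], prof.ciphers[name] = True, (cipher, bits)
                prof.key_bits = prof.key_bits or rsa_modulus_bits(tls.getpeercert(True))
        except (ssl.SSLError, OSError, ValueError):
            prof.protocols[name] = False
    return prof

def assess(prof: Profile) -> list[str]:
    """Flag the kinds of misconfiguration a server check reports. The thresholds
    are this example's own assumptions, not the SSL Labs rating guide."""
    issues = []
    if prof.protocols.get("SSLv3"):
        issues.append("SSLv3 enabled")
    if not (prof.protocols.get("TLSv1.2") or prof.protocols.get("TLSv1.3")):
        issues.append("no TLS 1.2 or 1.3 support")
    for name, (cipher, bits) in prof.ciphers.items():
        if bits < 128:
            issues.append(f"{name}: weak cipher {cipher} ({bits} bits)")
    if prof.key_bits is not None and prof.key_bits < 2048:
        issues.append(f"RSA key is only {prof.key_bits} bits")
    return issues

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        p = probe(sys.argv[1])
    else:                                               # offline demo on a constructed profile
        p = Profile("example.invalid", {"SSLv3": True, "TLSv1": True, "TLSv1.2": False},
                    {"SSLv3": ("DES-CBC-SHA", 56), "TLSv1": ("AES128-SHA", 128)},
                    rsa_modulus_bits(fake_rsa_cert(1024)))
    print(p)
    for issue in assess(p):
        print(" -", issue)
```

Run it with a host name argument only against a server you are authorized to test; without an argument it grades the constructed profile. One caveat: a client built on a modern OpenSSL may refuse to offer SSLv3 or TLS 1.0 at all, and that shows up here as "not supported", which is a false negative rather than proof that the server rejects them.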
Mike Andrews commented on this tool, discussing how making this information public may make it easier for attackers to locate potential targets:
I’m not sure I like the idea of a publicly available database of SSL configurations, especially if I can’t control what data is in there about my own sites. It seems that anyone can institute a scan on any other site (which to be fair anyone can do with other tools), but that data is logged for all to see. Querying can be done only on domain name at the moment, but I would guess there’s nothing to stop the site being changed to “show me all the sites that use cipher XXXX”, which could be used maliciously, or doing a “name and shame”. Disclosure: Foundstone’s site is there with an ‘F’ after one of my esteemed colleagues put in “foundstone.com” (not “www.foundstone.com”, which is where the certificate points to). I believe this is a bit of a bug as it doesn’t take into consideration redirects, although I admit that there’s some risk (depending on the site configuration) and this is really splitting hairs.
The author, Ivan Ristic, notes that certificate information is already public, but displaying it the way the Public SSL Server Database does may make it easier for attackers to use. Ultimately, though, the author hopes that people will fix the problems the Public SSL Server Database detects, using the SSL Server Rating Guide that is also offered by SSL Labs.
Originally posted on Sun Jul 26, 2009