SSL/TLS

Secure Sockets Layer/Transport Layer Security (SSL/TLS) testing is the process of evaluating the security and configuration of SSL/TLS protocols on a web server, making sure that data transmitted over the internet is encrypted and secure. It typically involves checking certificate validity (correctly installed and not expired), reviewing configuration (strong encryption algorithm and protocol usage), and vulnerability scanning (susceptibility against known attacks).

Tools

We can use tools, such as Qualys Online test or Burp Suite's SSL Scanner extension to quickly check for SSL/TLS issues.

Check OWASP's best practices and/or individual ciphers on CipherSuite by copying their RFC name.

nmap --script ssl-cert,ssl-enum-ciphers -p 443 www.example.com

sslyze can analyze the SSL/TLS configuration of a server by connecting to it, in order to ensure that it uses strong encryption settings and that it is not vulnerable to known TLS attacks:

sslyze --regular example.com:443

Resources

A great video showcasing how to test for SSL/TLS misconfigurations with testssl (video)

PreviousCookie Flags NextAuthentication

Last updated 6 months ago

Was this helpful?