Examples of sites with broken security certificates

Question

Examples of sites with broken security certificates

I am wondering if anyone knows about a demo site that shows different cases where HTTPS is incorrectly configured or broken. Or does anyone know a website in the wild that deliberately displays various violated / incorrectly configured HTTPS cases? ... If not, what about ideas on how to track them using a search engine? I am looking for sites that exhibit broken https behavior, for example:

Self-signed certificate
Invalid Subdomain Certificate
Expired certificate
Page with protected and insecure content
etc...

I am looking to find an exhaustive list of the different ways in which HTTPS can be misconfigured, and, ideally, live examples that I can use to hone the tool to scan the page and let it know if it will create any kind of browser protection mistakes. (As far as I know, there is no such tool, except for the person managing the browser, does anyone know about this?)

+37

security ssl https

Purrell Nov 10 '09 at 1:55

source share

4 answers

For those who want to learn more about ssl under covers, this page is very well worth reading http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html

+3

Cheekysoft Nov 10 '09 at 16:04

source share

https://mail.yahoo.com is obviously an example of a certificate with an invalid subdomain. (Certificate for www.yahoo.com)
https://verisign.com is another (certificate for www.verisign.com)

- Obviously, any "in the wild" copies can be changed.

-one

Purrell Nov 10 '09 at 2:48

source share

They may vary, but they currently reflect various certificate issues:

No intermediate certificate installed: http://www.sslshopper.com/ssl-checker.html?hostname=secure.donauversicherung.at

The exact host name is not in the certificate: http://www.sslshopper.com/ssl-checker.html?hostname=1stsource.com

Expired Certificate: http://www.sslshopper.com/ssl-checker.html?hostname=secure.garthbrooks.com

Self-Signed Certificate: http://www.sslshopper.com/ssl-checker.html?hostname=www.mjvmobile.com.br

Certificate with MD5 signature: http://www.sslshopper.com/ssl-checker.html?hostname=www.mtsindia.in

-2

Robert Nov 10 '09 at 15:29

source share

Purrell · Accepted Answer · 2012-02-16 17:15

Revision of this. An excellent online tool has recently been created here: https://www.ssllabs.com/ssldb/analyze.html

eg. Paypal: https://www.ssllabs.com/ssldb/analyze.html?d=https://paypal.com

More detailed information on details when working with a specific server.

When this question was asked, I remember that I was looking for resources that I could use to create a tool that would automatically check if ssl was correctly configured for this site; at least that this site was not going to display various ssl errors in different browsers. However, there are many types of ssl / tls "misconfiguration", and many browsers handle cases differently. Expecting 100% if the browser is about to display any messages at all or any encryption messages are quite complicated, as it turns out.

But this is a good hand tool. What would be great is an open source command line tool that has this level of summary to enable deployment or monitoring tests.

Examples of sites with broken security certificates

More articles: