Use sslscan To Assess The SSL Configuration Settings Of HTTPS Websites

Using sslscan to get certificate information.

Background

SSL information is valuable for both offensive and defensive purposes. Assessing SSL information can be part of an attacker's reconnaissance stage, as attackers can exploit various vulnerabilities in outdated SSL/TLS versions and implementations (Heartbleed, a bug in OpenSSL, is one example). In addition, being able to assess current SSL settings allows defenders to ensure that their servers are securely configured.

sslscan is a command-line tool that can be used to assess the SSL configuration settings of HTTPS websites. It can be used to scan for insecure ciphers, weak DH parameters, and other vulnerabilities.

A weak cipher suite vulnerability in SSL/TLS can be exploited when a server accepts a weak cipher suite, that is, a cipher suite that uses a weak encryption algorithm.
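As an added example (not part of the original page or of the sslscan project), the shell function below post-processes sslscan text output and flags legacy protocols, weak cipher suites and small DH parameters. The sample input is constructed and modelled on the sslscan 2.x text layout; the function names and the thresholds (128-bit keys, 2048-bit DH) are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag weak findings in sslscan text output.
# Typical use: sslscan --no-colour HOST | flag_weak

# Constructed sample modelled on the sslscan 2.x text layout (not a real scan).
sample_output() {
cat <<'EOF'
  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     enabled
TLSv1.0   enabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled

  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA            DHE 1024 bits
Accepted  TLSv1.2  112 bits  DES-CBC3-SHA
Accepted  TLSv1.0  128 bits  RC4-SHA
EOF
}

# Reads sslscan text on stdin and prints one finding per line.
# Thresholds (128-bit key, 2048-bit DH) are assumptions of this example.
flag_weak() {
  awk '
    # Protocol table rows: "<protocol> enabled|disabled"
    $1 ~ /^(SSLv2|SSLv3|TLSv1\.0|TLSv1\.1)$/ && $2 == "enabled" {
      print "WEAK-PROTOCOL " $1
    }
    # Cipher rows: "Preferred|Accepted <proto> <n> bits <suite> [key exchange]"
    ($1 == "Preferred" || $1 == "Accepted") && $4 == "bits" {
      if ($3 + 0 < 128 || $5 ~ /RC4|DES|NULL|EXP|MD5|^ADH|^AECDH/)
        print "WEAK-CIPHER " $2 " " $5
      if ($6 == "DHE" && $8 == "bits" && $7 + 0 < 2048)
        print "WEAK-DH " $2 " " $5 " " $7
    }
  '
}

sample_output | flag_weak
```

The `--no-colour` option keeps ANSI colour codes out of the text so the field positions stay stable for parsing.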

Example sslscan of a secure page:

Example sslscan of a non-secure page:
