tags:

views:

94

answers:

5
+4  Q: 

Example sites with broken security certs

I'm wondering if there are any demo sites which show different cases where HTTPS is misconfigured or broken. Or does anyone know of websites in the wild that display various broken / misconfigured HTTPS cases? ... Perhaps ideas on how to track them down with a search engine? I'm looking for sites which exhibit broken https behaviors, for example:

  • Self-signed certificate
  • Certificatewith invalid subdomain
  • Expired certificate
  • Page with secure and un-secure content
  • etc...

I'm looking to find a comprehensive list of the various ways that HTTPS can be misconfigured, and ideally perhaps live examples that I can use to hone a tool to crawl a page and tell you if it's going to produce any browser security errors. (As far as I know there is no such tool, short of a human operating a browser, anyone know of one?)

+2  A: 

rt.cpan.org is an example of a self-signed certificate.

Kinopiko  2009-11-10 01:57:19
+1  A: 
perrierism  2009-11-10 02:48:58
verisign auto forwards so it doesnt' really matter.
Chris Lively  2009-11-10 03:11:17
verisign: I get redirected to www.verisign.com immediately.
Thilo  2009-11-10 03:11:43
+1  A: 

https://pause.perl.org/

mobrule  2009-11-10 03:00:38
+1  A: 

These may change but they currently reflect various certificate problems:

Intermediate certificate not installed: http://www.sslshopper.com/ssl-checker.html?hostname=secure.donauversicherung.at

Exact hostname not in certificate: http://www.sslshopper.com/ssl-checker.html?hostname=1stsource.com

Expired certificate: http://www.sslshopper.com/ssl-checker.html?hostname=secure.garthbrooks.com

Self-signed certificate: http://www.sslshopper.com/ssl-checker.html?hostname=www.mjvmobile.com.br

Certificate with an MD5 signature: http://www.sslshopper.com/ssl-checker.html?hostname=www.mtsindia.in

Robert  2009-11-10 15:29:34
+2  A: 

For those interested to know more about ssl under the covers, this page is very well worth a read http://www.moserware.com/2009/06/first-few-milliseconds-of-https.html

Cheekysoft  2009-11-10 16:04:05

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security