Google develops tool to test SSL implementations

Security researchers at Google have introduced an open source tool that allows users to test whether their software is vulnerable to known vulnerabilities in SSL deployments. The tool does require some knowledge to be installed.

The tool attempts to perform man in the middle attacks on connections. Users need to install the tool on a server and configure the device they want to test to use the tool as a vpn, router or proxy. If the device is vulnerable to known security vulnerabilities in SSL implementations, the tool will sound an alarm.

Google has called the tool “nogotofail,” a reference to a serious security vulnerability in OS X and iOS that surfaced early this year. In addition, it was possible to discover the content of https traffic, if an attacker was able to intercept the network traffic. The security issue was caused by the text ‘goto fail’ being placed twice where it should have been only once. As a result, a server where the code should have raised the alarm was still trusted.

The tool also tries to serve SSL certificates for domains other than the visited domain. Software that does not check whether a served ssl certificate belongs to a certain domain, will fail here. That is something that happened to ING, among others: an old version of that bank’s mobile banking app did not check the certificate, allowing an attacker to present his own certificate to his victim.

If you want to install the tool, you can get the code from Github. The tool works best on Linux, and users will have to arrange SSL certificates themselves to enable the tool to generate fake SSL certificates. Also, users of the tool will need to be familiar with the command-line on Linux.