RapydBlok – 2020 in Review

“HTTPS & SSL doesn’t mean “trust this.” It means “this is private.” You may be having a private conversation with Satan.” – Scott Hanselman

Best wishes for the festive season from the RapydBlok team. 2020 hasn’t been the easiest year for most, but with all its challenges we have persevered. Well wishes for 2021 are in order.

RapydBlok achieved some milestones this year, including:

  • A new product, INSPECT Web App, that can inspect website https security – inspect.rapydblok.com
  • Fixed some bugs, added multi-threading for SCANS and improved on reporting and email delivery of results.
  • Introduced #ScanFriday, to encourage regular security scanning.
  • Gordon emigrated from Cape Town to Munich.

๐—›๐—ผ๐˜„ ๐—ฐ๐—ฎ๐—ป ๐—œ๐—ก๐—ฆ๐—ฃ๐—˜๐—–๐—ง ๐—ต๐—ฒ๐—น๐—ฝ ๐—บ๐—ฒ โ€“ Most websites have SSL certificates to secure web traffic, ๐—œ๐—ก๐—ฆ๐—ฃ๐—˜๐—–๐—ง will review the SSL certificate & web server configuration for any related issues and display the full results.

Summary of the common issues found during SSL scans:

It’s not secure enough to just install an SSL certificate; correct configuration is key!

  1. ๐™…๐™ช๐™จ๐™ฉ ๐™ž๐™ฃ๐™จ๐™ฉ๐™–๐™ก๐™ก๐™ž๐™ฃ๐™œ ๐™–๐™ฃ ๐™Ž๐™Ž๐™‡ ๐™˜๐™š๐™ง๐™ฉ๐™ž๐™›๐™ž๐™˜๐™–๐™ฉ๐™š ๐™ž๐™จ ๐™ฃ๐™ค๐™ฉ ๐™š๐™ฃ๐™ค๐™ช๐™œ๐™ ๐™ฉ๐™ค ๐™จ๐™š๐™˜๐™ช๐™ง๐™š ๐™๐™‡๐™Ž/๐™Ž๐™Ž๐™‡, it needs to be configured correctly on the web server & some web admins are unaware of this.
  2. ๐˜ฟ๐™š๐™ฅ๐™ง๐™š๐™˜๐™ž๐™–๐™ฉ๐™š๐™™ ๐™‹๐™ง๐™ค๐™ฉ๐™ค๐™˜๐™ค๐™ก๐™จ ๐™–๐™ง๐™š ๐™˜๐™ค๐™ฃ๐™›๐™ž๐™œ๐™ช๐™ง๐™š๐™™, mainly TLS 1 & TLS1.1 are offered in configuration but actually depreciated. Min of TLS v1.2 and TLS 1.3 should be offered.
  3. ๐™๐™จ๐™ž๐™ฃ๐™œ ๐™ค๐™—๐™จ๐™ค๐™ก๐™š๐™ฉ๐™š ๐™ค๐™ง ๐™ค๐™ก๐™™ ๐™˜๐™ž๐™ฅ๐™๐™š๐™ง๐™จ, for certificates often requires a review and Mozilla has some good recommendations on ciphers & client support.
  4. ๐™‘๐™ช๐™ก๐™ฃ๐™š๐™ง๐™–๐™—๐™ž๐™ก๐™ž๐™ฉ๐™ž๐™š๐™จ, if old or obsolete Ciphers and Protocols are used, it can generally lead to vulnerabilities being available for that host.
  5. ๐™Ž๐™š๐™˜๐™ช๐™ง๐™ž๐™ฃ๐™œ ๐™ฌ๐™ž๐™ฉ๐™ TLS 1.3 ๐™ค๐™ฃ๐™ก๐™ฎ, doesnโ€™t allow for all web clients to connect, especially older ones but most importantly Internet Explorer users cant connect.

Shoutout to the testssl.sh team; without them there wouldn’t be an INSPECT product.

Keep watching this space in 2021; the RapydBlok team will keep pushing the limits and do some great releases.

All the best, Fröhliche Weihnachten & Happy Holidays

Gordon Bishop – co-founder

August updates released for RapydBlok INSPECT

The RapydBlok team have been testing and finding ways to improve on the initial release; below are the updates released for RapydBlok INSPECT in August 2020:

1: [New] – New option to receive results via email, email used once-off and not stored.
2: [Improve] – Option added to download full html report.
3: [Improve] – Multi-threading added for scans to improve scanning times.
4: [Bug Fixes] – Two minor bugs resolved.

Run a SCAN: https://inspect.rapydblok.com

5: [Listed] – RapydBlok INSPECT has been listed on https://github.com/drwetter/testssl.sh as an ‘External/related project’

RapydBlok INSPECT main page

RapydBlok INSPECT Web App is Live

RapydBlok is proud to announce that the ‘RapydBlok INSPECT’ product is finished and in production!

After many cups of coffee, weeks of planning, development & fine tuning, the team have produced a free web app to audit TLS/SSL configurations.

What is RapydBlok INSPECT?

INSPECT is a free web application that can audit & report on TLS/SSL ciphers & protocols for configuration issues, cryptographic flaws, vulnerabilities, and HTTP security headers. INSPECT is built upon the foundations of the open source testssl.sh toolset.

How can that help me?

– Most websites have SSL certificates to secure web traffic, INSPECT will review your SSL certificate and web server configuration for any related issues and display the full results.

Run a SCAN: inspect.rapydblok.com

What are the common issues found so far?

1: Just installing an SSL certificate is not enough to secure TLS/SSL; it needs to be configured correctly on the web server, and some web admins are unaware of this.

2: Deprecated protocols are configured: mainly TLS 1.0 & TLS 1.1 are offered in the configuration even though they are deprecated. At a minimum, TLS 1.2 and TLS 1.3 should be offered.

3: Using obsolete or old ciphers: the cipher suites offered alongside the certificate often require a review, and Mozilla has some good recommendations on ciphers & client support.

4: Vulnerabilities: if old or obsolete ciphers and protocols are used, it generally leads to vulnerabilities being present on that host.

5: Securing with TLS 1.3 only doesn’t allow all web clients to connect, especially older ones; most importantly, Internet Explorer users can’t connect.

6: Hosts are scanned multiple times: hosts are being scanned around 3 times on average, as configuration changes are made in small stages and confirmed correct via re-scans.
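The recurring issues above (and the same five in the 2020 review at the top of this page) can be expressed as a mechanical check. The following Python is an added example, not INSPECT's or testssl.sh's own code: it takes the protocols and OpenSSL-style cipher-suite names a host was observed to accept (a constructed sample, not a real scan) and flags each issue the way a scan summary would; the severities and cipher patterns are assumptions for illustration.

```python
import re

# Rules taken from the issues listed on this page. Severities and the
# cipher patterns are assumptions for illustration, not INSPECT's own logic.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Fragments of OpenSSL-style suite names that mark obsolete or weak ciphers.
OBSOLETE_CIPHER_PATTERNS = [r"NULL", r"EXPORT", r"RC4", r"DES-CBC3|3DES",
                            r"\bDES\b", r"MD5", r"anon", r"ADH|AECDH"]


def audit_tls_config(offered_protocols, offered_ciphers):
    """Return (severity, finding) tuples for one host's TLS offering:
    offered_protocols are names like "TLSv1.2", offered_ciphers are
    OpenSSL-style suite names the server accepted."""
    findings = []
    protocols = set(offered_protocols)
    # Issue 2: TLS 1.0 / 1.1 (and SSL) still enabled.
    for proto in sorted(protocols & DEPRECATED_PROTOCOLS):
        findings.append(("HIGH", f"deprecated protocol {proto} is offered"))
    # Issue 2, continued: at least TLS 1.2 must be available.
    if not protocols & {"TLSv1.2", "TLSv1.3"}:
        findings.append(("HIGH", "no modern protocol (TLS 1.2 / TLS 1.3) offered"))
    # Issue 5: TLS 1.3 only locks out older clients (Internet Explorer included).
    if protocols == {"TLSv1.3"}:
        findings.append(("INFO", "TLS 1.3 only: older clients cannot connect"))
    for cipher in offered_ciphers:
        # Issues 3 and 4: obsolete ciphers are where known vulnerabilities live.
        if any(re.search(p, cipher) for p in OBSOLETE_CIPHER_PATTERNS):
            findings.append(("MEDIUM", f"obsolete cipher {cipher} is offered"))
        # Mozilla's guidance prefers forward-secret key exchange (ECDHE/DHE;
        # every TLS 1.3 suite, named TLS_*, is forward secret by design).
        elif not cipher.startswith(("ECDHE-", "DHE-", "TLS_")):
            findings.append(("LOW", f"cipher {cipher} lacks forward secrecy"))
    return findings


def grade(findings):
    """Collapse findings into one verdict, like a scan summary line."""
    severities = {sev for sev, _ in findings}
    if "HIGH" in severities:
        return "FAIL"
    return "WARN" if "MEDIUM" in severities else "PASS"


# Constructed sample (not a real host): a server where the certificate was
# installed but the defaults were never tightened.
SAMPLE_PROTOCOLS = {"TLSv1.0", "TLSv1.1", "TLSv1.2"}
SAMPLE_CIPHERS = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA",
                  "DES-CBC3-SHA", "RC4-MD5"]
```

Running `audit_tls_config(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS)` on the sample yields two HIGH protocol findings, two MEDIUM cipher findings and one LOW, which `grade` collapses to FAIL.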

Results page screenshots;

RapydBlok INSPECT Audit SSL

RapydBlok Inspect product is in active development

RapydBlok.com is currently building a new product called “Inspect”. RapydBlok Inspect will be a free web application (webapp) that will be able to audit and report on hosts’ TLS/SSL ciphers and protocols for configuration issues, cryptographic flaws, vulnerabilities, HTTP security headers and more.

We will be building this service upon a solid foundation, using the open source testssl.sh toolset (https://testssl.sh) from Dr Wetter and team.

The RapydBlok Inspect product will not only offer a webapp but also an Application Programming Interface (API), which will allow 3rd party integrations.

Keep watching this space...