ShadowTrackr

New TLS certificate scanner

21 June 2021
ShadowTrackr has been using the SSLLabs engine to scan certificates for a few years now. It performed consistently well until a few weeks ago.

First, performance started to drop. Then errors started appearing. Then the errors (mostly false positives on trust issues) went away, but performance was still bad. Next, some errors reappeared.

We strive to provide you with a good service and could no longer do this with the SSLLabs engine. This weekend, the engine was swapped for a new one that runs entirely on our own servers. The SSLLabs grading scheme is still the best one we know of, so we are sticking with it. Most of the other options are the same as well, including the reports.

Since we now run the scans from our own servers, more options are opening up. These will take some time to implement, but expect scans of certificates on mail servers and other ports, plus some extra security checks, sometime in the next few months.

For now, all certificates have to be rescanned and we’ll likely have some fine-tuning to do. You might see fewer certificates in today’s weekly PDF because of this.

Improved software detection

30 May 2021
The new port scanner module was released to production this week. It’s better at port scanning and at preventing trigger-happy firewalls from messing up the scan results. It also has options to determine the actual software running on some common ports, and it can often detect which version is running too.

Most of you will be familiar with the software report, which shows what software you expose to the internet and whether any CVEs are known for that software. Until now these results were based on website scans only. With this update, software found on other ports is added, giving you a more complete view of your attack surface.

To better support searching for software, we’ve also introduced the search options asset.software and host.software in addition to website.software. Clicking through from the software report page automatically uses assets.software to make sure you find all relevant results.

So, if you have new critical or high vulnerabilities in your weekly report, you now know where they come from.

Search software through the API

09 May 2021
The reports section has an overview of the software our nodes have found on your assets. It contains a categorized list with a tally of how often we found each item. If the software version we found matches any CVEs, you will see that too. It’s a handy overview of where you need to concentrate your patching and update efforts.

Last week a client had the idea of using that overview to create a dashboard, but there was no API endpoint for it yet. We fixed that; see the details in the API documentation. To make this overview more useful, the websites endpoint now also accepts a software parameter. This way you can get a list of all the websites running specific software.