Security/Mentorships/MWoS/2014/Compliance checking of TLS configuration
My Name is Dimitris Bachtis and I am a Software Engineer and Information Security enthusiast. I live, work and study in Greece. I am now finishing my MSc in InfoSec at the University of Piraeus.
- Dimitris Bachtis
- Mozilla Advisor: Julien Vehent
Mozilla maintains guidelines for server side configurations of SSL/TLS that we use to guide the deployment of secure services everywhere. The goal of this project is to build a tool that verifies compliance of a service with our guidelines, and help the administrators improve their security. The tool must be able to evaluate the quality of ciphers, detect required features such as OCSP stapling, and evaluate certificates. It is very similar in philosophy to project like SSL Labs and Cipherscan, but mixed with a certificate observatory. Its purpose will be to help administrators reach a better security level, and measure compliance against Mozilla's policies.
The end goal is to have a service that can be called to run a full compliance check of a target. It should also have an API to retrieve data from, so that other tools can query the compliance checker platform.
- Performed Test Run on list of Sites.
- Unit Testing
- Start working for the second part of the tool ( TLS connection inspection )
- Decided on a rough ElasticSearch JSON "schema"
- Start collecting certificates...
- Decided to go with ElasticSearch ( instead of PostGres ) + Kibana for visualisation of Data
- build ElasticSearch prototype
- Discussed about DB schema
- Further discussion about SW Architecture
- rabbitmq prototype
- database schema draft
- Decided to go with Golang for certificate retrieval
- Postgres as database backend
- Evaluate conversion between x509 and json
- Evaluate existing tools: sslize, cipherscan, ...
- Evaluate different implementation languages ( Python, Go )