We recently added a feature in Vega: probing HTTPS server configuration settings for issues that have implications for user and application security.
Vega now attempts to detect and will alert on the following issues:
- SSLv2, SSLv3 (POODLE) support
- Certificate analysis: SHA-1, MD5, key size
- Server/client ciphersuite preference
- Forward secrecy support and prioritization
- RC4
- Cipher suite enumeration
- Identification of weak/export-grade cipher suites and anonymous Diffie-Hellman
- TLS compression (susceptibility to CRIME attacks)
The probes occur before the crawler is started and will run for every HTTPS server target. Full details on the HTTPS audit will be output to the console after the probes have finished running.
This is still a work in progress, so consider it a beta release. The Vega HTTPS server configuration probing will be more comprehensive, reliable, and configurable in the future.
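As an added illustration, not Vega's own code, here is how the issue categories listed above can be turned into scored findings from one server's probe result; the TlsProbe field names, the severities and the SAMPLE values are assumptions constructed for the example, not output from any real host.

```python
"""Added example, not Vega's own code: audit() scores one server's probe result against the
issue categories listed above. Field names, severities and SAMPLE are assumptions for this demo."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
@dataclass
class TlsProbe:
    protocols: List[str]                 # protocol versions the server accepted
    ciphers: List[str]                   # accepted suites, in the server's preference order
    compression: Optional[str] = None    # e.g. "DEFLATE" when TLS compression is enabled
    cert_sig_alg: str = "sha256WithRSAEncryption"
    key_bits: int = 2048
    server_preference: bool = True       # False if the server takes the client's suite order
# OpenSSL-style name fragments for RC4, export-grade, NULL, single-DES and anonymous-DH suites
WEAK = ("RC4", "EXP", "NULL", "DES-CBC-", "ADH", "AECDH")

def forward_secret(suite: str) -> bool:
    return suite.startswith(("ECDHE", "DHE", "EDH"))

def audit(p: TlsProbe) -> List[Tuple[str, str]]:
    """Return (severity, message) pairs, one per issue found, in check order."""
    found = []
    for v in p.protocols:
        if v in ("SSLv2", "SSLv3"):
            found.append(("high", f"{v} accepted (POODLE, obsolete protocol)"))
    if p.cert_sig_alg.lower().startswith(("md5", "sha1")):
        found.append(("high", f"certificate signed with {p.cert_sig_alg}"))
    if p.key_bits < 2048:
        found.append(("medium", f"certificate key is only {p.key_bits} bits"))
    if not p.server_preference:
        found.append(("low", "server follows the client's cipher suite order"))
    for c in p.ciphers:
        if any(w in c for w in WEAK):
            found.append(("high", f"weak, export-grade or anonymous suite offered: {c}"))
    fs = [c for c in p.ciphers if forward_secret(c)]
    if not fs:
        found.append(("medium", "no forward-secret (ECDHE/DHE) suites offered"))
    elif not forward_secret(p.ciphers[0]):  # FS available, but a non-FS suite is preferred
        found.append(("low", f"forward secrecy supported but not prioritized (top: {p.ciphers[0]})"))
    if p.compression:
        found.append(("high", f"TLS compression ({p.compression}) enabled: CRIME"))
    return found

# Constructed sample: SSLv3 on, SHA-1 certificate, RC4 offered, forward secrecy not preferred
SAMPLE = TlsProbe(["SSLv3", "TLSv1.2"], ["AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"],
                  cert_sig_alg="sha1WithRSAEncryption")

if __name__ == "__main__":
    for severity, message in audit(SAMPLE):
        print(f"[{severity}] {message}")
```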