Andres,
>> I plan to add a few small checks and improvements into >> audit.sslCertificate plugin. Among them: >> >> * support of DNS alt names >> * checking for *soon* expired certificates > > I like the second point very much! Great :) > >> So do you have any ideas what we also need to add to this plugin? > > Yesterday / a couple of days ago, someone published a new tool in > full-disclosure, written in python, GPL3, (don't remember the name) > which main objective was to check for SSL certificates. Maybe you can > take some ideas from that tool? Remember that gpl3 and gpl2 are > incompatible so we can't simply copy+paste stuff Do you mean sslyze [0]? I will review it for ideas. >> One more question is why do we consider ssl errors as information and >> not as vulnerabilities? I suggest to raise severity of SSL errors to >> vuln object. > > If it is a vulnerability, it's of the lowest severity IMHO. No problem, let it be lowest. I suggest it because, imho, information about web server like server's banner is not on the same level with e.g. expired SSL certificate. The last one is real security problem. [0] http://code.google.com/p/sslyze/ -- Taras http://oxdef.info ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ W3af-develop mailing list W3af-develop@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/w3af-develop
