安全证书损坏的示例站点 [英] Example sites with broken security certs

问题描述

我想知道是否有人知道一个演示网站，它显示了HTTPS配置错误或损坏的不同情况。或者有没有人知道一个故意显示各种破坏/错误配置的HTTPS案例的网站？ ......如果没有，关于如何使用搜索引擎跟踪它们的想法如何？我正在寻找表现出破坏的https行为的网站，例如：

I'm wondering if anyone knows of a demo site which shows different cases where HTTPS is misconfigured or broken. Or does anyone know of a website in the wild that deliberately displays various broken / misconfigured HTTPS cases? ... If not, how about ideas on how to track them down with a search engine? I'm looking for sites which exhibit broken https behaviors, for example:

• 自签名证书


• Certificatewith invalid submainmain


• 过期证书


• 包含安全和不安全内容的页面


• 等。 ..

• Self-signed certificate
• Certificatewith invalid subdomain
• Expired certificate
• Page with secure and un-secure content
• etc...

我希望找到HTTPS可能配置错误的各种方法的完整列表，理想情况下可能是实例我可以用来磨练一个工具来抓取一个页面并告诉你它是否会产生任何浏览器安全错误。 （据我所知，没有这样的工具，没有人操作浏览器，任何人都知道一个？）

I'm looking to find a comprehensive list of the various ways that HTTPS can be misconfigured, and ideally perhaps live examples that I can use to hone a tool to crawl a page and tell you if it's going to produce any browser security errors. (As far as I know there is no such tool, short of a human operating a browser, anyone know of one?)

推荐答案

重温这一点。这是最近构建的一个很棒的在线工具： https://www.ssllabs.com/ssldb/analyze.html

Revisiting this. Here's a great online tool recently built: https://www.ssllabs.com/ssldb/analyze.html

例如
Paypal：
https：//www.ssllabs。 com / ssldb / analyze.html？d = https://paypal.com

钻入特定服务器时有更多详细信息。

There are more details when you drill into a specific server.

当问到这个问题时，我记得我正在寻找可以用来构建工具的资源，该工具可以自动检查ssl是否为某个给定网站正确配置;至少某个给定的网站不会在各种浏览器中显示各种ssl错误。然而，有许多类型的ssl / tls错误配置，并且许多浏览器以不同方式处理这些情况。如果浏览器要显示任何消息或任何给定的加密消息，预测100％是非常具有挑战性的。

When this question was asked I remember I was looking for resources I could use to build a tool that would automatically check if ssl was configured "properly" for a given site; at least that a given site was not going to display various ssl errors in various browsers. There are however many types of ssl/tls "misconfiguration" and many browsers handle the cases differently. Anticipating 100% if a browser is going to display any messaging at all or any given messaging about encryption is quite challenging as it turns out.

但这是一个很好的手动工具。最好的是具有此级别摘要的开源命令行工具，用于插入部署测试或监视。

But this is a good manual tool. What would be great is an open source command line tool that has this level of summary, for plugging into deploy tests or monitoring.

这篇关于安全证书损坏的示例站点的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！