When dealing with HTTPS endpoints that I managed, I often found myself turning to online scan providers including SSL Labs to manually carry out testing of these endpoints. This required me to A), Remember to periodically scan those endpoints and B), Have the free time required to scan all the endpoints.
With the release of the public API’s from SSL Labs it sparked an idea within me and I set about creating a .NET wrapper* for the API which I released to GitHub as an open source project and also as a NuGet package for ease of use.
Introducing SSL Notifications
The .NET wrapper was the first* stage in creating a free TLS/SSL notification service for your servers security status, which I’ve now released in beta called SSL Notifications and can be accessed via https://sslnotifications.com. (Yes, of course the service is using TLS… Thanks @Cloudflare and @Azure).
SSL Notifications provides an automated way to periodically receive notifications regarding your TLS / SSL servers security status including vulnerability and certificate information. All this is available through a free subscription which only requires a valid email address and the domain name of the endpoint you’d like scanning.
So what’s with the asterisk’s (*) next to mention of the API wrapper, good question. Sadly when I approached Qualys SSL Labs before launching the beta service, my usage of their API was rejected for two reasons:
- I apparently didn’t meet their usage criteria of the API.
- They also have tentative plans to build similar features directly into their offering and didn't want to support a competing offering.
Getting my request for usage of their API rejected was a huge shame and a knock back to my service, especially as I though this would be a great addition for the community. Nonetheless though, I have pushed forward and implemented another backend scan provider for the SSL Notifications service (though I have left the Qualys SSL Labs implementation there and ready to go, just in case they change their mind :) ).
I’ll publish more information to my blog and the site at a latter date on the full list of items checked, but rest assured this includes vulnerabilities such as POODLE, Heartbleed and Logjam. Simply sit back and simply let the notifications come to you!
So why did I write SSL Notifications then? Well as I’ve briefly tried to explain, I wanted to resolve the two issues I was experiencing, which thinking back were remembering to scan my endpoints and also having the time to conduct those manual scans. So with my DevOps style hat on, I set about creating the service your reading about now, SSL Notifications.
Also I thought too, why only write the solution for myself, what about the community too?!
Another personal point to the project was that I wanted to stretch my feet a little with both Azure and new technologies that I hadn’t previously used myself in production applications, including Entity Framework to name only one. It’s certainly been a learning curved that I’ve enjoyed!
The service is only in beta but I have many more features planned, so don’t take my word for it, go sign-up for your FREE subscription(s) now!
All feedback is welcome and encouraged, especially as I’m writing this service with the community in the forefront of my mind. Hope you enjoy!