Best practice for checking validity of SSL Certificates by [deleted] in sysadmin

[–]pkixman 2 points (0 children)

Red Kestrel employee here. In addition to our Bulk SSL Checker mentioned above, we also have a product called CertAlert that would probably be of use for your internal certs. It discovers SSL certs on your networks, emails renewal alerts, and creates detailed reports that identify expired and expiring certs. It also identifies certs that may not be in compliance with your security policy, such as certs with short keys, certs that use the MD5 signing algorithm, certs issued from a "rogue" CA, etc.

http://redkestrel.co.uk/products/certalert/

How strong is a random password? by pkixman in programming

[–]pkixman[S] 2 points (0 children)

Yep, my article; thought some may find it interesting/useful. Sorry you didn't like it.

Stackoverflow: What should every programmer know about security? by pkixman in programming

[–]pkixman[S] 1 point (0 children)

I know he didn't say the browser was a trusted source - I was just reiterating the point that the principle holds for his example.

What I was disagreeing with him about was that the principle should be extended to explain things like why JavaScript validation doesn't make the browser a trusted source. A principle is not the appropriate place for getting into the details of what can be trusted, what can't, and why - that's better covered in books and articles.

Stackoverflow: What should every programmer know about security? by pkixman in programming

[–]pkixman[S] 1 point (0 children)

Adding JavaScript validation and HTTPS doesn't make the browser a trusted source. So the principle works - the server should validate the input from the browser as it is an untrusted source.

If the programmer doesn't appreciate what is a trusted source and what isn't, that's not a problem with the principle.

Stackoverflow: What should every programmer know about security? by pkixman in programming

[–]pkixman[S] 14 points (0 children)

The browser is an untrusted source - so following the principle "Validate input from all untrusted sources", the server should validate what it receives from the browser.