TurvSec Wiki
Testing SSL/TLS

How to review TLS configurations.

Last updated 1 year ago

Personally, I find the best tool for reviewing TLS protocols and ciphers is TestSSL.

However, you could also use a public web application, ssllabs, to do it.

TestSSL is very easy to use: you simply run the following command with the hostname you're testing:

testssl google.com

TestSSL will first show you any SSL/TLS protocols that are enabled on the server. These protocols are what set up and enable the encryption mechanisms to function.

These days, all SSL protocols and TLS 1.0 should NEVER be enabled, as they are very weak.

TLS 1.1 is not recommended either but is normally enabled to support legacy systems. If this is not a worry for you, then disable TLS 1.1 and use TLS 1.2. Better yet, use TLS 1.3.

The next thing TestSSL presents is the enabled cipher sets per SSL/TLS protocol. Ciphers are the entities that determine how the data in transit is encrypted. Some configurations are weak:

An example weak 3DES cipher can be viewed via the URL below: https://ciphersuite.info/cs/TLS_RSA_WITH_3DES_EDE_CBC_SHA/

This page shows all the reasons why this cipher should not be used:

This website also presents the current recommended ciphers that should be enabled:

If you would like to see this in action, take a look at the video below:

Ciphers can be weak because they use components that have known vulnerabilities. For example, any cipher that uses 3DES as the encryption algorithm (shown above) is weak due to a known timing attack against the algorithm, which can lead to data decryption. There are many reasons a cipher may be vulnerable, so the best way to check is to look the cipher up on ciphersuite.info.
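As an added example (not code from the original page, TestSSL or ciphersuite.info), the following Python script splits an IANA cipher-suite name such as TLS_RSA_WITH_3DES_EDE_CBC_SHA into its key-exchange, cipher and hash components and flags the weak parts, mirroring the manual check you would do on ciphersuite.info; the grading rules and the sample suite list are this example's own assumptions.

```python
# Coarse cipher-suite review in the spirit of ciphersuite.info: split an IANA
# suite name into components and flag the weak ones (rules are an approximation).

# Constructed sample, like the per-protocol list testssl enumerates.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",          # the page's 3DES example
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",                 # TLS 1.3: no key-exchange part
]
# Name tokens that make a suite outright insecure, with the reason.
INSECURE_TOKENS = {
    "NULL": "no encryption",
    "EXPORT": "export-grade key sizes",
    "anon": "anonymous key exchange, server is not authenticated",
    "RC4": "RC4 stream cipher",
    "DES": "single DES",
    "MD5": "MD5 MAC",
}

def parse_suite(name):
    """Split 'TLS_<kx>_WITH_<cipher>_<hash>' into (kx, cipher, hash)."""
    body = name[len("TLS_"):] if name.startswith("TLS_") else name
    kx, sep, rest = body.partition("_WITH_")
    if not sep:                  # TLS 1.3 names carry only cipher and hash
        kx, rest = "", body
    cipher, _, mac = rest.rpartition("_")
    return kx, cipher, mac

def assess(name):
    """Return (grade, reasons); grade is 'insecure', 'weak' or 'recommended'."""
    tokens = name.split("_")
    kx, _cipher, _mac = parse_suite(name)
    reasons = [why for tok, why in INSECURE_TOKENS.items() if tok in tokens]
    if reasons:
        return "insecure", reasons
    if "3DES" in tokens:
        reasons.append("3DES encryption")
    if kx and not kx.startswith(("ECDHE", "DHE")):
        reasons.append("%s key exchange has no forward secrecy" % kx)
    if "CBC" in tokens:
        reasons.append("CBC mode instead of an AEAD cipher")
    if reasons:
        return "weak", reasons
    return "recommended", ["forward secrecy with an AEAD cipher"]
```

Run `assess()` over the suite names testssl lists for each protocol and anything graded insecure or weak is a candidate for disabling.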

Links and figures referenced above:
  • TestSSL
  • ssllabs
  • ciphersuite.info, e.g. https://ciphersuite.info/cs/TLS_RSA_WITH_3DES_EDE_CBC_SHA/
  • [Video: Testing TLS video.]
  • [Image: Enabled SSL/TLS protocols]
  • [Image: Testssl Ciphers Output]
  • [Image: Weak cipher information.]
  • [Image: Recommended ciphers.]