Security/Mentorships/MWoS/2014/Compliance checking of TLS configuration: Difference between revisions

Team

Introduction

My Name is Dimitris Bachtis and I am a Software Engineer and Information Security enthusiast. I live, work and study in Greece. I am now finishing my MSc in InfoSec at the University of Piraeus.

Members

• Dimitris Bachtis
• Professor
• Mozilla Advisor: Julien Vehent

Project

Description

Mozilla maintains guidelines for server side configurations of SSL/TLS that we use to guide the deployment of secure services everywhere. The goal of this project is to build a tool that verifies compliance of a service with our guidelines, and help the administrators improve their security. The tool must be able to evaluate the quality of ciphers, detect required features such as OCSP stapling, and evaluate certificates. It is very similar in philosophy to project like SSL Labs and Cipherscan, but mixed with a certificate observatory. Its purpose will be to help administrators reach a better security level, and measure compliance against Mozilla's policies.

The end goal is to have a service that can be called to run a full compliance check of a target. It should also have an API to retrieve data from, so that other tools can query the compliance checker platform.

Scope

Success Criteria

Updates

9/10/2014

• Decided on a rough ElasticSearch JSON "schema"

ToDo:

• Start collecting certificates...

9/10/2014

• Decided to go with ElasticSearch ( instead of PostGres ) + Kibana for visualisation of Data

ToDo:

• build ElasticSearch prototype

2/10/2014

• Discussed about DB schema
• Further discussion about SW Architecture

ToDo:

• rabbitmq prototype
• database schema draft

11/09/2014

• Decided to go with Golang for certificate retrieval
• Postgres as database backend

ToDo:

• Evaluate conversion between x509 and json

03/09/2014

KickOff Meeting

• introductions

ToDo:

• Evaluate existing tools: sslize, cipherscan, ...
• Evaluate different implementation languages ( Python, Go )