HTTPCS: European leader in cyber security

Vulnerability in SSL Checkers


Many services on the internet let you check SSL certificates. They display information about a certificate and indicate whether it is valid and well configured.

JavaScript Injection

With the OpenSSL library, it is easy to create a self-signed SSL certificate containing whatever information you want. You can thus create and install a fake SSL certificate like this one:

Figure 1 : Fake SSL Screen

This certificate contains XSS injections in several fields. So the question is: what happens if you test this SSL certificate with online checkers?

This was tried a few days ago on several of these services, among the most famous:

1. SSL Checker

Figure 2 : SSL Checker

2. SSL Tools

Figure 3 : SSL Tools

3. SSL Tools Go Daddy

Figure 4 : SSL Tools Go Daddy

4. Go Get SSL

Figure 5 : Go Get SSL

5. SSL 2 Buy

Figure 6 : SSL 2 Buy

6. UK Fast

Figure 7 : UK Fast

7. Trust Ico

Figure 8 : Trust Ico

8. Click SSL

Figure 9 : Click SSL

9. Comodo SSL Store

Figure 10 : Comodo SSL Store

These tools, which trust the data present in certificates issued by SSL authorities, were vulnerable to XSS attacks through a self-signed certificate. They were quickly patched or put into maintenance mode.
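The root cause described above, as an added example that is not code from any of the listed services: a checker that writes certificate name fields into its result page unescaped, next to a version that escapes them on output. The sample certificate is constructed and uses the nested-tuple layout of Python's `ssl.getpeercert()`; the function names are hypothetical.

```python
import html

# Constructed sample in the nested-tuple shape Python's ssl.getpeercert()
# uses for names. Every value is chosen by whoever generated the certificate,
# so it is untrusted input whether or not the certificate chains to a CA.
SAMPLE_CERT = {
    "subject": (
        (("organizationName", "<script>alert(1)</script>"),),
        (("commonName", 'test.example"><i>x</i>'),),
    ),
    "issuer": (
        (("commonName", "<b>Self-signed</b>"),),
    ),
}


def flatten(cert):
    """Yield (section, field, value) for every name attribute in the cert."""
    for section in ("subject", "issuer"):
        for rdn in cert.get(section, ()):
            for field, value in rdn:
                yield section, field, value


def render_unsafe(cert):
    """Vulnerable pattern: certificate text is concatenated into HTML as-is."""
    rows = ("<tr><td>%s %s</td><td>%s</td></tr>" % r for r in flatten(cert))
    return "<table>" + "".join(rows) + "</table>"


def render_safe(cert):
    """Hardened form: every value is HTML-escaped at the point of output."""
    rows = (
        "<tr><td>%s</td><td>%s</td></tr>"
        % (html.escape(f"{s} {f}"), html.escape(v, quote=True))
        for s, f, v in flatten(cert)
    )
    return "<table>" + "".join(rows) + "</table>"


def suspicious_fields(cert):
    """Report fields carrying HTML metacharacters, for logging or alerting."""
    return [(s, f) for s, f, v in flatten(cert) if set(v) & set("<>\"'&")]
```

Escaping on output stays mandatory even if `suspicious_fields` reports nothing; the report only tells operators that someone submitted a certificate with markup in its name fields.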
