How to Kick-Start Https / SSL Testing – by @Santhoshst
Security Testing Tips: How to Kick-Start Https / SSL Testing
People often love web applications with SSL. Even Google spiders love websites with an HTTPS / SSL certificate. To help you understand better, SSL is nothing but the HTTPS that you see while browsing some web applications. Most testers do only one test for SSL, and that is whether HTTPS is visible in the URL address bar or not. Well, that's really cranky in my opinion, as you need just a pair of eyes to check it.
Where do we use SSL?
SSL or HTTPS needs to be used for web pages where sensitive information exists. Example: a login form needs to be sent over the wire in encrypted form, and HTTPS does that. If you enable HTTPS for static pages which are public, it may slow down performance; you don't need HTTPS for displaying public web pages like contact us, about us etc.
Some of the pages where you need to use HTTPS
Any web pages which are private to a logged-in user's session
Note: It is not only for web pages; it could also be for your client-server applications where data needs to be encrypted and the protocol used is HTTPS.
1. HTTPS should be enforced when someone tries to use HTTP for web pages where the data to be transferred is confidential and needs encryption.
2. Check that the SSL certificate is from a trusted vendor.
3. Check for SSL certificate consistency in different web browsers.
4. Test for the BEAST attack, where hackers or attackers may be able to decrypt the encrypted traffic.
5. Check if HTTP Strict Transport Security is enabled for your server.
Now, this is sufficient to start with SSL Testing. Advanced learning is the next step!
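Tests 1 and 5 from the list above can be scripted once you have captured the response to the same page over http:// and over https://. The following is an added example, not code from the original article; the sample captures, the function names and the 180-day `MIN_MAX_AGE` threshold are assumptions made for illustration.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
MIN_MAX_AGE = 15552000  # assumed policy threshold (180 days); pick your own

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax)."""
    policy = {"max_age": None, "include_subdomains": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        # Directive names are case-insensitive; max-age may be a quoted string.
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def audit(http_resp, https_resp):
    """Findings for tests 1 (HTTPS enforced) and 5 (HSTS enabled).
    Each argument is (status, headers) captured for the same path."""
    findings = []
    status, headers = http_resp[0], {k.lower(): v for k, v in http_resp[1].items()}
    if status not in REDIRECTS:
        findings.append("http: content served instead of a redirect to https")
    elif urlsplit(headers.get("location", "")).scheme != "https":
        # A relative Location keeps the browser on plain HTTP, so it fails too.
        findings.append("http: redirect target is not https")
    headers = {k.lower(): v for k, v in https_resp[1].items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("https: Strict-Transport-Security header missing")
    else:
        max_age = parse_hsts(hsts)["max_age"]
        if max_age is None:
            findings.append("https: HSTS max-age missing or not a number")
        elif max_age == 0:
            findings.append("https: HSTS max-age=0 switches the policy off")
        elif max_age < MIN_MAX_AGE:
            findings.append("https: HSTS max-age shorter than policy threshold")
    return findings

# Constructed sample captures (not from a real site).
GOOD = ((301, {"Location": "https://shop.example/login"}),
        (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
BAD = ((200, {"Content-Type": "text/html"}),
       (200, {"strict-transport-security": "Max-Age=0"}))

if __name__ == "__main__":
    for name, capture in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(*capture))
```

An empty list means both tests passed for that page; the header check only counts on the HTTPS response, because browsers ignore an HSTS header received over plain HTTP.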
Quick tips for learning more about SSL
1. Try installing a self-signed certificate for your blog or website.
2. Buy a certificate and try installing it on your own. For learning purposes, you may even want to use a trial certificate license.
3. Understand your server, IP address, Port, Hostname, Issuer, Validation Type (Example: Domain Validation), Signature, Public Key etc. These are some of the terms that help you understand SSL certificates better. Once you understand what these do, you may want to brainstorm or associate tests with every entity.
I am going to stop here, as anything more than this may be overflow or a bouncer for you. Last, but not least: it would be great if you get into network-level and protocol-level learning along with cryptography! Finally, SSL is not a fool-proof solution. Security is like adding layers, and you never get to know till someone exploits it.

Author: Santhosh Tuppad is the Cofounder & Software Tester of Moolya Software Testing Private Limited (www.moolya.com). He also won the uTest Top Tester of the Year 2010, apart from winning several testing competitions from uTest and Zappers. Santhosh specializes in the exploratory testing approach, and his core interests are security, usability and accessibility amidst other quality criteria. Santhosh loves writing and he has a blog, http://tuppad.com/blog. He has also authored several articles and crash courses in the past. He attends conferences and confers with testers he meets. Santhosh is known for his skills in testing, and you should get in touch with him if you are passionate about testing.

Testing Circus