4 May, 2020

Quttera's SSL Validation API and How It Helps Monitor Web Resources

The Quttera SSL validation API, part of its website malware scanner API, provides a simple way for software to check whether a site has proper SSL protection.
It isn't mandatory for a website to use secure SSL (HTTPS) communication, but sites that don't face significant problems. Browsers issue warnings that they may be unsafe. Search engines downgrade them in their rankings. Interactive sites that use plain HTTP pose a security risk.
What is SSL?
The term SSL stands for "Secure Sockets Layer." Technically, it's obsolete. The modern version of the protocol is called TLS, for "Transport Layer Security." However, the term SSL has stuck in everyone's minds, especially when used for the digital certificates that the protocol relies on. You can use either term.

Whatever you call it, it's a way for a Web client to communicate securely with a server. Almost everything is strongly encrypted in both directions. The one exception is the domain name; it has to be in plain text so that routing systems know where to send the data. A "handshake" sets up encryption keys for both sides when initiating a session.

Internet communication often goes through untrusted relay points. SSL keeps them from intercepting any confidential data, such as credit card numbers and passwords. It keeps them from impersonating a website.
Why Do You Need SSL?
Users expect secure communication when they give confidential information to a website. Using SSL supports website security in three ways:
  • Confidentiality. When SSL does its job, no one can read the data as it travels over cables or airwaves. Users are safer from hacking and identity theft since no one can grab their financial information or login credentials.
  • Authentication. With plain HTTP, a node along the path can impersonate the one the user is trying to reach. It can replace or alter the data the user receives. SSL prevents this.
  • Trust. Users will see an HTTPS URL and a padlock icon in their browser when they access a secure site. This tells them that their data will be protected in transit against hacking and that they're really accessing a site belonging to the domain holder.
Why Do Browsers Warn Users Against Non-SSL Sites?
Modern browsers actively discourage users from trusting sites that don't have SSL protection. If a site just delivers static data, the browser normally won't warn the user, but if it asks for data, the browser will present an ominous warning that the site isn't secure. Users can continue, but a lot of them won't. That means a loss of business.

This is especially important for e-commerce. Data thieves look for chances to intercept credit card and bank account information. PCI compliance requires using secure communication.

The SSL certificate has to be not only installed but properly set up. The protocol depends on a chain of trust; to be worth anything, a certificate needs to be digitally signed by a valid signing authority. A certificate can be self-signed for testing, but it has no real value.

To reduce the chance of certificates being stolen, they are valid only for a limited time. An expired certificate will trigger a browser warning. They also have to be specific to the domain they represent. Configuration errors in shared hosting will sometimes make a certificate appear invalid.
The Types of SSL Certificates
A certificate is a file encoded in base64 form, looking like a meaningless series of letters and digits. The format is known as X.509. It's installed on the server and has to be strictly protected against unauthorized access. Certificates are available in three levels of validation:
  • Domain Validation (DV): The certification process shows that the certificate holder controls the domain being protected, but nothing more than that. This is the most common type of certificate, and all free certificates fall in this category.
  • Organization Validation (OV): In addition to domain validation, this level verifies that the domain belongs to a legitimate business.
  • Extended Validation (EV): Additional checks confirm that the certificate holder has authorized the certificate, matches official records, and has the exclusive right to the domain name.
NOTE: Self-signed certificates have no validation at all.
All certificates include signing information (if any) and their issuance and expiration dates. Browsers will provide additional information on a site with an OV or EV certificate.
The Quttera SSL Validation API
Quttera's SSL validation API is a subset of its website malware scanner REST API. It checks whether a site has a valid and current SSL certificate. The default format for responses is JSON; it can return XML or YAML if preferred.

First, the API queries the specified domain to determine whether it has a valid SSL certificate; if it does, the site supports encrypted communication. Second, it checks whether the certificate has expired. A server can use an expired or self-signed certificate, but it is less trustworthy and will trigger browser warnings.

By performing these checks, the API verifies whether a website is safe for sending and receiving sensitive information. You can run it on your own site to make sure your certificate is properly set up and current, or you can use it to verify that another site is secure. Either way, it helps to keep your business safe.

The client issues standard REST GET or POST requests. The following requests make up the API:
  • SSL Scan (POST): Issues an asynchronous request to check a domain's SSL certificate. If information no more than 15 minutes old is available from a previous call, it will return that immediately.
  • SSL Status (GET): Returns the status of the current SSL Scan request. If there is no request, it will return a 404 (not found) status. The returned value will be NEW, SCAN, SCANNED, or DONE.
  • SSL Report (GET): Returns the information from a prior SSL Scan.

The information in the report includes the name of the certificate authority, the expiration date and status, and the date the certificate was issued. If there was a problem with the request, it will give an error code and description. The report will follow this pattern:
The Quttera API program offers flexible partnership plans. The APIs work with both cloud and on-premises applications. You can set up scans to meet your business needs and confirm that all the domains you rely on provide secure communication.
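The Scan, Status and Report workflow described above, as an added example that is not Quttera's own client code: it submits a scan, polls the status with a bounded number of retries, fails closed on a 404 or an unknown status value, and reduces the report to a pass/fail verdict. The endpoint paths, the "domain" parameter and the report field names (error_code, expires) are assumptions, since the page does not give them; a constructed fake transport stands in for the HTTP layer so the code runs offline.

```python
from datetime import date
from typing import Callable, List, Optional, Tuple

# (method, path, params) -> (http_status, json_body); injectable so the demo runs offline.
Transport = Callable[[str, str, dict], Tuple[int, dict]]
KNOWN_STATUSES = {"NEW", "SCAN", "SCANNED", "DONE"}  # status values from the article


def wait_for_report(transport: Transport, domain: str, max_polls: int = 60) -> Tuple[str, dict]:
    """POST a scan, poll SSL Status until DONE, then GET the SSL Report.
    Returns (outcome, report); report is empty unless outcome is "done".
    A bounded poll count keeps a stuck scan from hanging a monitoring job."""
    code, _ = transport("POST", "/ssl/scan", {"domain": domain})  # path and param assumed
    if code != 200:
        return "scan_failed", {}
    for _ in range(max_polls):
        code, body = transport("GET", "/ssl/status", {"domain": domain})
        if code == 404:  # article: no outstanding request -> 404
            return "not_found", {}
        state = body.get("status")
        if state == "DONE":
            _, report = transport("GET", "/ssl/report", {"domain": domain})
            return "done", report
        if state not in KNOWN_STATUSES:  # unknown value: fail closed instead of spinning
            return "unexpected_status", {}
    return "timeout", {}


def verdict(report: dict, today: str) -> str:
    """Reduce a report to error/expired/valid. Keys 'error_code' and 'expires' are assumed."""
    if "error_code" in report:  # article: a failed request carries an error code and description
        return "error"
    if date.fromisoformat(report["expires"]) < date.fromisoformat(today):
        return "expired"  # an expired certificate triggers browser warnings
    return "valid"


def fake_transport(states: List[Optional[str]], report: dict) -> Transport:
    """Constructed offline stand-in for the HTTP layer; None in `states` means a 404."""
    polls = iter(states)
    def transport(method: str, path: str, params: dict) -> Tuple[int, dict]:
        if path == "/ssl/scan":
            return 200, {}
        if path == "/ssl/status":
            s = next(polls, states[-1])  # keep serving the last state once exhausted
            return (404, {}) if s is None else (200, {"status": s})
        return 200, report
    return transport
```

A real deployment replaces fake_transport with a thin wrapper around an HTTP client that returns (status_code, parsed_json) for each call.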