TLS 1.0 and TLS 1.1 certificate notifications

As some of you might have noticed, most TLS certificate scoring methods have started to downgrade certificates that still have TLS 1.0 and TLS 1.1. enabled. The one we use (SSLLabs) does this starting february.

For clients with large numbers of websites that have notifications enabled this resulted in so many notifications that we have temporarily blocked them. ShadowTrackr is supposed to be useful, not spammy. When the storm is over we’ll enable them again.

Please do upgrade your TLS certificates if you haven’t done so already. The major browsers are phasing out TLS 1.0 and TLS 1.1 support in this order:

Microsoft IE and Edge		First half 2020
Mozilla Firefox		March 2020
Safari/Webkit		March 2020
Google Chrome		January 2020

Search websites by keyword in title (Hi there Citrix!)

With all the Citrix and Pulse Secure troubles of lately we all want to be able to quickly find them. It turn out that most of these VPN servers actually explicitly state what they are in the website title. In the past weeks you might have seen several Censys or Shodan search queries to find Citrix or Pulse secure boxes on the internet.

Of course we immediately implemented this handy trick on ShadowTrackr and by now all websites we track have their title indexed. You can easily list all your Citrix servers with this query:

website.title:*netscaler*

After that just click export and either download or directly email the list to seurity operations and have them checked.

In beta: automated CVE checks on your software

Have you seen the software report on your assets? Well, it’s about to become more interesting. The software report shows you a list of all software that ShadowTrackr has detected on your systems. Such a list is useful to check if you’re running vulnerable or exploitable software.

But why check manually if automated vulnerability checks could be done ? That’s in beta now. We’re tracking all registered CVEs and match these against your software report. If CVEs are found they’re shown in the report and you can click them for more information.

The match is done based on information found in regular checks we run on your assets. We would never actively run a penetration test against your systems without a specific request and explicit prior approval.

Beta in this case means that we’re still figuring out the best way to do this. We don’t want to bury you in false positives. So, nothing is shown on your timeline, no alerts are sent and no mentions appear in the weekly (for now).