48 comments

[ 3.7 ms ] story [ 129 ms ] thread
We built Snitch to make it simple and easy to get a handle on your SSL certificates. Our mission is to help people avoid getting blind-sided by SSL issues - losing customers, reputation and business in the process.

We've been working on this for a few months and would appreciate any feedback - thanks!

If anyone wants to email me directly it is my username at currylabs.com or gmail.com

PS: If you are an Open Source project we offer free subscriptions.

Who's "we"? You need an about page.
Great idea, will definitively check it out.

Where are you incorporated, if? The terms says nothing about it. Who is my contract party when I signup?

Thanks for the feedback.

We're in Oakland, California.

You do more than that but really the CA should handle alerts about expiring certificates. They have full knowledge of all certificates, and contact to the responsible party.
true but then you need to actually renew it amd then install it....too many times tickets are filed but get put at the bottom of this list until last minute, or worse a customer reports the nasty browser security warning page

though i do wonder if "this is a feature, not a company"?

Thanks for the feedback.

We're constantly improving and rolling out new features. We're confident that over your question will become less of a question :-)

I think you're trying to solve a non-problem since the company that sells the certificates warns you (sometimes even more than those intervals), afterall, they want you to renew as well. As for checking for quality, that should be the sys admin task or the webmaster. good luck though!
Perhaps a non-problem for startups, but it's definitely a problem for bigger companies where the group that purchases certs may not be the one using them...
I would think that bigger companies would use dedicated IT staff over a start-up for something crucial like SSL cert checking.
Given that Microsoft and Amazon have both had their SSL certs for their cloud businesses expire, a little extra reminding probably can't hurt.

That said, I wouldn't pay for a service like this from a random person, I'd have my registrar do it (MarkMonitor or similar -- that's why they're paid the big bucks).

Thanks for the feedback and thoughts, aroch.

Can I ask why you wouldn't pay a "random person" as you say - since this information is by definition public?

Can you tell me a bit about your experience using MarkMonitor to do this?

I don't see the value in paying someone and then trusting them with something (as you say) important to my business when they have no track record.

For my personal set of servers (some 25-30, with ~50 SSL certs), I have Nagios for monitoring them plus calendar alerts, SMS alerts and sane cycling (everything expires in the same month).

My employer is an intermediary CA, they can issue their own certs but I've worked with people who use Markmonitor. As part of buying your cert through them is they worry about making sure your domains stay protected. They'll call you, text you and even mail you reminders. And they have a proven track record dealing with companies that are collective worth trillions.

[Full disclosure - I've been beta testing snitch and been very happy with it].

In an old job for a mid-level bank, we had many behind the scenes (never showed up as a green padlock in any browser) integrations that would quit working when certs expired, frequently ones that we didn't purchase or control.

At the time, it was definitely worth it to me to get some notice before that happened. And it can be easier to plonk down a credit card than work though internal processes to have nagios (or patrol express, <shudder>) do the monitoring. It's the same thing that makes pingdom valuable.

Thanks for your feedback but I strongly disagree and I think recent history supports that CAs don't do much for you once they've collected your payment.

CAs won't alert you if someone breaks into your server and replaces your certificate. They won't alert if you if you accidentally push a config change and start serving the wrong certificate to customers... And they certainly will not alert you if you are using a revoked certificate in production.

I've bought multiple certificates from different reputable vendors - I only ever got one Heartbleed notice. (This pattern repeats itself)

Many shops don't have a dedicated admin / webmaster auditing their certificates and even those that do have had public issues (Akamai, Apple, GitHub, Stripe...etc)

The value in a service like Snitch is that we worry about your SSL certificates. Many people don't have the interest or time in rolling their home grown monitoring of this stuff...

"CAs won't alert you if someone breaks into your server and replaces your certificate. They won't alert if you if you accidentally push a config change and start serving the wrong certificate to customers... And they certainly will not alert you if you are using a revoked certificate in production."

You have valid points, my advice would be to make that part of the message as clear as possible. as a sys admin I could be a potential customer but then again, I already have to worry about certs I implement.

Thank you for that feedback! It is very valuable to hear that I didn't message this effectively - I'll work on improving that.

I'd love to chat more out-of-band - would you mind emailing me (this username at currylabs.com or gmail.com)

I let a RapidSSL cert lapse lately. They sent me 11 emails about it. They were really rather insistent:

    Early bird special: Renew your <website> to save
    Keep <website> Secure, renew your SSL
    Last chance to save: Your <website> is expiring
    ACTION REQUIRED: Your SSL needs attention
    FINAL NOTICE: Your SSL expires tomorrow
    LAST CHANCE: Your SSL expires today
    SECURITY ALERT: Your <website> may not be secure
    ACTION REQUIRED: Your SSL needs attention
    SSL EXPIRED: Renew to rescue
    CALL US: SSL for <website> is expired
    Your last SSL expiration notice for <website>
I was actually relieved when they finally stopped mailing me...
(comment deleted)
Cool idea. I had the same idea back when Heartbleed was in full swing. Nice to see that someone has actually executed the idea. Bravo!
There are various implementations of the same idea out there and they've been there for long.

In any case, very nice execution on the front end. Good job.

Thank you!

We're constantly improving and adding extra checks.

Thank you for the kind words!
Great idea, will certainly give it a try.

Not a big fan of pricing plans that mix volume with features, always makes me feel I'm being screwed when I only need one or the other. (Even though I might be perfectly fine with paying the same amount if the pricing structure was different.)

how do you mean? this is SaaS, and charging for resource magnitudes is the only actual fair way in order to get some transparency.
Thank you for the feedback!

Definitely something we'll consider. Email me if I can help out in any way! hn username at currylab.com / gmail.com

Better off using your own solution with Nagios or something similar.
$10 a month for one certificate seems kind of expensive, considering a script with openssl can do the same thing for free.

And only 25 for enterprise? Our midsize business is currently using 416 certs.

Can I ask how you've created 416 certificates for a mid size company? Holy shit, lol.

Unless those include SMIME certs, but still...

Lots of internal web services, web servers, VM hosts, MQ channels, LDAP stores, etc (times 5, for different platforms and locations). Everything gets a cert, haven't been using wildcards. Lots of internal signed certs, but they suffer the same problems that this service is trying to solve.
Thank you for the feedback - interesting to hear that your midsize business generated 416 certs.

We do more than you can do by scripting OpenSSL. For example: as far as I know OpenSSL won't warn you if your certificate is signed using SHA1 - one of new several features we're about to push out.

More generally scripting OpenSSL requires knowledge, time and infrastructure many people aren't able or willing to invest (what is monitoring the monitor...)

Idea is great, but pricing seems a bit expensive.

Have >25 certs? Add this check to Nagios: http://exchange.nagios.org/directory/Plugins/Network-Protoco...

Saved you $200/month :)

Yeah especially since some people offering this same service for free

http://voodooalerts.com/free

Sorry, but that is not factually correct.

These are very different services.

Voodooalerts requires you to place JS on your page. Because of this I am sure they cannot run the full suite of audits that Snitch does.

No, Voodoo Alerts FREE has no JS. Its a server ping just like Pingdom or this service, except its free.

The full paid version of Voodoo Alerts requires JS to be installed but that is for RUM alerting

Edit: you're right about it not doing everything that snitch.Io does, but saving $10 a month on simple alerting sounds good to me

Thank you for visiting Snitch.io. Unfortunately, your statements are still not correct.

I signed up for a free account on VA and put in a site with a revoked SSL certificate. It has not generated an alert. It has been over 12 hours. It is still prompting me to insert the JS on my site, by the way.

As to your second point. Snitch isn't simple alerting.

It runs a full range of tests on an SSL certificate: checking for expiration, checking for revocation, checking that all of the intermediate certificates have not been revoked, checking the certificate is valid for the domain (including SNI), checking that the certificate isn't signed with a weak algorithm such as SHA-1 that Chrome is about deprecate, checking that the certificate has not been changed (incorrect server config, malicious intent...)

Snitch is not targeted at people who just need to know if their site is up or down.

If you are are a business and users browsing to your site get a big red warning in their browser because your SSL certificate is expired/revoked/weak/misconfigured - that is a problem and you lose money. That is what Snitch is addressing.

I should have mentioned that I am in the beta for VA and that feature doesn't open up until next week for all users.

In fact I'm probably breaking terms mentioning it...

Thanks for the clarification.

I was wondering if you were also going to mention that you are VoodooAlerts' founder?

I, personally, think it is poor form to advertise features that don't exist while pretending to be a customer of VoodooAlerts.

I wish you the best of luck with VoodooAlerts!

https://twitter.com/Leesfer

Being a #2 employee isn't exactly a founder, now is it?

Good luck in this field, it's competitive :)

I use and really like http://wormly.com.

Their monitoring includes SSL cert validity, among many other things.

This is seems potentially quite useful. It would be nice if it could also notify you if your server is not configured according to best practices in terms of things such as protocol versions and cipher suites.
Thanks for the feedback!

That is definitely on the roadmap and will go out soon.

I think this is a brilliant idea, and seeing what you've built I'm sort of kicking myself for not having acted on the same idea. It's the sort of thing that is feasible for a company to do on their own but is difficult enough that it is very seldom done.
Thank you for the kind words, msane.
Considering you can get much of this functionality from programs created by CAs (for example, https://www.digicert.com/cert-inspector.htm from my CA), this seems... way too expensive.
(comment deleted)
There are some pretty crucial and obvious differences between these two products.

Does DigiCert provide any guarantees on how often they monitor your certificates? Do they offer any alert mechanisms other than email? Do they let you monitor certificates that are on your critical path but not necessarily ones you own (partners...etc)

You also mention cost..but since you are not paying them you are not their customer - you are their product.

Snitch is clearly aligned with customers since our goal is to help you succeed at securing your site. Our goal is to make it easy for you (site owner) to do the right thing and provide a good experience to your customers.