We built Snitch to make it simple and easy to get a handle on your SSL certificates. Our mission is to help people avoid getting blind-sided by SSL issues - losing customers, reputation and business in the process.
We've been working on this for a few months and would appreciate any feedback - thanks!
If anyone wants to email me directly it is my username at currylabs.com or gmail.com
PS: If you are an Open Source project we offer free subscriptions.
You do more than that but really the CA should handle alerts about expiring certificates. They have full knowledge of all certificates, and contact to the responsible party.
true but then you need to actually renew it amd then install it....too many times tickets are filed but get put at the bottom of this list until last minute, or worse a customer reports the nasty browser security warning page
though i do wonder if "this is a feature, not a company"?
I think you're trying to solve a non-problem since the company that sells the certificates warns you (sometimes even more than those intervals), afterall, they want you to renew as well.
As for checking for quality, that should be the sys admin task or the webmaster.
good luck though!
Perhaps a non-problem for startups, but it's definitely a problem for bigger companies where the group that purchases certs may not be the one using them...
Given that Microsoft and Amazon have both had their SSL certs for their cloud businesses expire, a little extra reminding probably can't hurt.
That said, I wouldn't pay for a service like this from a random person, I'd have my registrar do it (MarkMonitor or similar -- that's why they're paid the big bucks).
I don't see the value in paying someone and then trusting them with something (as you say) important to my business when they have no track record.
For my personal set of servers (some 25-30, with ~50 SSL certs), I have Nagios for monitoring them plus calendar alerts, SMS alerts and sane cycling (everything expires in the same month).
My employer is an intermediary CA, they can issue their own certs but I've worked with people who use Markmonitor. As part of buying your cert through them is they worry about making sure your domains stay protected. They'll call you, text you and even mail you reminders. And they have a proven track record dealing with companies that are collective worth trillions.
[Full disclosure - I've been beta testing snitch and been very happy with it].
In an old job for a mid-level bank, we had many behind the scenes (never showed up as a green padlock in any browser) integrations that would quit working when certs expired, frequently ones that we didn't purchase or control.
At the time, it was definitely worth it to me to get some notice before that happened. And it can be easier to plonk down a credit card than work though internal processes to have nagios (or patrol express, <shudder>) do the monitoring. It's the same thing that makes pingdom valuable.
Thanks for your feedback but I strongly disagree and I think recent history supports that CAs don't do much for you once they've collected your payment.
CAs won't alert you if someone breaks into your server and replaces your certificate. They won't alert if you if you accidentally push a config change and start serving the wrong certificate to customers... And they certainly will not alert you if you are using a revoked certificate in production.
I've bought multiple certificates from different reputable vendors - I only ever got one Heartbleed notice. (This pattern repeats itself)
Many shops don't have a dedicated admin / webmaster auditing their certificates and even those that do have had public issues (Akamai, Apple, GitHub, Stripe...etc)
The value in a service like Snitch is that we worry about your SSL certificates. Many people don't have the interest or time in rolling their home grown monitoring of this stuff...
"CAs won't alert you if someone breaks into your server and replaces your certificate. They won't alert if you if you accidentally push a config change and start serving the wrong certificate to customers... And they certainly will not alert you if you are using a revoked certificate in production."
You have valid points, my advice would be to make that part of the message as clear as possible. as a sys admin I could be a potential customer but then again, I already have to worry about certs I implement.
I let a RapidSSL cert lapse lately. They sent me 11 emails about it. They were really rather insistent:
Early bird special: Renew your <website> to save
Keep <website> Secure, renew your SSL
Last chance to save: Your <website> is expiring
ACTION REQUIRED: Your SSL needs attention
FINAL NOTICE: Your SSL expires tomorrow
LAST CHANCE: Your SSL expires today
SECURITY ALERT: Your <website> may not be secure
ACTION REQUIRED: Your SSL needs attention
SSL EXPIRED: Renew to rescue
CALL US: SSL for <website> is expired
Your last SSL expiration notice for <website>
I was actually relieved when they finally stopped mailing me...
Not a big fan of pricing plans that mix volume with features, always makes me feel I'm being screwed when I only need one or the other. (Even though I might be perfectly fine with paying the same amount if the pricing structure was different.)
Lots of internal web services, web servers, VM hosts, MQ channels, LDAP stores, etc (times 5, for different platforms and locations). Everything gets a cert, haven't been using wildcards. Lots of internal signed certs, but they suffer the same problems that this service is trying to solve.
Thank you for the feedback - interesting to hear that your midsize business generated 416 certs.
We do more than you can do by scripting OpenSSL. For example: as far as I know OpenSSL won't warn you if your certificate is signed using SHA1 - one of new several features we're about to push out.
More generally scripting OpenSSL requires knowledge, time and infrastructure many people aren't able or willing to invest (what is monitoring the monitor...)
Thank you for visiting Snitch.io. Unfortunately, your statements are still not correct.
I signed up for a free account on VA and put in a site with a revoked SSL certificate. It has not generated an alert. It has been over 12 hours. It is still prompting me to insert the JS on my site, by the way.
As to your second point. Snitch isn't simple alerting.
It runs a full range of tests on an SSL certificate: checking for expiration, checking for revocation, checking that all of the intermediate certificates have not been revoked, checking the certificate is valid for the domain (including SNI), checking that the certificate isn't signed with a weak algorithm such as SHA-1 that Chrome is about deprecate, checking that the certificate has not been changed (incorrect server config, malicious intent...)
Snitch is not targeted at people who just need to know if their site is up or down.
If you are are a business and users browsing to your site get a big red warning in their browser because your SSL certificate is expired/revoked/weak/misconfigured - that is a problem and you lose money. That is what Snitch is addressing.
This is seems potentially quite useful. It would be nice if it could also notify you if your server is not configured according to best practices in terms of things such as protocol versions and cipher suites.
I think this is a brilliant idea, and seeing what you've built I'm sort of kicking myself for not having acted on the same idea. It's the sort of thing that is feasible for a company to do on their own but is difficult enough that it is very seldom done.
Considering you can get much of this functionality from programs created by CAs (for example, https://www.digicert.com/cert-inspector.htm from my CA), this seems... way too expensive.
There are some pretty crucial and obvious differences between these two products.
Does DigiCert provide any guarantees on how often they monitor your certificates? Do they offer any alert mechanisms other than email? Do they let you monitor certificates that are on your critical path but not necessarily ones you own (partners...etc)
You also mention cost..but since you are not paying them you are not their customer - you are their product.
Snitch is clearly aligned with customers since our goal is to help you succeed at securing your site. Our goal is to make it easy for you (site owner) to do the right thing and provide a good experience to your customers.
48 comments
[ 3.7 ms ] story [ 129 ms ] threadWe've been working on this for a few months and would appreciate any feedback - thanks!
If anyone wants to email me directly it is my username at currylabs.com or gmail.com
PS: If you are an Open Source project we offer free subscriptions.
Where are you incorporated, if? The terms says nothing about it. Who is my contract party when I signup?
We're in Oakland, California.
though i do wonder if "this is a feature, not a company"?
We're constantly improving and rolling out new features. We're confident that over your question will become less of a question :-)
That said, I wouldn't pay for a service like this from a random person, I'd have my registrar do it (MarkMonitor or similar -- that's why they're paid the big bucks).
Can I ask why you wouldn't pay a "random person" as you say - since this information is by definition public?
Can you tell me a bit about your experience using MarkMonitor to do this?
For my personal set of servers (some 25-30, with ~50 SSL certs), I have Nagios for monitoring them plus calendar alerts, SMS alerts and sane cycling (everything expires in the same month).
My employer is an intermediary CA, they can issue their own certs but I've worked with people who use Markmonitor. As part of buying your cert through them is they worry about making sure your domains stay protected. They'll call you, text you and even mail you reminders. And they have a proven track record dealing with companies that are collective worth trillions.
In an old job for a mid-level bank, we had many behind the scenes (never showed up as a green padlock in any browser) integrations that would quit working when certs expired, frequently ones that we didn't purchase or control.
At the time, it was definitely worth it to me to get some notice before that happened. And it can be easier to plonk down a credit card than work though internal processes to have nagios (or patrol express, <shudder>) do the monitoring. It's the same thing that makes pingdom valuable.
CAs won't alert you if someone breaks into your server and replaces your certificate. They won't alert if you if you accidentally push a config change and start serving the wrong certificate to customers... And they certainly will not alert you if you are using a revoked certificate in production.
I've bought multiple certificates from different reputable vendors - I only ever got one Heartbleed notice. (This pattern repeats itself)
Many shops don't have a dedicated admin / webmaster auditing their certificates and even those that do have had public issues (Akamai, Apple, GitHub, Stripe...etc)
The value in a service like Snitch is that we worry about your SSL certificates. Many people don't have the interest or time in rolling their home grown monitoring of this stuff...
You have valid points, my advice would be to make that part of the message as clear as possible. as a sys admin I could be a potential customer but then again, I already have to worry about certs I implement.
I'd love to chat more out-of-band - would you mind emailing me (this username at currylabs.com or gmail.com)
In any case, very nice execution on the front end. Good job.
We're constantly improving and adding extra checks.
Not a big fan of pricing plans that mix volume with features, always makes me feel I'm being screwed when I only need one or the other. (Even though I might be perfectly fine with paying the same amount if the pricing structure was different.)
Definitely something we'll consider. Email me if I can help out in any way! hn username at currylab.com / gmail.com
And only 25 for enterprise? Our midsize business is currently using 416 certs.
Unless those include SMIME certs, but still...
We do more than you can do by scripting OpenSSL. For example: as far as I know OpenSSL won't warn you if your certificate is signed using SHA1 - one of new several features we're about to push out.
More generally scripting OpenSSL requires knowledge, time and infrastructure many people aren't able or willing to invest (what is monitoring the monitor...)
Have >25 certs? Add this check to Nagios: http://exchange.nagios.org/directory/Plugins/Network-Protoco...
Saved you $200/month :)
http://voodooalerts.com/free
These are very different services.
Voodooalerts requires you to place JS on your page. Because of this I am sure they cannot run the full suite of audits that Snitch does.
The full paid version of Voodoo Alerts requires JS to be installed but that is for RUM alerting
Edit: you're right about it not doing everything that snitch.Io does, but saving $10 a month on simple alerting sounds good to me
I signed up for a free account on VA and put in a site with a revoked SSL certificate. It has not generated an alert. It has been over 12 hours. It is still prompting me to insert the JS on my site, by the way.
As to your second point. Snitch isn't simple alerting.
It runs a full range of tests on an SSL certificate: checking for expiration, checking for revocation, checking that all of the intermediate certificates have not been revoked, checking the certificate is valid for the domain (including SNI), checking that the certificate isn't signed with a weak algorithm such as SHA-1 that Chrome is about deprecate, checking that the certificate has not been changed (incorrect server config, malicious intent...)
Snitch is not targeted at people who just need to know if their site is up or down.
If you are are a business and users browsing to your site get a big red warning in their browser because your SSL certificate is expired/revoked/weak/misconfigured - that is a problem and you lose money. That is what Snitch is addressing.
In fact I'm probably breaking terms mentioning it...
I was wondering if you were also going to mention that you are VoodooAlerts' founder?
I, personally, think it is poor form to advertise features that don't exist while pretending to be a customer of VoodooAlerts.
I wish you the best of luck with VoodooAlerts!
https://twitter.com/Leesfer
Good luck in this field, it's competitive :)
Their monitoring includes SSL cert validity, among many other things.
That is definitely on the roadmap and will go out soon.
Does DigiCert provide any guarantees on how often they monitor your certificates? Do they offer any alert mechanisms other than email? Do they let you monitor certificates that are on your critical path but not necessarily ones you own (partners...etc)
You also mention cost..but since you are not paying them you are not their customer - you are their product.
Snitch is clearly aligned with customers since our goal is to help you succeed at securing your site. Our goal is to make it easy for you (site owner) to do the right thing and provide a good experience to your customers.