Google releases 'nogotofail' tool to sniff out known HTTPS flaws

New tool makes it easier to detect security weaknesses in the TLS/SSL communications of any internet-connected device.
Written by Liam Tung, Contributing Writer

Google has released a security testing tool to help ensure HTTPS connections aren't undermined by common configuration mistakes or known bugs.

Called 'nogotofail', apparently a nod to Apple's 'goto fail' certificate-validation bug that affected Mac and iOS systems earlier this year, the tool gives developers a way to confirm that internet-connected devices and applications aren't exposed to known transport layer security (TLS) and secure sockets layer (SSL) bugs or misconfigurations.

The release of nogotofail follows the recent discovery of several hair-raising flaws in TLS/SSL protocols and implementations, such as the recent POODLE bug in SSLv3 and the Heartbleed bug in OpenSSL, both of which left hundreds of thousands of servers exposed to serious attacks and triggered huge industry-wide clean-up efforts.

Nogotofail tests for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, and cleartext issues. The tool can be deployed on a router, a Linux machine, or a VPN server and works for Android, Chrome OS, iOS, Linux, OS X, and Windows — basically any device used to connect to the internet.

The bigger goal behind nogotofail is to ensure HTTPS connections really are secure by tying up loose ends introduced by developers or admins who have used TLS/SSL incorrectly.

"We've been using this tool ourselves for some time and have worked with many developers to improve the security of their apps. But we want the use of TLS/SSL to advance as quickly as possible," Chad Brubaker, Android security engineer, said in a blog post yesterday.

To encourage others to test their applications and contribute new features, the team has released nogotofail code on GitHub as an open source project.

The release of nogotofail follows Google's recent push for developers to make all communications SSL-encrypted by default, not just, for example, online banking sessions.

"Google is committed to increasing the use of TLS/SSL in all applications and services. But 'HTTPS everywhere' is not enough; it also needs to be used correctly. Most platforms and devices have secure defaults, but some applications and libraries override the defaults for the worse, and in some instances we've seen platforms make mistakes as well. As applications get more complex, connect to more services, and use more third party libraries, it becomes easier to introduce these types of mistakes," said Brubaker.
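The "override the defaults for the worse" mistake Brubaker describes, and the certificate-verification and downgrade issues nogotofail is listed as testing for, can be shown from the application side. The following is an added example written for this page, not nogotofail's own code or anything from Google's post: it builds a Python client TLS context the way a developer often does to "fix" a certificate error, builds the correct one beside it, and runs a small, hypothetical `audit_context()` check (the finding codes are this example's own invention) that reports what an attacker on the network path could exploit.

```python
import ssl

# Finding codes reported by the audit; each is a class of bug nogotofail probes for.
# These names are this example's own, not nogotofail's.
NO_CERT_VERIFICATION = "no-cert-verification"  # any certificate, even an attacker's, is accepted
NO_HOSTNAME_CHECK = "no-hostname-check"        # a valid cert for the wrong host is accepted
WEAK_MIN_VERSION = "weak-min-version"          # can be downgraded below TLS 1.2 (SSLv3/POODLE)


def insecure_context() -> ssl.SSLContext:
    """The mistake pattern: make a certificate error go away by switching checks off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # check_hostname must be cleared first, or setting CERT_NONE below raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # No protocol floor: the client accepts whatever version the peer (or a MITM) offers.
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def secure_context() -> ssl.SSLContext:
    """The platform default: chain verification, hostname check, system CA store."""
    ctx = ssl.create_default_context()
    # Explicit floor so a downgrade attack cannot reach SSLv3 or TLS 1.0.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the finding codes for weaknesses a network attacker could exploit."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(NO_CERT_VERIFICATION)
    if not ctx.check_hostname:
        findings.append(NO_HOSTNAME_CHECK)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(WEAK_MIN_VERSION)
    return findings


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("secure", secure_context())):
        print(f"{name}: {audit_context(ctx) or 'no findings'}")
```

A context with no certificate verification or hostname check connects happily to a man-in-the-middle presenting any certificate, which is exactly the condition nogotofail's interception tests trigger; the secure context refuses it, and the explicit TLS 1.2 floor closes the SSLv3 fallback POODLE relied on.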
