spoofzu/DeepViolet

DeepViolet Beta 6 Features


Improvement 1(COMPLETE), It would be awesome if session properties were set based on constants or enums for the keys, e.g.:

```java
session.setProperty("ENABLED_PROTOCOLS", enabledProtocols);
```

So that when users want to do something like,

```java
String[] hshake_list = session.getPropertyValue("ENABLED_PROTOCOLS").split(",");
```

they're not bound to a string for the key name, which could change and break things in the future. (via kingthorin+owaspzap)

Improvement 2(COMPLETE), Vulnerability Analysis
Perform analysis for various attacks against TLS. This has been requested by several people as being a valuable feature for them. Originally, SSLServer included support for BEAST, CRIME, and FREAK. Along with these I will add support for ROBOT.

Improvement 3(COMPLETE), Ciphersuite Name Convention May be Specified
Support popular ciphersuite name conventions: GnuTLS, NSS, IANA, OpenSSL. Convention may be specified when calling `IDVEng.getCipherSuites(CIPHER_NAME_CONVENTION CIPHER_NAME_CONVENTION)`. If no naming convention is specified, then `CIPHER_NAME_CONVENTION.IANA` is the default.

Improvement 4(COMPLETE), Update Mozilla JSON Documents
DV ships with two files, 1) ciphermap.json. This file provides a mapping to desired ciphersuite naming convention described in Improvement 5. 2) server-side-tls-conf-4.0.json. This file provides the mapping to ciphersuite strength evaluations. The json information is gathered online and placed into static files that ship with DV so that DV does not open connections to Mozilla at runtime. In any case, this information has been refreshed with the latest from Mozilla.

Bug/Fix It Items

  1. Errors in ciphersuite selection during the TLS handshake should be communicated differently. Following is a sample error message, "Error: server wants to use cipher suite 35 which client did not announce".

**Parking Lot: feature for callers to implement a progress bar.**
Test progress and early abort if taking too long. Refer to comments in zaproxy/zaproxy#2532 (via thc202_owaspzap)
Note(3/7/2018 Milton): I have code sort of like this for the DeepVioletTools UI so that scanning occurs outside the caller's thread. This helps keep the UI status fresh while the user is waiting. To make this work I would instead need to push the functionality down into the API. The feature definitely makes sense for callers like ZAP. I just need to find some time to get it done. ;o).

Parking Lot: Scoring System
Consider moving to a scoring system similar to Qualys SSL Labs scoring and TLS Observatory. Today there is no analysis, with the exception of a strong, medium, and weak evaluation of cipher suites.
Note(1/18/2018 Milton): I like the idea but I'm concerned about implementing it since it seems a bit misleading since DV is not comprehensive. My concern may be roughly summarized in the following, if I don't find any problems and I provide a grade of "A" or similar status it may be misleading since there could still be a problem in other types of attacks or areas I don't check. Outside of a useful rubric to communicate results to users, I would like to postpone this for now.

Parking Lot: JSON Report
Several attendees at Black Hat EU 2016 mentioned exporting reports in JSON would be a big compatibility benefit. Easy integration with Splunk was one example. Considering how best to implement.

Thanks!