A new network security testing tool called Nogotofail was released by Google yesterday. It is open source and intended for users who wish to contribute to improving Internet security. It is designed to strengthen weak TLS connections and check for problems with the notorious SSL 3.0 certificate.
Nogotofail was created by the Android security team, and it will work with every device able to connect to the Internet. It will be compatible with all operating systems (Linux, Windows, iOS, Android, etc.), and its main purpose is to prevent man-in-the-middle attacks due to weak or insecure TLS or SSL 3.0 certificates.
Offered on the web-based hosting service GitHub, the tool aims to test more complicated applications and override them in the network configuration if necessary. The tool's developers have included tests for common SSL 3.0 certificate validation issues, HTTP and TLS/SSL library bugs, cleartext issues, and SSL and STARTTLS stripping problems. To perform such tests, users often need several libraries; this, along with changing the applications' initial setup, may increase the security problems for the average user.
Users can decide which devices or applications are exposed to vulnerability; they can also request additional information to determine that, and this may actually lead them to just doing more and more tests in the end.
‘There’s an easy-to-use client to configure the settings and get notifications on Android and Linux, as well as the attack engine itself which can be deployed as a router, VPN server, or proxy,’ Chad Brubaker, Android Security Engineer, says in a blog post regarding the new tool, though.
The Nogotofail attack engine can work as a proxy, VPN or router, aiming to help developers create tests that are as close as possible to real attacks. It should also be able to perform tests on protocols relying on STARTTLS to determine whether there is a weakness in the TLS/SSL 3.0 certificates.
‘We’ve been using this tool ourselves for some time and have worked with many developers to improve the security of their apps. But we want the use of TLS/SSL to advance as quickly as possible,’ Brubaker’s message concludes. ‘Today, we’re releasing it as an open-source project, so anyone can test their applications, contribute new features, provide support for more platforms, and help improve the security of the Internet.’