ShadowTrackr

Log in >
RSS feed

Certificate scan results update

03 June 2024
While the grades you see on ShadowTrackr are based on the SSL Labs scoring guide and should be the same, we have discovered a minor difference. When you have an incomplete chain of trust, SSL Labs will show it but still happily hand out an A or even A+. On ShadowTrackr you will receive a T, because and incomplete chain of trust is a Trust issue.

Out of the thousands of certificates we scan, we have only seen this difference on two certificates. On one of them, SSL Labs claimed only Java had an incomplete chain. Our scan showed that Java and Apple had an incomplete chain of trust. All tough the certificate was accepted by Safari on a Macbook, OpenSSL verification on the terminal on that same macbook did show a certificate problem.

If this happens to you, make sure you have the complete certificate bundle including the intermediate certificates installed on your server. The order of the certificates is important too. If this still fails to produce a complete chain of trust, get a certificate signed by a different root CA and try again.

The certificate scan script had been updated, and a bug in the detection of the certificate serial number has been fixed.

Outage early morning of 31 may

31 May 2024
This morning ShadowTrackr was unreachable from the internet. The outage lasted a bit more than 2 hours, and was caused by a failing automatic payment for the domain registration. The warning emails for this unfortunately went to the wrong email address.

All is back to normal, sincere apologies for the inconvenience.

CISA vulnerability reports added

27 May 2024
The US Cybersecurity and Infrastructure Security Agency (CISA) maintains a very useful list of actively abused vulnerabilities. That list is now available in ShadowTrackr internally as extra fields on the cves index. The specific fields are mentioned in the cves index documentation.

To save you some effort there are 3 new reports available in the report library that use this data:

CISA - Your vulnerable assets
A report with your assets that have CVEs mentioned by CISA. These are actively exploited, you want this list to be empty.

CISA - Most recent CVEs
A list of all vulnerabilities that CISA added to their list in the last month

CISA - Most exploited products
An overview of the products that where most often exploited in the last 3 months.
Older posts >

Overview
Use cases
Plans and pricing
FAQ
Resources
API
Blog
Documentation
Integrations
Shodan
OpenCTI
Company
About
Contact us
Legal & Policy