UX and GUI improvements

The last two weeks were mostly spent on improving the graphical user interface (GUI) and user experience (UX).

ShadowTrackr is continuously growing. Sometimes functionality is improved, sometimes features are added, and things get "bolted on". Over time, clear and readable webpages will devolve into Frankenpages.

Two weeks of tender love and care should have fixed that now. I’m happy with the new layout. Warnings and errors are more consistent, and many asset properties are now clickable links. These links will generate a search query and show you all other assets with the same properties.

Finally, the exports have improved too, try mailing yourself a certificate, website, host or domain page. Just click "mail report" in the context menu (three dots, right upper corner). These reports are intended to mail to the IT staff that has to fix things. You can directly mail them from your account, without having to go trough copy-paste hell. Hopefully this lower the bar and encourages you to improve your security posture even more.

I hope you like the update as much as I do. If you have any suggestions or special requests, please let me know!

CVE checks on detected software

Some of you might have seen the CVE mentions on the software reports page. They have silently been in beta for a while, and now it’s time to step up.

ShadowTrackr runs automatic checks to detect software running on your websites and servers, and it always suprised me how often it’s possible to determine the exact version number too. Since we have this information anyway, we should do something useful with it, and that’s were the CVE checks come in.

As of today we maintain a current database of all released CVEs. Everytime we find software and version information on one of your assets, we’ll check it against the known vulnerabilities in the CVE database. If we find a vulnerability, you’ll get a warning. And if it’s a critical vulnerability (meaning a CVSS score above 9), we’ll list it as a problem and urge you to fix it immediately.

Any evil hacker who wants to have a go at you will go through the same process of finding out what software you run and checking if there are any known vulnerabilities. So, this should be a major step in reducing your attack surface. Check out the results on the software report page and get started!

Find all current certificates that still use TLS 1.0 and TLS 1.1

All major browsers are ending support for TLS 1.0 and 1.1 in 2020. Any websites still supporting these protocols will have their grades capped to an ugly B.

A client chasing certificates noticed that ShadowTrackr did not have the option to show or export current certificates that still use TLS 1.0 and TLS 1.1. There’s an option to list all certificates under reports, and there’s an option to list all certificates using TLS 1.0 and TLS 1.1. However you couldn’t combine both and that sucks.

So, this weeks update added more options to search. I added the last_seen field to certificates, websites, hosts, whois and dns records. You can use it to find your current certificates that still use TLS 1.0 and TLS 1.1. It works like this (type in search bar):

    (certificate.protocols: "TLS 1.0" 
     OR certificate.protocols: "TLS 1.1") 
    AND certificate.last_seen>2020-03-01

Handy right? As with any search, an export button will appear on the top right of the page allowing you to easily download or email the search results.

Please keep sending your comments, suggestions and frustrations. It really helps to focus development effort on the things that are most useful.