gottreu/shaaaaaaaaaaaaa

SHAAAAAAAAAAAAA

This repository contains the code for shaaaaaaaaaaaaa.com, a tool to check whether your site's certificate is signed using SHA-1 (common, bad) or SHA-2 (rare, good).

Read more about why I built this tool and why replacing SHA-1 is important.

This tool does not validate certificates, or test anything besides SHA-1 vs SHA-2. For that, please visit the magnificent SSL Labs for a far more comprehensive review of your SSL configuration.

Depends on openssl to download certificates. See below for a command line version.

How do I update to SHA-2?

Read the instructions on shaaaaaaaaaaaaa.com for replacing your cert and any intermediates.

How can I help?

Check out the issue tracker. The biggest things are:

How about a bookmarklet, a Firefox extension, or a Chrome extension?
Some annoying domain errors on edge cases in Google's DNS.
Mapping out common certificate issuers so we can easily link people to replacements.
Hunting down more SHA-2 intermediate locations than we currently have on the site.
More unit tests, especially for intermediate certificates and chained root certificates.
Getting some Internet SHA-1 stats by running the command line tool over a list of top sites, like Alexa's [CSV download].

Really, just making the site better all around.

Running the website

This app requires Node. Then, install dependencies:

npm install

And run the app:

node app.js

For best results, make sure your system is using the latest version of openssl.

Command line version

To check a domain's certificate on the command line, use this repository's command line tool:

./bin/shaaaaaaaaaaaaa isitchristmas.com

This will exit with code 0, and output formatted JSON to STDOUT:

{
  "domain": "isitchristmas.com",
  "cert": {
    "algorithm": "sha1",
    "raw": "sha1WithRSAEncryption",
    "good": false,
    "expires": "2016-04-08T11:47:28.000Z",
    "name": "www.isitchristmas.com"
  },
  "intermediates": [
    {
      "algorithm": "sha256",
      "raw": "sha256WithRSAEncryption",
      "good": true,
      "expires": "2017-10-24T20:57:09.000Z",
      "name": "StartCom Class 2 Primary Intermediate Server CA"
    }
  ]
}

If there's an error, you'll get some JSON with an error flag of true, and the process will exit with code 1:

$ ./bin/shaaaaaaaaaaaaa bad-domain

{
  "error": true,
  "domain": "bad-domain",
  "message": "Couldn't lookup hostname."
}

Author

This is a tiny tool by Eric Mill. Released under an MIT License.

gottreu / shaaaaaaaaaaaaa