Monitoring for the encrypted web

Because there's more to HTTPS than just monitoring
for certificate expiration dates.

Mixed Content: The page at 'https://yoursite.tld/' was loaded over HTTPS, but requested an insecure image 'http://yoursite.tld/image.jpg'. This content should also be served over HTTPS.
Mixed Content: The page at 'https://yoursite.tld/' was loaded over HTTPS, but requested an insecure script 'http://yoursite.tld/script.js'. This request has been blocked; the content must be served over HTTPS.

Mixed Content detection

All your content on an HTTPS page needs to be loaded from HTTPS domains. We scan your pages and detect resources that are loaded from insecure HTTP endpoints. Visitors of your site might otherwise see a warning or miss content being loaded.
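A minimal version of such a scan, as an added example (not Oh Dear!'s own code): it parses a page's HTML and reports subresources that resolve to plain HTTP, split into the blocked (active) and warned (passive) kinds shown in the console messages above. The names `scan` and `MixedContentScanner`, the simplified tag lists and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs: "active" loads are blocked on an HTTPS page,
# "passive" loads are fetched but trigger a warning (see the console lines above).
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        refs = []
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            refs.append(("active", attrs.get("href")))
        for attr in ("src", "data"):
            if (tag, attr) in ACTIVE:
                refs.append(("active", attrs.get(attr)))
            elif (tag, attr) in PASSIVE:
                refs.append(("passive", attrs.get(attr)))
        for kind, ref in refs:
            # Resolve relative and protocol-relative references against the page.
            url = urljoin(self.page_url, (ref or "").strip())
            if ref and urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))

def scan(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (not taken from a real site).
SAMPLE = """
<link rel="stylesheet" href="/css/site.css">
<script src="http://yoursite.tld/script.js"></script>
<script src="//yourcdn.tld/lib.js"></script>
<img src="http://yoursite.tld/image.jpg">
<a href="http://example.org/">a plain link is navigation, not mixed content</a>
"""

if __name__ == "__main__":
    print(scan("https://yoursite.tld/", SAMPLE))
```

The protocol-relative script and the relative stylesheet inherit HTTPS from the page, so only the two explicit `http://` subresources are reported.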

Sign up for the beta

SSL Certificate Expirations

We know, technically they're called X.509 Public Key Certificates, but the whole world calls them SSL certificates. We'll monitor your site's certificate expiration dates and send you a notification when they're about to expire.

But we don't just monitor your domain's certificate: we verify all your intermediate certificates, too. And if a certificate changes, you'll be presented with a clean before & after report, so you'll see if any of the covered domains have changed too.

Your connection is not private

Attackers might be trying to steal your information from yoursite.tld (for example, passwords, messages, or credit cards).

NET::ERR_CERT_REVOKED
NET::ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN
NET::ERR_CERT_AUTHORITY_INVALID

Acronym Bingo!

OCSP, CT, CRL, HPKP, ... do any of those ring a bell? If not, trust us to monitor it for you. We check all your certificates - including your intermediates - to see if they've been revoked, either through Certificate Revocation Lists (CRL) or the Online Certificate Status Protocol (OCSP).

If you're using any public key pinning mechanism like HPKP, we'll verify that your certificates still match and will report best practice improvements when we detect you've pinned a leaf key over an intermediate.

Certificate Chain validation

A chain is only as strong as its weakest link, and SSL certificates are the prime example. We don't just monitor your domain's certificate but will check every intermediate certificate too, up to the root certificate, to verify the chain of trust.

We look for SHA-1 certificates, revoked intermediates, distrusted root certificates, ... each of those problems can cause your site to be unavailable. And none of those changes are in your control: these decisions are made by the Certificate Authorities (CAs) or the browsers themselves, via the CAB Forum.

DST Root CA X3
Valid until: Friday, 21 August 2022 at 06:00:00 Central
Let's Encrypt Authority X3
Valid until: Saturday, 2 January 2020 at 12:00:00 Central
ohdearapp.com
Valid until: Tuesday, 21 November 2017 at 12:54:00 Central
Refused to load the script 'http://yourcdn.tld/jquery.min.js' because it violates the following Content Security Policy directive: "script-src 'self'".
Refused to load stylesheet 'http://yourcdn.tld/style.css' because it violates the following Content Security Policy directive: ...

Content Security Policy monitoring

If you've configured a CSP - Content Security Policy - we'll crawl your site to see if you have any pages that violate that security policy. Additionally, you can set a report-uri that points to us to receive reports whenever the CSP is blocking elements on your page.

Who would you rather have inform you: your visitors or us?

Certificate Transparency Monitoring

In the near future, all certificates issued need to be published to known Certificate Logs. As a result, every certificate issued becomes public knowledge.

We monitor those Certificate Transparency Logs and will alert you whenever a new certificate is issued for one of your domains. You can then decide whether it was issued on purpose by you or by a malicious actor, and act accordingly.

$ cat ohdearapp.conf
# Enable TLS
ssl                         on;
ssl_certificate             ohdearapp.com/fullchain.pem;
ssl_certificate_key         ohdearapp.com/privkey.pem;

ssl_session_timeout         3m;
ssl_session_cache           shared:SSL:30m;

# Configure TLS, prefer strong ciphers
ssl_protocols               TLSv1.2;
ssl_ciphers                 ECDHE-RSA-AES128-GCM-SHA256:...:!DES:!RC4:!MD5:...;
ssl_prefer_server_ciphers   on;

# Use a 4096-bit key length for Diffie-Hellman, prevent Logjam attack
ssl_dhparam                 /etc/ssl/certs/dhparam-4096bit.pem;

# OCSP (Online Certificate Status Protocol) server-side checks are enabled
ssl_stapling            on;
ssl_stapling_verify     on;
resolver_timeout        60s;
ssl_trusted_certificate ohdearapp.com/fullchain.pem;

TLS cipher monitoring

Configuring HTTPS is great, but if you use weak encryption ciphers or don't support Perfect Forward Secrecy (PFS), your website is missing critical security features.

We will routinely scan your server(s) and report changes in TLS ciphers, alert when weak ciphers like RC4, MD5 or DES are used and if you're using insecure protocols like SSLv2 or SSLv3.

Additionally, we'll check your OCSP stapling and whether your server sends a list of preferred ciphers, so downgrade attacks are prevented.

HTTPS isn't a very forgiving protocol: it takes a lot of configuration settings to get it right, but only a single mistake to knock your site offline. Let us monitor that for you.
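The checks listed above can be approximated on the configuration side. The following is an added example (not Oh Dear!'s scanner, which probes servers over the network): it audits nginx-style TLS directives for the weak protocols and ciphers named above and for the server-preference and stapling settings. The function names and both sample configurations are constructed for illustration.

```python
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES")  # "DES" also matches 3DES suites

def parse_directives(conf):
    """Map nginx directive name -> argument string ('#' starts a comment)."""
    directives = {}
    for line in conf.splitlines():
        match = re.match(r"(\w+)\s+(.+?)\s*;$", line.split("#", 1)[0].strip())
        if match:
            directives[match.group(1)] = match.group(2)
    return directives

def audit(conf):
    d = parse_directives(conf)
    findings = []
    for proto in d.get("ssl_protocols", "").split():
        if proto in WEAK_PROTOCOLS:
            findings.append("insecure protocol enabled: " + proto)
    for item in d.get("ssl_ciphers", "").split(":"):
        # OpenSSL cipher-list syntax: '!' and '-' remove ciphers and '+' only
        # reorders them, so prefixed entries never enable anything.
        if not item or item[0] in "!-+":
            continue
        if any(marker in item.upper() for marker in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher enabled: " + item)
    for name in ("ssl_prefer_server_ciphers", "ssl_stapling"):
        if d.get(name) != "on":
            findings.append(name + " is not on")
    return findings

# Constructed configurations for illustration; neither is the page's own file.
WEAK_CONF = """
ssl_protocols             SSLv3 TLSv1.2;
ssl_ciphers               ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:DES-CBC3-SHA;
ssl_prefer_server_ciphers off;
"""
HARDENED_CONF = """
ssl_protocols             TLSv1.2;   # modern protocol only
ssl_ciphers               ECDHE-RSA-AES128-GCM-SHA256:!DES:!RC4:!MD5;
ssl_prefer_server_ciphers on;
ssl_stapling              on;
"""

if __name__ == "__main__":
    print(audit(WEAK_CONF))
    print(audit(HARDENED_CONF))
```

Entries such as `!RC4` are exclusions, which is why the hardened sample passes even though the string "RC4" appears in it.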

There's an API for that

We love automation just as much as you do.

There's an API you can use to automatically add domains to be monitored, trigger on-demand runs and retrieve the status for each of your monitored domains. Integrate it in your own monitoring as you see fit.

$ curl -H "Accept: application/json" \
  -H "Authorization: QnV0IEkgdGhvdWdodCBteSBiYjb250ZW50IHdhcyBhIHNlY3JldCE=" \
  -H "Secret-Header: OhDearSecrets" \
  -H "Version: 1.0" \
  https://ohdearapp.com/app/api/domains 

Meet the team

Dries Vints

laravel.io maintainer, meetup organiser, Laravel contributor & web developer.

Freek Murze

Freek Van der Herten

Laravel packager, blogger, all-round web developer & web crawling expert.

Mattias Geniar

Sysadmin, developer, blogger, open source evangelist & security specialist.

Oh Dear! features

Free trial

A no-strings-attached, 1 month free trial for you to evaluate our service.

Cancel at any time.

Certificate Monitoring

Expiration dates, revocation lists, certificate changes, distrusted certificate authorities, ... you name it, we monitor it.

Content validation

Don't let a mixed content issue ruin your day: we'll notify you whenever we find a page with mixed content. Do you use CSP? We'll alert you to violations, too.

We're fast

Certificate changes trigger alerts in minutes, not days. You want to be on top of your infrastructure? We've got you covered.

Made by experts

Each of the founders is an expert in their domain, giving you their combined knowledge in one convenient service.

Protect yourself

The web is moving to HTTPS. Don't let a misconfiguration ruin your site's reputation or availability. Oh Dear! can help you deploy SSL certificates with more confidence.

Sign up for our closed beta

We respect your privacy and you won't get spam. Ever.
Just a heads-up once you're eligible for our beta. Oh, and when we launch.