Because there's more to HTTPS than just monitoring for certificate expiration dates.
All your content on an HTTPS page needs to be loaded from HTTPS domains. We scan your pages and detect resources that are loaded from insecure HTTP endpoints. Visitors of your site might otherwise see a warning or miss content being loaded.
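A mixed content scan of the kind described above, as an added example (not Oh Dear!'s own code). It goes slightly beyond the text by separating active resources, which browsers block, from passive ones, which typically only trigger a warning. The sample page and its `example.test` hosts are constructed.

```python
from html.parser import HTMLParser

# tag -> (attribute holding the URL, kind). "active" resources can rewrite the
# page and are blocked by browsers; "passive" ones typically load with a warning.
RESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "object": ("data", "active"), "embed": ("src", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets are fetched as active content; a canonical
            # link or an <a href> is navigation, not a subresource load.
            if "stylesheet" in (attrs.get("rel") or "").lower().split():
                self._check("active", tag, attrs.get("href"))
        elif tag in RESOURCES:
            attr, kind = RESOURCES[tag]
            self._check(kind, tag, attrs.get(attr))

    def _check(self, kind, tag, url):
        # Relative and protocol-relative (//host/x) URLs inherit https from
        # the page, so only an explicit http:// scheme is mixed content.
        if url and url.strip().lower().startswith("http://"):
            self.findings.append((kind, tag, url.strip()))

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample of a page served over HTTPS.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://example.test/">
<script src="//cdn.example.test/lib.js"></script>
</head><body>
<a href="http://example.test/about">About</a>
<img src="http://img.example.test/logo.png"><img src="/static/banner.png">
<iframe src="HTTP://ads.example.test/frame"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_PAGE):
        print(f"{kind:8} <{tag}> {url}")
```

Static parsing only sees resources present in the markup; anything injected by scripts at runtime needs a headless browser or CSP reports to catch.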
We know, technically they're called X.509 Public Key Certificates, but the whole world calls them SSL certificates. We'll monitor your site's certificate expiration dates and send you a notification when they're about to expire.
But we don't just monitor your domain's certificate: we verify all your intermediate certificates, too. And if a certificate changes, you'll be presented with a clean before & after report, so you'll see if any of the covered domains have changed too.
Your connection is not private
Attackers might be trying to steal your information from yoursite.tld (for example, passwords, messages, or credit cards).
OCSP, CT, CRL, HPKP, ... do any of those ring a bell? If not, trust us to monitor it for you. We check all your certificates - including your intermediates - to see if they've been revoked, either through Certificate Revocation Lists (CRL) or the Online Certificate Status Protocol (OCSP).
If you're using any public key pinning mechanism like HPKP, we'll verify that your certificates still match and will report best practice improvements when we detect you've pinned a leaf key over an intermediate.
A chain is only as strong as its weakest link, and SSL certificates are the prime example. We don't just monitor your domain's certificate but will check every intermediate certificate too, up to the root certificate, to verify the chain of trust.
We look for SHA-1 certificates, revoked intermediates, distrusted root certificates, ... each of those problems can cause your site to be unavailable. And none of those changes are in your control: these decisions get made by the Certificate Authorities (CAs) or the browsers themselves, via the CAB Forum.
If you've configured a CSP - Content Security Policy - we'll crawl your site to see if you have any pages that violate that security policy. Additionally, you can set a report-uri that points to us to receive reports whenever the CSP is blocking elements on your page.
Who would you rather have inform you: your visitors or us?
In the near future, all certificates issued need to be published to known Certificate Logs. As a result, every certificate issued becomes public knowledge.
We monitor those Certificate Transparency Logs and will alert you whenever a new certificate is issued for one of your domains. You can decide if it was on purpose by you or from a malicious actor and act accordingly.
$ cat ohdearapp.conf
# Enable TLS
ssl on;
ssl_certificate ohdearapp.com/fullchain.pem;
ssl_certificate_key ohdearapp.com/privkey.pem;
ssl_session_timeout 3m;
ssl_session_cache shared:SSL:30m;
# Configure TLS, prefer strong ciphers
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:...:!DES:!RC4:!MD5:...;
ssl_prefer_server_ciphers on;
# Use a 4096-bit key length for Diffie-Hellman, prevent the Logjam attack
ssl_dhparam /etc/ssl/certs/dhparam-4096bit.pem;
# OCSP (Online Certificate Status Protocol) server-side checks are enabled
ssl_stapling on;
ssl_stapling_verify on;
resolver_timeout 60s;
ssl_trusted_certificate ohdearapp.com/fullchain.pem;
Configuring HTTPS is great, but if you use weak encryption ciphers or don't support Perfect Forward Secrecy (PFS), your website is missing critical security features.
We will routinely scan your server(s) and report changes in TLS ciphers, and alert you when weak ciphers like RC4, MD5 or DES are used or when you're using insecure protocols like SSLv2 or SSLv3.
Additionally, we'll check your OCSP stapling and whether your server sends a list of preferred ciphers, so downgrade attacks are prevented.
HTTPS isn't a very forgiving protocol: it takes a lot of configuration settings to get it right, but only a single mistake to knock your site offline. Let us monitor that for you.
We love automation just as much as you do.
There's an API you can use to automatically add domains to be monitored, trigger on-demand runs and retrieve the status for each of your monitored domains. Integrate it in your own monitoring as you see fit.
$ curl -H "Accept: application/json" \
    -H "Authorization: QnV0IEkgdGhvdWdodCBteSBiYjb250ZW50IHdhcyBhIHNlY3JldCE=" \
    -H "Secret-Header: OhDearSecrets" \
    -H "Version: 1.0" \
    https://ohdearapp.com/app/api/domains
A no-strings-attached, 1 month free trial for you to evaluate our service.
Cancel at any time.
Expiration dates, revocation lists, certificate changes, distrusted certificate authorities, ... you name it, we monitor it.
Don't let a mixed content issue ruin your day: we'll notify you whenever we find a page with mixed content. Do you use CSP? We'll alert you to violations, too.
Certificate changes are alerted in minutes, not days. You want to be on top of your infrastructure? We've got you covered.
Each of the founders is an expert in their domain, giving you their combined knowledge in one convenient service.
The web is moving to HTTPS. Don't let a misconfiguration ruin your site's reputation or availability. Oh Dear! can help you deploy SSL certificates with more confidence.