HTTPS Enabled with Valid SSL Certificate
Issue No: 1
Category: HTTP Security Headers
Issue type: Issue
Priority: Critical
Description
Verifies if the target website forces secure connections over HTTPS and checks if the corresponding SSL/TLS certificate is present, valid, and trusted by major browsers.
How do we capture it
When the XeoPix Crawler initiates a connection to the seed URL:
- Initial Protocol Resolution: The crawler attempts to fetch the URL. If the user input is a bare domain (e.g., example.com), the crawler initiates a GET request to http://example.com first, then follows redirects (301 or 302) to see if it lands on https://example.com to check for canonical redirects.
- TLS Handshake Hook: During the HTTPS connection phase, XeoPix hooks into the network socket layer (using Node.js tls.connect or Python's ssl library) to intercept the server's certificate.
- Peer Certificate Extraction: The crawler calls socket.getpeercertificate(true) to extract the raw certificate properties, including the certificate chain.
- Validation Logic:
- Checks if the connection succeeded without throwing certificate errors (e.g., DEPTH_ZERO_SELF_SIGNED_CERT, CERT_HAS_EXPIRED, ERR_TLS_CERT_ALTNAME_INVALID).
- Reads structural metadata: Issuer, Subject Alternative Names (SAN), Validity Start Date, Validity End Date (Expiry), Signature Algorithm, and TLS Protocol Version used (e.g., TLS 1.2, TLS 1.3).
What to store
| Field | Comment |
|---|---|
| has_https | BOOLEAN DEFAULT FALSE — Flag indicating if the site is reachable over HTTPS |
| ssl_cert_present | BOOLEAN DEFAULT FALSE — Flag indicating if any SSL certificates are found |
| is_valid_ssl_cert | BOOLEAN DEFAULT FALSE — Flag indicating if the SSL certificate is fully valid and trusted |
| ssl_error_code | VARCHAR(100) — Error code returned by the TLS handshake if validation fails |
| ssl_cert_issuer_common_name | VARCHAR(255) — The common name of the Certificate Authority that issued the certificate |
| ssl_cert_valid_from | TIMESTAMP WITH TIME ZONE — The starting date and time of the certificate's validity |
| ssl_certificate_expiry | TIMESTAMP WITH TIME ZONE — The expiration date and time of the certificate |
| ssl_cert_days_to_expiry | INT — Remaining days before the SSL certificate expires |
| ssl_cert_signature_algorithm | VARCHAR(100) — Cryptographic algorithm used to sign the certificate |
| tls_version_negotiated | VARCHAR(20) — TLS protocol version negotiated during handshake |
| has_canonical_https_redirect | BOOLEAN DEFAULT FALSE — Flag indicating if HTTP traffic canonicalizes to HTTPS |
Condition for trigger
The XeoPix reporting engine processes the collected transport metadata against five key validation rules to flag security vulnerabilities and service-impacting configurations:
-
Trigger Rule 1: Secure Connection Unavailable (No HTTPS)
- Target Field:
has_https - Evaluation Logic:
= FALSE - Severity: CRITICAL
- Diagnostic Message: "The site is running on insecure HTTP. User data is exposed to MITM snooping."
- Target Field:
-
Trigger Rule 2: Missing Certificate (No SSL Certificate)
- Target Field:
ssl_cert_present - Evaluation Logic:
= FALSE - Severity: CRITICAL
- Diagnostic Message: "No SSL certificate was detected. Secure connections cannot be established."
- Target Field:
-
Trigger Rule 3: Invalid Host or Trust Chain (Invalid Certificate)
- Target Field:
is_valid_ssl_cert - Evaluation Logic:
= FALSE AND has_https = TRUE - Severity: CRITICAL
- Diagnostic Message: "SSL Certificate is invalid: [ssl_error_code]. Browsers will block access."
- Target Field:
-
Trigger Rule 4: Imminent Certificate Expiry (Impending Expiry)
- Target Field:
ssl_cert_days_to_expiry - Evaluation Logic:
<= 14 AND is_valid_ssl_cert = TRUE - Severity: WARNING
- Diagnostic Message: "SSL certificate expires in [ssl_cert_days_to_expiry] days. Renew immediately."
- Target Field:
-
Trigger Rule 5: Deprecated Protocol Negotiated (Weak TLS Protocol)
- Target Field:
tls_version_negotiated - Evaluation Logic:
IN ('TLSv1.0', 'TLSv1.1', 'SSLv3') - Severity: WARNING
- Diagnostic Message: "Server supports legacy TLS protocol. Deprecated by major web standards."
- Target Field:
Sources
- W3C Secure Contexts
- Google Search Central: HTTPS as a ranking signal
- Let's Encrypt: About Certificates
- Qualys SSL Labs: SSL/TLS Best Practices
Long description
The Mechanics of SSL/TLS & HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the HTTP protocol that uses Transport Layer Security (TLS) to encrypt all communications between a user's browser and the web host. This prevents attackers from eavesdropping on, intercepting, or altering the data package in transit—an attack vector known as a Man-In-The-Middle (MITM) exploit.
When a client attempts to connect to a website, the server presents a cryptographic certificate issued by a Certificate Authority (CA) (e.g., Let's Encrypt, DigiCert, Sectigo). The client verifies:
- Trust Chain: The certificate is signed by an intermediate CA which ultimately traces back to a trusted "Root Certificate" pre-installed in the client's OS or browser trust store.
- Hostname Matching: The domain name in the browser address bar matches a name stored in the certificate's Subject Alternative Names (SAN) list.
- Validity Window: The current system time falls between the certificate's Not Before and Not After timestamps.
What Happens When SSL/TLS Validation Fails?
If the HTTPS connection or the certificate validation fails, modern web browsers drop a hard, non-bypassable barrier blocking the user from proceeding:
+------------------------------------------------------------------------+
| [!] Your connection is not private |
| Attackers might be trying to steal your information... |
| |
| NET::ERR_CERT_COMMON_NAME_INVALID |
| |
| [ Advanced ] [ Back to safety ] |
+------------------------------------------------------------------------+
This leads to a near-total drop in organic search traffic and conversion rates. Additionally, search engines actively treat HTTPS as a core page-experience ranking factor. Unencrypted sites are flagged as "Not Secure" directly in the browser's URL address bar and suffer penalties in search engine results page (SERP) visibility.
Typical Failure Scenarios Checked by XeoPix
- Self-Signed Certificate: Often found on staging environments; the host generated its own certificate, which lacks a trusted root authority.
- Expired Certificate: The administrator missed configuring automated renewals (e.g., Certbot cron failure).
- Hostname Mismatch: The certificate is valid for example.com but does not include www.example.com or other subdomains.
How to Fix
Obtain a Trusted Certificate for your Site
If you do not have a certificate, obtain one from a trusted Certificate Authority. You can easily get a free, fully automated certificate via Let's Encrypt.
Steps to Enable HTTPS
- Generate or acquire an SSL/TLS certificate from a trusted Certificate Authority (CA) such as Let's Encrypt, DigiCert, or Sectigo.
- Install the certificate on your web server and configure it to use HTTPS.
- Enable automatic renewal through your CA's automated tool (e.g., Certbot for Let's Encrypt) to prevent certificate expiry.
- Configure HTTP-to-HTTPS redirect to ensure all HTTP traffic canonicalizes to HTTPS (301 or 302 status code).
- Test your configuration using tools such as SSL Labs to verify the certificate is valid, trusted, and using a modern TLS version (TLS 1.2 or higher).
- Monitor certificate expiry by setting up alerts 30 days before expiration to ensure timely renewal.