Skip to main content

HTTPS Enabled with Valid SSL Certificate

Issue No: 1

Category: HTTP Security Headers

Issue type: Issue

Priority: Critical

Description

Verifies if the target website forces secure connections over HTTPS and checks if the corresponding SSL/TLS certificate is present, valid, and trusted by major browsers.

How do we capture it

When the XeoPix Crawler initiates a connection to the seed URL:

  1. Initial Protocol Resolution: The crawler attempts to fetch the URL. If the user input is a bare domain (e.g., example.com), the crawler initiates a GET request to http://example.com first, then follows redirects (301 or 302) to see if it lands on https://example.com to check for canonical redirects.
  2. TLS Handshake Hook: During the HTTPS connection phase, XeoPix hooks into the network socket layer (using Node.js tls.connect or Python's ssl library) to intercept the server's certificate.
  3. Peer Certificate Extraction: The crawler calls socket.getpeercertificate(true) to extract the raw certificate properties, including the certificate chain.
  4. Validation Logic:
    • Checks if the connection succeeded without throwing certificate errors (e.g., DEPTH_ZERO_SELF_SIGNED_CERT, CERT_HAS_EXPIRED, ERR_TLS_CERT_ALTNAME_INVALID).
    • Reads structural metadata: Issuer, Subject Alternative Names (SAN), Validity Start Date, Validity End Date (Expiry), Signature Algorithm, and TLS Protocol Version used (e.g., TLS 1.2, TLS 1.3).

What to store

FieldComment
has_httpsBOOLEAN DEFAULT FALSE — Flag indicating if the site is reachable over HTTPS
ssl_cert_presentBOOLEAN DEFAULT FALSE — Flag indicating if any SSL certificates are found
is_valid_ssl_certBOOLEAN DEFAULT FALSE — Flag indicating if the SSL certificate is fully valid and trusted
ssl_error_codeVARCHAR(100) — Error code returned by the TLS handshake if validation fails
ssl_cert_issuer_common_nameVARCHAR(255) — The common name of the Certificate Authority that issued the certificate
ssl_cert_valid_fromTIMESTAMP WITH TIME ZONE — The starting date and time of the certificate's validity
ssl_certificate_expiryTIMESTAMP WITH TIME ZONE — The expiration date and time of the certificate
ssl_cert_days_to_expiryINT — Remaining days before the SSL certificate expires
ssl_cert_signature_algorithmVARCHAR(100) — Cryptographic algorithm used to sign the certificate
tls_version_negotiatedVARCHAR(20) — TLS protocol version negotiated during handshake
has_canonical_https_redirectBOOLEAN DEFAULT FALSE — Flag indicating if HTTP traffic canonicalizes to HTTPS

Condition for trigger

The XeoPix reporting engine processes the collected transport metadata against five key validation rules to flag security vulnerabilities and service-impacting configurations:

  • Trigger Rule 1: Secure Connection Unavailable (No HTTPS)

    • Target Field: has_https
    • Evaluation Logic: = FALSE
    • Severity: CRITICAL
    • Diagnostic Message: "The site is running on insecure HTTP. User data is exposed to MITM snooping."
  • Trigger Rule 2: Missing Certificate (No SSL Certificate)

    • Target Field: ssl_cert_present
    • Evaluation Logic: = FALSE
    • Severity: CRITICAL
    • Diagnostic Message: "No SSL certificate was detected. Secure connections cannot be established."
  • Trigger Rule 3: Invalid Host or Trust Chain (Invalid Certificate)

    • Target Field: is_valid_ssl_cert
    • Evaluation Logic: = FALSE AND has_https = TRUE
    • Severity: CRITICAL
    • Diagnostic Message: "SSL Certificate is invalid: [ssl_error_code]. Browsers will block access."
  • Trigger Rule 4: Imminent Certificate Expiry (Impending Expiry)

    • Target Field: ssl_cert_days_to_expiry
    • Evaluation Logic: <= 14 AND is_valid_ssl_cert = TRUE
    • Severity: WARNING
    • Diagnostic Message: "SSL certificate expires in [ssl_cert_days_to_expiry] days. Renew immediately."
  • Trigger Rule 5: Deprecated Protocol Negotiated (Weak TLS Protocol)

    • Target Field: tls_version_negotiated
    • Evaluation Logic: IN ('TLSv1.0', 'TLSv1.1', 'SSLv3')
    • Severity: WARNING
    • Diagnostic Message: "Server supports legacy TLS protocol. Deprecated by major web standards."

Sources

Long description

The Mechanics of SSL/TLS & HTTPS

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the HTTP protocol that uses Transport Layer Security (TLS) to encrypt all communications between a user's browser and the web host. This prevents attackers from eavesdropping on, intercepting, or altering the data package in transit—an attack vector known as a Man-In-The-Middle (MITM) exploit.

When a client attempts to connect to a website, the server presents a cryptographic certificate issued by a Certificate Authority (CA) (e.g., Let's Encrypt, DigiCert, Sectigo). The client verifies:

  1. Trust Chain: The certificate is signed by an intermediate CA which ultimately traces back to a trusted "Root Certificate" pre-installed in the client's OS or browser trust store.
  2. Hostname Matching: The domain name in the browser address bar matches a name stored in the certificate's Subject Alternative Names (SAN) list.
  3. Validity Window: The current system time falls between the certificate's Not Before and Not After timestamps.

What Happens When SSL/TLS Validation Fails?

If the HTTPS connection or the certificate validation fails, modern web browsers drop a hard, non-bypassable barrier blocking the user from proceeding:

+------------------------------------------------------------------------+
| [!] Your connection is not private |
| Attackers might be trying to steal your information... |
| |
| NET::ERR_CERT_COMMON_NAME_INVALID |
| |
| [ Advanced ] [ Back to safety ] |
+------------------------------------------------------------------------+

This leads to a near-total drop in organic search traffic and conversion rates. Additionally, search engines actively treat HTTPS as a core page-experience ranking factor. Unencrypted sites are flagged as "Not Secure" directly in the browser's URL address bar and suffer penalties in search engine results page (SERP) visibility.

Typical Failure Scenarios Checked by XeoPix

  • Self-Signed Certificate: Often found on staging environments; the host generated its own certificate, which lacks a trusted root authority.
  • Expired Certificate: The administrator missed configuring automated renewals (e.g., Certbot cron failure).
  • Hostname Mismatch: The certificate is valid for example.com but does not include www.example.com or other subdomains.

How to Fix

Obtain a Trusted Certificate for your Site

If you do not have a certificate, obtain one from a trusted Certificate Authority. You can easily get a free, fully automated certificate via Let's Encrypt.

Steps to Enable HTTPS

  1. Generate or acquire an SSL/TLS certificate from a trusted Certificate Authority (CA) such as Let's Encrypt, DigiCert, or Sectigo.
  2. Install the certificate on your web server and configure it to use HTTPS.
  3. Enable automatic renewal through your CA's automated tool (e.g., Certbot for Let's Encrypt) to prevent certificate expiry.
  4. Configure HTTP-to-HTTPS redirect to ensure all HTTP traffic canonicalizes to HTTPS (301 or 302 status code).
  5. Test your configuration using tools such as SSL Labs to verify the certificate is valid, trusted, and using a modern TLS version (TLS 1.2 or higher).
  6. Monitor certificate expiry by setting up alerts 30 days before expiration to ensure timely renewal.