Google today introduced a new tool for testing network traffic security called Nogotofail. The company has released it as an open source project available on GitHub, meaning anyone can use it, contribute new features, provide support for more platforms, and do anything else with the end goal of helping to improve the security of the Internet.
The tool’s main purpose is to test whether the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations (it includes testing for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, cleartext issues, and so on). Nogotofail works on Android, iOS, Linux, Windows, Chrome OS, OS X, and “in fact any device you use to connect to the Internet.”
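The certificate verification misconfigurations mentioned above are typically introduced by application code that overrides the platform's secure TLS defaults. The following Python snippet is an added illustration, not code from Nogotofail or Google: it builds one TLS context the way a careless client often does (verification and hostname checking switched off) next to the default one, and a small audit function that flags the weak settings the same way a network-side tester would expect to find them. Everything here uses only the standard `ssl` module; the function names are assumptions made for this example.

```python
import ssl

def insecure_context() -> ssl.SSLContext:
    """Anti-pattern: start from the secure default, then weaken it.

    check_hostname must be disabled before verify_mode, otherwise
    Python refuses the combination with a ValueError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # any name in the cert is accepted
    ctx.verify_mode = ssl.CERT_NONE     # any (or no) certificate is accepted
    return ctx

def secure_context() -> ssl.SSLContext:
    """The platform default: chain validation plus hostname check.

    Pinning the minimum protocol version explicitly keeps the audit
    result identical across Python releases.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings for a client-side SSLContext.

    An empty list means the context keeps the secure defaults.
    """
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    # TLSVersion is an IntEnum, so the comparison below is well defined.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("accepts TLS versions older than 1.2")
    return findings

if __name__ == "__main__":
    for label, ctx in (("insecure", insecure_context()),
                       ("secure", secure_context())):
        result = audit_context(ctx) or ["no findings"]
        print(f"{label}: {', '.join(result)}")
```

A context that fails this audit is exactly the kind of client that an interception-based tester such as Nogotofail would report, because a certificate signed by an untrusted authority, or issued for the wrong name, is silently accepted instead of being rejected.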
“Google is committed to increasing the use of TLS/SSL in all applications and services. But ‘HTTPS everywhere’ is not enough; it also needs to be used correctly,” Brubaker wrote in a blog post.
“Most platforms and devices have secure defaults, but some applications and libraries override the defaults for the worse, and in some instances we’ve seen platforms make mistakes as well. As applications get more complex, connect to more services, and use more third party libraries, it becomes easier to introduce these types of mistakes.”
Google believes that, by releasing the tool as open source, the community will be able to protect itself proactively against future vulnerabilities as they are uncovered, in part through the work of the Core Infrastructure Initiative, the Linux Foundation-managed organisation set up in the wake of the Heartbleed bug to monitor and fix security protocols.