Today, Google introduced a new tool for testing network traffic security called Nogotofail.
It has been released as an open source project available on GitHub, meaning anyone can use it, contribute new features, provide support for more platforms, and do anything else with the end goal of helping to improve the security of the Internet.
The tool’s main purpose is to test whether the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations (it includes testing for common SSL certificate verification issues, HTTPS and TLS/SSL library bugs, SSL and STARTTLS stripping issues, cleartext issues, and so on).
By releasing the tool for public use, Google is pushing to boost TLS/SSL usage.
Google says it has been using Nogotofail internally “for some time” and has worked with developers to improve the security of their apps.
Nogotofail was built by the Android Security Team. As a result, it features a client to configure the settings and get notifications on Android as well as Linux. The attack engine itself can be deployed as a router, VPN server, or proxy.
The tool requires Python 2.7 and pyOpenSSL>=0.13. It features an on-path network MiTM, designed to work on Linux machines, as well as optional clients for the devices being tested.