Google had announced that Chrome would begin distrusting certificates issued by Symantec Corporation’s PKI and the decision is followed by other major browsers.
These are the certificates by Thawte, VeriSign, Equifax, GeoTrust, and RapidSSL that are issued before 1st of December 2017.
And, as the distrust is in effect and visitors are displayed an error on these websites (like ERR_CERT_SYMANTEC_LEGACY), Uptime Robot’s SSL monitoring feature now also considers these errors as a reason for downtime.
Such downtimes are displayed as “Distrusted Certificate” in the dashboard and the feature is live in the Pro Plan.
HTTPs is becoming the “default” for any website whether it is a blog, portal, e-commerce or corporate one.
However, a website with an SSL certificate requires an extra layer of monitoring, “making sure the SSL works as expected”, as a certificate:
- can expire
- can produce errors (host mismatch, use insecure protocols like SSLv3..).
Introducing SSL monitoring
The Pro Plan now monitors such cases and lets you know:
- when the SSL certificate has errors including:
- host mis-match
- forcing insecure protocol (like SSLv2 or SSLv3)
- and when the SSL certificate is getting close to expiry date (when 30, 15, 7 and 1 day is left) so that you can renew it in advance.
Note: “mixed-content SSL warnings and revoked certificates” are currently not supported.
The feature is available by default for all HTTP and keyword monitors whose URLs start with “https”.
Customizing its usage
It is possible to:
- disable SSL monitoring and/or “ignore SSL errors” for selected monitors from the “Add/Edit Monitor dialogs”. This is handy if the website uses a self-signed certificate.
- choose which alert contacts will get “SSL expiry notifications” from the “My Settings>Alert Contacts>Add/Edit Alert Contact dialogs”.
- By default, all alert contact types except “SMS, mobile Push, Pushbullet, Boxcar and Pushover” are enabled considering they are non-intrusive.
Important info: The feature will become active by 20 September 2017 to make sure any customization can be performed in advance.
Excited to have this feature being available and hope that it helps for a better uptime :).
Update (24 Oct 2017)
Thanks to all the feedback received, we have applied a set of updates to make sure that this feature is easy-to-use and functional for everyone:
- a certificate being self-signed is no more a reason for it to be detected as “down”
- monitors with IP-based URLs (like https://18.104.22.168) are not checked for SSL errors
- expiration notifications for certificates by Let’s Encrypt and Cloudflare are only triggered if 3 days or less are left for expiry as these certificates are mostly auto-renewed close to the expiry date.
- ssl settings for all monitors can be changed in bulk using the bulk actions dialog (can be found just under the “Add Monitor button”).
You’ll remember that SSL 3.0 is no longer secure since October 2014 with the discovery of Poodle attack. And, it is also disabled by default on all popular browsers.
On the other hand, there are still a small number of websites that support SSL 3.0 (which must definitely be disabled).
Starting tomorrow (6 April 2016), we’ll also be dropping support on sending SSL 3.0 compatible requests which will make the monitoring “not function” for those websites (a website’s SSL 3.0 support can be checked from SSL Labs).
Once Uptime Robot detects that a website requires SSL 3.0 for HTTPs communication, it’ll not mark the monitor as down but pause it and notify the user via e-mail with the information for taking action.
P.S> Disable SSLv3 is a nice website that shares “web server specific information” regarding “how to disable SSL 3.0″