Slashdot Mirror


Google Releases Open Source Nogotofail Network Traffic Security Testing Tool

An anonymous reader writes: Google today introduced a new tool for testing network traffic security called Nogotofail. The company has released it as an open source project available on GitHub, meaning anyone can use it, contribute new features, provide support for more platforms, and do anything else with the end goal of helping to improve the security of the Internet. The tool's main purpose is to test whether the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations. Nogotofail works on Android, iOS, Linux, Windows, Chrome OS, OSX, and "in fact any device you use to connect to the Internet."

36 comments

  1. Words for the sake of words? by damn_registrars · · Score: 0

    Really, are there people reading slashdot who don't know what open source means? The summary could have been trimmed down a fair bit by excluding that segment.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Words for the sake of words? by Anonymous Coward · · Score: 0

      It's just a slight rephrase of Google's blog post. I wonder who the anonymous reader was.

    2. Re:Words for the sake of words? by Anonymous Coward · · Score: 0

      But it's from Google man! It's the cat's meow man! Open source is in man! Be there or be square man!

    3. Re:Words for the sake of words? by K. S. Kyosuke · · Score: 1

      That's not strictly equivalent; just because something gets released under a FLOSS license doesn't say anything about the policy of the original developers regarding outside contributions.

      --
      Ezekiel 23:20
    4. Re:Words for the sake of words? by xxxJonBoyxxx · · Score: 1

      >> just because something gets released under a FLOSS license doesn't say anything about the policy of the original developers regarding outside contributions

      ...except for the fact that anyone could fork it as "neinjumpobama" or whatever and contribute to their fork any way they see fit.

      While I see your point about explaining the original developers' intentions toward outside contributions, the way the poster explained things makes it sound like anyone can contribute features to ANYTHING on GitHub (when in fact many contributions are slapped down because the original developers aren't really open to such things).

    5. Re:Words for the sake of words? by Anonymous Coward · · Score: 0

      Look at NetHack. The code's been under a free license since forever, but that damn cathedral hasn't blessed a release in years.

  2. Nice name by StayFrosty · · Score: 1

    I can't think of a name that would poke any harder at Apple.

    --
    "Frequently wrong, never in doubt."
    1. Re:Nice name by 93 Escort Wagon · · Score: 3, Funny

      I can't think of a name that would poke any harder at Apple.

      They were afraid that "isopensslbrokenthisweek.org" would be too hard to type.

      --
      #DeleteChrome
    2. Re:Nice name by Anonymous Coward · · Score: 0

      Both have failed horribly at "privacy" of its users, and security/protecting people's privacy. They track and data mine everything they can about you, then claim they're not to blame for it. My opinion we are (really, we've always been in the US) F**k when it comes to media/press/industry/corporations/government feeding you nothing but bulls*it all the time.

      It makes me laugh anymore how the media/press try to peddle these jack-off corporations as "they have your best interests in mind", and leave out doing any REAL investigative even-keel articles over what these corporations are really up to, they also failed to do it at any government level.

    3. Re:Nice name by XanC · · Score: 1

      I thought it was hilarious how they managed to work Oracle's name into that "POODLE" flaw they found.

    4. Re:Nice name by Anonymous Coward · · Score: 0

      Howcanthatbetoohardtotype?Ithoughtwewereencouragingtheuseofpassphrases!

  3. Any device? by ArcadeMan · · Score: 4, Funny

    Nogotofail works on Android, iOS, Linux, Windows, Chrome OS, OSX, and "in fact any device you use to connect to the Internet."

    There's nothing for the e-ink Kindle nor the Nintendo DSi, you insensitive clod!

    1. Re:Any device? by Narcocide · · Score: 1

      Indeed, there doesn't seem to be support for any of Nintendo's network-enabled products, nor do I see Dreamcast or for that matter any cellphones (still being manufactured and sold, net enabled and with data plans, believe it or not) that don't run Android *or* iOS. Where is the security auditing tool for my Pantech Link II god damnit?

    2. Re:Any device? by swillden · · Score: 1

      Indeed, there doesn't seem to be support for any of Nintendo's network-enabled products, nor do I see Dreamcast or for that matter any cellphones (still being manufactured and sold, net enabled and with data plans, believe it or not) that don't run Android *or* iOS. Where is the security auditing tool for my Pantech Link II god damnit?

      If you can get your network-enabled device to talk through a router, nogotofail can test it. Which means your dumbphone is probably out, since it doesn't support Wifi and you probably don't have access to the routers in the cell towers, but the Nintendo and Dreamcast devices can be tested.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Any device? by fuzzyfuzzyfungus · · Score: 1

      They are built to be about as user-hostile as anything without the budget for really classy anti-tamper mechanisms can be; but it would be really handy if some of the little 'femtocell' devices were usable with OpenWRT-style firmware. It's hardly impossible for someone other than the telco to have a chat with your cellular modem; but the barriers to entry are very, very, steep compared to wifi, bluetooth, or ethernet links.

    4. Re:Any device? by ray-auch · · Score: 1

      Nor OpenBSD - maybe Theo told them nicely that they didn't need it :-)

  4. Github by NotInHere · · Score: 2

    It's interesting that companies that have competing products to github (codeplex, google code) release stuff on github.

    1. Re:Github by Opportunist · · Score: 1

      My guess is that it's because it's a security auditing tool. Looking around Google Code, you'll notice that a lot of auditing tools that used the platform before have moved to github.

      You may speculate over the reason.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Github by sexconker · · Score: 1

      It's probably because people actually use GitHub.
      Does Google+ have a Facebook page?

    3. Re:Github by Anonymous Coward · · Score: 0

      yes they do - https://www.facebook.com/gogleplus

    4. Re:Github by martiniturbide · · Score: 1

      That is the cool thing about Google.. they are not forced to eat their own dog food ...(with the exception of Vic Gundotra that dropped Twitter once he became Google+ leader....I wonder where is he now?)

    5. Re:Github by EETech1 · · Score: 2

      I wonder why Google did not put it in the Play Store?

      Now I need to sideload apps to be secure?

    6. Re:Github by NotInHere · · Score: 1

      It's a python tool which you run outside your android. If you ran it on your android, you needed superuser, and google wouldn't endorse that, would they?

    7. Re:Github by EETech1 · · Score: 1

      Perhaps on a Nexus device?

      I'm not sure, I've never had one (and always have root)

      I downloaded the package, and Python on my Android, but fell asleep in the docs last night.

      It would be rather interesting to do those types of tests on the wireless operators, and the various Androids in my junk drawer.

      Would running them from a tethered laptop give different results?

      Fun times ahead.

      Cheers

  5. security of network traffic and googlers by Anonymous Coward · · Score: 0

    Those fricking weirdos are walking around outside as I type. I better check the door locks.

  6. Open Source troll is best troll by Anonymous Coward · · Score: 0

    quitcher whinin', roll up your sleeves and get to work.
    Lazy taker.

  7. Does it check for MITM? by Animats · · Score: 1

    Does it have a man-in-the-middle detector? Those are rare, but useful.

    1. Re:Does it check for MITM? by hlee · · Score: 2
    2. Re:Does it check for MITM? by Animats · · Score: 2

      No, that's not a man-in-the-middle detector. It's a MITM attacker for test purposes.

    3. Re:Does it check for MITM? by hlee · · Score: 1

      It is a MITM vulnerability detector for TLS/SSL among other things, if I understand the intention of the tool correctly. If so, that's fantastic. For example, most TLS/SSL environments are susceptible to a large class of MITM attacks simply because their website exposes both HTTP and HTTPS so then you decide to enable SSL only (perhaps with HSTS) - but did you do it right? Perhaps this tool can tell you. How about testing out a new Certificate Pinning implementation that your lead developer claims will prevent 99% of MITM attacks? Most IT admins or enterprise developers do not have the mindset or sufficient know-how to set up an environment or build a system that would slow down a determined hacker much at all.

      Insofar as detecting MITM attacks... I think we'll get that for free when quantum crypto arrives. But I haven't read much literature about what you're going to do about it if you do detect a MITM attack on your data - if you simply stop using that channel or any other vulnerable channel then it seems you're now a victim of a DoS attack. Not saying detection like this isn't useful - on the contrary I think it opens up a whole new field of countering such threats, but right now it is much more useful to so many of us to have a good tool that can tell us whether we're indeed vulnerable to MITM attacks and ensure we set up our TLS/SSL environment properly.
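
The "enable SSL only (perhaps with HSTS) - but did you do it right?" question from the comment above, as an added example that is not part of the original thread and is not nogotofail code: a Python audit of one site's plain-HTTP and HTTPS responses. The function names, the 180-day `max-age` threshold and the sample responses are assumptions of this example.

```python
import re

MIN_MAX_AGE = 15552000  # 180 days; this threshold is an assumption of the example

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1)."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue
        if name in directives:
            raise ValueError("duplicate directive: " + name)
        directives[name] = arg.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        raise ValueError("max-age missing or not numeric")
    return int(directives["max-age"]), "includesubdomains" in directives

def audit(http_resp, https_resp):
    """Each response is (status, headers) with lower-cased header names."""
    findings = []
    status, headers = http_resp
    if status not in (301, 302, 307, 308) or \
            not headers.get("location", "").startswith("https://"):
        findings.append("http-not-redirected")
    if "strict-transport-security" in headers:
        findings.append("hsts-sent-over-http")   # browsers ignore it on plain HTTP
    hsts = https_resp[1].get("strict-transport-security")
    if hsts is None:
        return findings + ["hsts-missing"]
    try:
        max_age, subdomains = parse_hsts(hsts)
    except ValueError:
        return findings + ["hsts-malformed"]
    if max_age < MIN_MAX_AGE:
        findings.append("hsts-max-age-too-short")  # max-age=0 disables HSTS entirely
    if not subdomains:
        findings.append("hsts-no-includesubdomains")
    return findings

# Constructed sample responses (not captured from any real site).
GOOD = ((301, {"location": "https://example.test/"}),
        (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}))
WEAK = ((200, {"strict-transport-security": "max-age=31536000"}),
        (200, {"strict-transport-security": "max-age=300"}))

if __name__ == "__main__":
    for label, pair in (("good", GOOD), ("weak", WEAK)):
        print(label, audit(*pair))
```

An empty findings list only says the headers and redirect are in place; the first plain-HTTP request before the browser has seen the HSTS header is still unprotected unless the host is preloaded.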

    4. Re:Does it check for MITM? by complete loony · · Score: 1

      Which should highlight if the application you're using can detect the attack or not. If the software you are testing can't detect the MITM, then it's broken. If google could write a better MITM detector, then it should be implemented in the libraries used by every application. Not in a separate tool.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  8. Csit by Anonymous Coward · · Score: 0

    Just like all Google "Open Source" projects this will cease to be open once Google figures out how to monetize it, or like android will require a bunch of proprietary stuff to be useable.

  9. That is cold... by fuzzyfuzzyfungus · · Score: 1

    It must sting a bit for the guys who work on Google Code when Google releases a project on Github...

  10. Using a spy agency's tool on my networks? by AnonymousCoward1998 · · Score: 1

    No thanks...I'll pass.

  11. that's gotta hurt by slashdice · · Score: 1

    "open source project available on GitHub"

    All you need to know about google code and sourceforge. Stick a fork in it guys (no pun intended!), you're dead.

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
  12. Another tool for the script kiddies? by Anonymous Coward · · Score: 0

    Oh for fucks sake, don't tell me another tool that the script kiddies can use against the entire internet?