Slashdot Mirror


Google Releases Open Source Nogotofail Network Traffic Security Testing Tool

An anonymous reader writes: Google today introduced a new tool for testing network traffic security called Nogotofail. The company has released it as an open source project available on GitHub, meaning anyone can use it, contribute new features, provide support for more platforms, and do anything else with the end goal of helping to improve the security of the Internet. The tool's main purpose is to test whether the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations. Nogotofail works on Android, iOS, Linux, Windows, Chrome OS, OSX, and "in fact any device you use to connect to the Internet."


  1. Nice name by StayFrosty · · Score: 1

    I can't think of a name that would poke any harder at Apple.

    --
    "Frequently wrong, never in doubt."
    1. Re:Nice name by 93+Escort+Wagon · · Score: 3, Funny

      I can't think of a name that would poke any harder at Apple.

      They were afraid that "isopensslbrokenthisweek.org" would be too hard to type.

      --
      #DeleteChrome
    2. Re:Nice name by XanC · · Score: 1

      I thought it was hilarious how they managed to work Oracle's name into that "POODLE" flaw they found.

  2. Any device? by ArcadeMan · · Score: 4, Funny

    Nogotofail works on Android, iOS, Linux, Windows, Chrome OS, OSX, and "in fact any device you use to connect to the Internet."

    There's nothing for the e-ink Kindle nor the Nintendo DSi, you insensitive clod!

    1. Re:Any device? by Narcocide · · Score: 1

      Indeed, there doesn't seem to be support for any of Nintendo's network-enabled products, nor do I see Dreamcast or for that matter any cellphones (still being manufactured and sold, net enabled and with data plans, believe it or not) that don't run Android *or* iOS. Where is the security auditing tool for my Pantech Link II god damnit?

    2. Re:Any device? by swillden · · Score: 1

      Indeed, there doesn't seem to be support for any of Nintendo's network-enabled products, nor do I see Dreamcast or for that matter any cellphones (still being manufactured and sold, net enabled and with data plans, believe it or not) that don't run Android *or* iOS. Where is the security auditing tool for my Pantech Link II god damnit?

      If you can get your network-enabled device to talk through a router, nogotofail can test it. Which means your dumbphone is probably out, since it doesn't support Wifi and you probably don't have access to the routers in the cell towers, but the Nintendo and Dreamcast devices can be tested.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Any device? by fuzzyfuzzyfungus · · Score: 1

      They are built to be about as user-hostile as anything without the budget for really classy anti-tamper mechanisms can be; but it would be really handy if some of the little 'femtocell' devices were usable with OpenWRT-style firmware. It's hardly impossible for someone other than the telco to have a chat with your cellular modem; but the barriers to entry are very, very, steep compared to wifi, bluetooth, or ethernet links.

    4. Re:Any device? by ray-auch · · Score: 1

      Nor OpenBSD - maybe Theo told them nicely that they didn't need it :-)

  3. Github by NotInHere · · Score: 2

    It's interesting that companies that have competing products to github (codeplex, google code) release stuff on github.

    1. Re:Github by Opportunist · · Score: 1

      My guess is that it's because it's a security auditing tool. Looking around Google Code, you'll notice that a lot of auditing tools that used the platform before have moved to github.

      You may speculate over the reason.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Github by sexconker · · Score: 1

      It's probably because people actually use GitHub.
      Does Google+ have a Facebook page?

    3. Re:Github by martiniturbide · · Score: 1

      That is the cool thing about Google.. they are not forced to eat their own dog food ...(with the exception of Vic Gundotra that dropped Twitter once he became Google+ leader....I wonder where is he now?)

    4. Re:Github by EETech1 · · Score: 2

      I wonder why Google did not put it in the Play Store?

      Now I need to sideload apps to be secure?

    5. Re:Github by NotInHere · · Score: 1

      It's a python tool which you run outside your android. If you ran it on your android, you would need superuser, and google wouldn't endorse that, would they?

    6. Re:Github by EETech1 · · Score: 1

      Perhaps on a Nexus device?

      I'm not sure, I've never had one (and always have root)

      I downloaded the package, and Python on my Android, but fell asleep in the docs last night.

      It would be rather interesting to do those types of tests on the wireless operators, and the various Androids in my junk drawer.

      Would running them from a tethered laptop give different results?

      Fun times ahead.

      Cheers

  4. Re:Words for the sake of words? by K.+S.+Kyosuke · · Score: 1

    That's not strictly equivalent; just because something gets released under a FLOSS license doesn't say anything about the policy of the original developers regarding outside contributions.

    --
    Ezekiel 23:20
  5. Re:Words for the sake of words? by xxxJonBoyxxx · · Score: 1

    >> just because something gets released under a FLOSS license doesn't say anything about the policy of the original developers regarding outside contributions

    ...except for the fact that anyone could fork it as "neinjumpobama" or whatever and contribute to their fork any way they see fit.

    While I see your point about explaining the original developers' intentions toward outside contributions, the way the poster explained things makes it sound like anyone can contribute features to ANYTHING on GitHub (when in fact many contributions are slapped down because the original developers aren't really open to such things).

  6. Does it check for MITM? by Animats · · Score: 1

    Does it have a man-in-the-middle detector? Those are rare, but useful.

    1. Re:Does it check for MITM? by hlee · · Score: 2
    2. Re:Does it check for MITM? by Animats · · Score: 2

      No, that's not a man-in-the-middle detector. It's a MITM attacker for test purposes.

    3. Re:Does it check for MITM? by hlee · · Score: 1

      It is a MITM vulnerability detector for TLS/SSL among other things, if I understand the intention of the tool correctly. If so, that's fantastic. For example, most TLS/SSL environments are susceptible to a large class of MITM attacks simply because their website exposes both HTTP and HTTPS so then you decide to enable SSL only (perhaps with HSTS) - but did you do it right? Perhaps this tool can tell you. How about testing out a new Certificate Pinning implementation that your lead developer claims will prevent 99% of MITM attacks? Most IT admins or enterprise developers do not have the mindset or sufficient know-how to set up an environment or build a system that would slow down a determined hacker much at all.

      Insofar as detecting MITM attacks... I think we'll get that for free when quantum crypto arrives. But I haven't read much literature about what you're going to do about it if you do detect a MITM attack on your data - if you simply stop using that channel or any other vulnerable channel then it seems you're now a victim of a DoS attack. Not saying detection like this isn't useful - on the contrary I think it opens up a whole new field of countering such threats, but right now it is much more useful to so many of us to have a good tool that can tell us whether we're indeed vulnerable to MITM attacks and ensure we set up our TLS/SSL environment properly.
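The "enable SSL only (perhaps with HSTS), but did you do it right?" question in the comment above can be checked from response headers alone. The following is an added example, not part of the thread and not nogotofail's code; the host name, the sample responses, the lowercase header keys and the `MIN_MAX_AGE` floor are all constructed assumptions.

```python
# Added example: audit an "HTTPS only + HSTS" rollout from captured response headers.
from urllib.parse import urlsplit

MIN_MAX_AGE = 15552000  # 180 days; assumed policy floor, not a value from the thread

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()      # directive names are case-insensitive
        if name in directives:           # a repeated directive invalidates the header
            return None
        directives[name] = arg.strip().strip('"')
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):  # max-age is mandatory
        return None
    directives["max-age"] = int(max_age)
    return directives

def audit(http_resp, https_resp):
    """Return findings for one host's plain-HTTP and HTTPS responses."""
    findings = []
    location = http_resp["headers"].get("location", "")
    redirected = http_resp["status"] in (301, 302, 307, 308)
    if not redirected or urlsplit(location).scheme != "https":
        findings.append("http endpoint does not redirect to https")
    if "strict-transport-security" in http_resp["headers"]:
        findings.append("HSTS sent over plain http is ignored by browsers")
    raw = https_resp["headers"].get("strict-transport-security")
    policy = parse_hsts(raw) if raw is not None else None
    if raw is None:
        findings.append("https response has no HSTS header")
    elif policy is None:
        findings.append("HSTS header is malformed")
    else:
        if policy["max-age"] < MIN_MAX_AGE:
            findings.append("HSTS max-age %d is below floor" % policy["max-age"])
        if "includesubdomains" not in policy:
            findings.append("HSTS does not cover subdomains")
    return findings

# Constructed samples: WEAK still serves content over HTTP with a 5-minute policy.
WEAK = ({"status": 200, "headers": {}},
        {"status": 200, "headers": {"strict-transport-security": "max-age=300"}})
GOOD = ({"status": 301, "headers": {"location": "https://shop.example/"}},
        {"status": 200, "headers": {"strict-transport-security":
                                    "max-age=31536000; includeSubDomains"}})
```

`audit(*WEAK)` reports three findings and `audit(*GOOD)` reports none; a header check like this only confirms the server's policy, not how a given client behaves when the connection is intercepted.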

    4. Re:Does it check for MITM? by complete+loony · · Score: 1

      Which should highlight if the application you're using can detect the attack or not. If the software you are testing can't detect the MITM, then it's broken. If google could write a better MITM detector, then it should be implemented in the libraries used by every application. Not in a separate tool.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  7. That is cold... by fuzzyfuzzyfungus · · Score: 1

    It must sting a bit for the guys who work on Google Code when Google releases a project on Github...

  8. Using a spy agency's tool on my networks? by AnonymousCoward1998 · · Score: 1

    No thanks...I'll pass.

  9. that's gotta hurt by slashdice · · Score: 1

    "open source project available on GitHub"

    All you need to know about google code and sourceforge. Stick a fork in it guys (no pun intended!), you're dead.

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.