
Google Releases Open Source Nogotofail Network Traffic Security Testing Tool

An anonymous reader writes: Google today introduced a new tool for testing network traffic security called Nogotofail. The company has released it as an open source project available on GitHub, meaning anyone can use it, contribute new features, provide support for more platforms, and do anything else with the end goal of helping to improve the security of the Internet. The tool's main purpose is to test whether the devices or applications you are using are safe against known TLS/SSL vulnerabilities and misconfigurations. Nogotofail works on Android, iOS, Linux, Windows, Chrome OS, OSX, and "in fact any device you use to connect to the Internet."
  • Really, are there people reading slashdot who don't know what open source means? The summary could have been trimmed down a fair bit by excluding that segment.
    • That's not strictly equivalent; just because something gets released under a FLOSS license doesn't say anything about the policy of the original developers regarding outside contributions.
      • >> just because something gets released under a FLOSS license doesn't say anything about the policy of the original developers regarding outside contributions ...except for the fact that anyone could fork it as "neinjumpobama" or whatever and contribute to their fork any way they see fit.

        While I see your point about explaining the original developers' intentions toward outside contributions, the way the poster explained things makes it sound like anyone can contribute features to ANYTHING on GitHub (w

  • I can't think of a name that would poke any harder at Apple.

  • Any device? (Score:5, Funny)

    by ArcadeMan ( 2766669 ) on Tuesday November 04, 2014 @04:38PM (#48313233)

    Nogotofail works on Android, iOS, Linux, Windows, Chrome OS, OSX, and "in fact any device you use to connect to the Internet."

    There's nothing for the e-ink Kindle nor the Nintendo DSi, you insensitive clod!

    • Indeed, there doesn't seem to be support for any of Nintendo's network-enabled products, nor do I see Dreamcast or for that matter any cellphones (still being manufactured and sold, net enabled and with data plans, believe it or not) that don't run Android *or* iOS. Where is the security auditing tool for my Pantech Link II [pantechusa.com] god damnit?

      • Indeed, there doesn't seem to be support for any of Nintendo's network-enabled products, nor do I see Dreamcast or for that matter any cellphones (still being manufactured and sold, net enabled and with data plans, believe it or not) that don't run Android *or* iOS. Where is the security auditing tool for my Pantech Link II [pantechusa.com] god damnit?

        If you can get your network-enabled device to talk through a router, nogotofail can test it. Which means your dumbphone is probably out, since it doesn't support Wifi and you probably don't have access to the routers in the cell towers, but the Nintendo and Dreamcast devices can be tested.

        • They are built to be about as user-hostile as anything without the budget for really classy anti-tamper mechanisms can be; but it would be really handy if some of the little 'femtocell' devices were usable with OpenWRT-style firmware. It's hardly impossible for someone other than the telco to have a chat with your cellular modem; but the barriers to entry are very, very, steep compared to wifi, bluetooth, or ethernet links.
    • Nor OpenBSD - maybe Theo told them nicely that they didn't need it :-)

  • by NotInHere ( 3654617 ) on Tuesday November 04, 2014 @04:46PM (#48313291)

    It's interesting that companies that have competing products to github (codeplex, google code) release stuff on github.

    • My guess is that it's because it's a security auditing tool. Looking around Google Code, you'll notice that a lot of auditing tools that used the platform before have moved to github.

      You may speculate over the reason.

    • It's probably because people actually use GitHub.
      Does Google+ have a Facebook page?

    • That is the cool thing about Google.. they are not forced to eat their own dog food ...(with the exception of Vic Gundotra that dropped Twitter once he became Google+ leader [businessinsider.com]....I wonder where is he now?)
    • I wonder why Google did not put it in the Play Store?

      Now I need to sideload apps to be secure?

      • It's a Python tool which you run outside your android. If you ran it on your android, you needed superuser, and google wouldn't endorse that, would they?

        • Perhaps on a Nexus device?

          I'm not sure, I've never had one (and always have root)

          I downloaded the package, and Python on my Android, but fell asleep in the docs last night.

          It would be rather interesting to do those types of tests on the wireless operators, and the various Androids in my junk drawer.

          Would running them from a tethered laptop give different results?

          Fun times ahead.

          Cheers

  • Does it have a man-in-the-middle detector? Those are rare, but useful.

    • by hlee ( 518174 )

      Yes, according to https://github.com/google/nogo... [github.com]

      • by Animats ( 122034 )

        No, that's not a man-in-the-middle detector. It's a MITM attacker for test purposes.

        • by hlee ( 518174 )

          It is a MITM vulnerability detector for TLS/SSL among other things, if I understand the intention of the tool correctly. If so, that's fantastic. For example, most TLS/SSL environments are susceptible to a large class of MITM attacks simply because their website exposes both HTTP and HTTPS so then you decide to enable SSL only (perhaps with HSTS) - but did you do it right? Perhaps this tool can tell you. How about testing out a new Certificate Pinning implementation that your lead developer claims will prev
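
An added example, not part of the thread and not nogotofail code: a passive check of the "SSL only (perhaps with HSTS) - but did you do it right?" question raised in the comment above, applying RFC 6797 rules to constructed sample responses. The finding labels, the sample host and the 180-day `MIN_MAX_AGE` floor are assumptions of this sketch.

```python
import re

MIN_MAX_AGE = 15552000  # assumed policy floor (180 days), not from the thread
# Constructed sample responses for a hypothetical site: (scheme, status, headers)
SAMPLES = [
    ("http", 200, {"Content-Type": "text/html"}),
    ("http", 301, {"Location": "https://example.test/",
                   "Strict-Transport-Security": "max-age=31536000"}),
    ("https", 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    ("https", 200, {"Strict-Transport-Security": "max-age=300"}),
    ("https", 200, {}),
]

def parse_hsts(value):
    """Parse an HSTS header value; return None if a client would ignore it."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in directives:      # RFC 6797 6.1: each directive at most once
            return None
        directives[name] = val.strip().strip('"')
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None                 # max-age is required and must be numeric
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

def audit(scheme, status, headers):
    """Return findings (hypothetical labels) for one observed response."""
    h = {k.lower(): v for k, v in headers.items()}
    sts = h.get("strict-transport-security")
    if scheme == "http":
        findings = []
        to_https = h.get("location", "").lower().startswith("https://")
        if not (status in (301, 302, 307, 308) and to_https):
            findings.append("http-not-redirected-to-https")
        if sts is not None:         # clients ignore HSTS received over plain HTTP
            findings.append("hsts-sent-over-http-ignored")
        return findings
    if sts is None:
        return ["hsts-missing"]
    policy = parse_hsts(sts)
    if policy is None:
        return ["hsts-invalid"]
    if policy["max_age"] < MIN_MAX_AGE:  # includes max-age=0, which clears the policy
        return ["hsts-max-age-too-short"]
    return []
```

A clean result here only says the server advertises the policy correctly; whether a given client actually rejects a bad certificate still has to be tested on-path.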

        • Which should highlight if the application you're using can detect the attack or not. If the software you are testing can't detect the MITM, then it's broken. If google could write a better MITM detector, then it should be implemented in the libraries used by every application. Not in a separate tool.
  • It must sting a bit for the guys who work on Google Code [google.com] when Google releases a project on Github...
  • "open source project available on GitHub"

    All you need to know about google code and sourceforge. Stick a fork in it guys (no pun intended!), you're dead.
