There's a lot more DNS noise than actual outgoing connections. I suspect it would save time if we only ran testssl for real observed connections. So, I propose:
1. Watch for DNS answers (UDP port 53 incoming), and cache IP => domain.
2. Watch, simultaneously, for HTTPS (TCP port 443).
   a. Look up the domain name for this connection from the DNS cache.
   b. We have to assume that the most recent DNS answer goes with the most recent HTTPS connection. We could maybe make this more accurate by caching (LAN IP, remote IP) => domain instead.
3. Run testssl on this domain.
I also suggest that we watch for HTTP (tcp port 80) -- which is in the clear, so we can straight up sniff their content -- and flag everything that doesn't immediately HTTP 302 their content to the HTTPS version of the same site.
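A sketch of the DNS-to-connection correlation and the port-80 check, as added example code (mine, not from this thread or the project). It assumes the sniffer already hands us parsed DNS replies and outbound TCP SYNs as the records below; the cache keys on (LAN IP, remote IP) as suggested in 2b and falls back to remote IP alone, and the redirect check accepts 301/307/308 as well as 302, which is my generalization of the proposal.

```python
from collections import namedtuple
from urllib.parse import urlsplit
DnsAnswer = namedtuple("DnsAnswer", "ts client_ip name ip")    # sniffed UDP/53 A reply
TcpConn = namedtuple("TcpConn", "ts src_ip dst_ip dst_port")  # sniffed outbound TCP SYN

class DnsCache:
    """(LAN IP, remote IP) -> name, falling back to remote IP alone; keeps two LAN
    hosts that resolved different names to one shared IP distinct."""
    def __init__(self, ttl=300.0):
        self.ttl, self.by_pair, self.by_ip = ttl, {}, {}
    def add(self, a):
        self.by_pair[(a.client_ip, a.ip)] = self.by_ip[a.ip] = (a.ts, a.name)
    def lookup(self, c):
        hit = self.by_pair.get((c.src_ip, c.dst_ip)) or self.by_ip.get(c.dst_ip)
        return hit[1] if hit and c.ts - hit[0] <= self.ttl else None  # stale: don't guess

def https_targets(events):
    """Domains behind real port-443 connections, first-seen order, no repeats."""
    cache, found = DnsCache(), []
    for ev in sorted(events, key=lambda e: e.ts):
        if isinstance(ev, DnsAnswer):
            cache.add(ev)
        elif ev.dst_port == 443:
            name = cache.lookup(ev)
            if name and name not in found:
                found.append(name)
    return found

def missing_https_redirect(host, response):
    """True when a cleartext port-80 reply is not a redirect to https:// on host."""
    head = response.partition(b"\r\n\r\n")[0].decode("latin-1")
    status, *headers = head.split("\r\n")
    parts = status.split(" ")
    if len(parts) < 2 or parts[1] not in ("301", "302", "307", "308"):
        return True
    for h in headers:
        k, _, v = h.partition(":")
        if k.strip().lower() == "location":
            u = urlsplit(v.strip())
            return not (u.scheme == "https" and u.hostname == host.lower())
    return True  # a redirect with no Location header

SAMPLE = [  # constructed capture, not real traffic: two LAN hosts share one remote IP
    DnsAnswer(1.0, "10.0.0.5", "example.com", "93.184.216.34"),
    DnsAnswer(1.2, "10.0.0.7", "other.test", "93.184.216.34"),
    DnsAnswer(1.5, "10.0.0.5", "tracker.test", "203.0.113.9"),  # resolved, never connected
    TcpConn(2.0, "10.0.0.5", "93.184.216.34", 443),
    TcpConn(2.1, "10.0.0.7", "93.184.216.34", 443),
    TcpConn(2.2, "10.0.0.5", "93.184.216.34", 443),  # repeat connection, scanned once
]
```

With an IP-only cache the first connection from 10.0.0.5 would be attributed to other.test (the most recent answer for that IP), which is exactly the misattribution the (LAN IP, remote IP) key avoids.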