Mozilla has released a free tool that allows website developers and administrators to determine if they are using all available security technologies at their full potential.
The tool, named "Observatory," was developed by Mozilla Information Security Engineer April King in an effort to help the organization test its own domains. Observatory has now been made available to everyone along with its source code.
Observatory performs nearly a dozen tests, including Content Security Policy (CSP), Contribute.json, cookies, cross-origin resource sharing (CORS), HTTP Public Key Pinning (HPKP), HTTP Strict Transport Security (HSTS), redirections, subresource integrity, and X-Content-Type-Options, X-Frame-Options and X-XSS-Protection headers.
[...] "Observatory is currently a very developer-focused tool, and its grading is set very aggressively to promote best practices in web security. So if your site fails Observatory's tests, don't panic — just take a look at its recommendations and consider implementing them to make your site more secure," King said.
(Score: 4, Touché) by KritonK on Monday August 29 2016, @07:21AM
...and it failed:
Host: mozilla.org
Scan ID #: 1483465
Test Time: August 29, 2016 9:45 AM
Test Duration: 3 seconds
Score: 40/100
Tests Passed: 5/11
Perhaps they should use the Mozilla “Modern” TLS configuration, whatever that is, as the test itself suggests.
(Score: 2) by Username on Monday August 29 2016, @09:26AM
I for one fully expected that. They railed all their good people out of the company, and always seem to throw their dev money at feminist charities.
PS: I set a static dns route to loopback for that address because for some reason my Firefox auto updates itself event when that option is turned off. No reason to go to that site anyway, documentation when it exists is horrendously out of date or just plain wrong.
(Score: 2) by NCommander on Monday August 29 2016, @12:51PM
What's rather depressing about Mozilla is of the three-major browsers, they're the only one that really seems to take web security seriously at all. Chrome for instance doesn't check for SSL revocated certificates due to performance reasons, opting for a very non-standard CRLSet implementation, and ignoring 99% of all real revocations. They've also drafted work towards OCSP-Must-Staple. That being said, they've weakened their views a lot, they backtracked from implementing DANE support in the browser, as well as backing way from implementing opportunistic encryption*
Citation: https://www.grc.com/revocation/crlsets.htm [grc.com]
For awhile, I could load https://revoked.grc.com [grc.com] without error in Chrome. It only recently got put back into the CRLSet.
* - though I can see technical reasons on why they may have decided to abandon this but I can't find any official word or even mention of them
(Microsoft on the other hand is determined only to support new ciphers and encryption protocols as part of Windows major releases, and frequently ships them disabled. Windows 7-8.1 supports TLS 1.1/1.2 out of the box, but you have to enable it as part of the registry. TLS 1.0/1.1 would be dead if Microsoft would release an update retroactively enabling it on older Windows.)
Still always moving