Stories
Slash Boxes
Comments

SoylentNews is people

Mozilla Launches Website Security Testing Tool

posted by cmn32480 on Monday August 29 2016, @05:03AM   Printer-friendly
from the will-it-be-bloated? dept.

ticho writes:

Mozilla has released a free tool that allows website developers and administrators to determine if they are using all available security technologies at their full potential.

The tool, named "Observatory," was developed by Mozilla Information Security Engineer April King in an effort to help the organization test its own domains. Observatory has now been made available to everyone along with its source code.

Observatory performs nearly a dozen tests, including Content Security Policy (CSP), Contribute.json, cookies, cross-origin resource sharing (CORS), HTTP Public Key Pinning (HPKP), HTTP Strict Transport Security (HSTS), redirections, subresource integrity, and X-Content-Type-Options, X-Frame-Options and X-XSS-Protection headers.

[...] "Observatory is currently a very developer-focused tool, and its grading is set very aggressively to promote best practices in web security. So if your site fails Observatory's tests, don't panic — just take a look at its recommendations and consider implementing them to make your site more secure," King said.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Mozilla Launches Website Security Testing Tool | Log In/Create an Account | Top | 17 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by NCommander on Monday August 29 2016, @12:51PM

    by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Monday August 29 2016, @12:51PM (#394632) Homepage Journal

    What's rather depressing about Mozilla is of the three-major browsers, they're the only one that really seems to take web security seriously at all. Chrome for instance doesn't check for SSL revocated certificates due to performance reasons, opting for a very non-standard CRLSet implementation, and ignoring 99% of all real revocations. They've also drafted work towards OCSP-Must-Staple. That being said, they've weakened their views a lot, they backtracked from implementing DANE support in the browser, as well as backing way from implementing opportunistic encryption*

    Citation: https://www.grc.com/revocation/crlsets.htm [grc.com]

    For awhile, I could load https://revoked.grc.com [grc.com] without error in Chrome. It only recently got put back into the CRLSet.

    * - though I can see technical reasons on why they may have decided to abandon this but I can't find any official word or even mention of them

    (Microsoft on the other hand is determined only to support new ciphers and encryption protocols as part of Windows major releases, and frequently ships them disabled. Windows 7-8.1 supports TLS 1.1/1.2 out of the box, but you have to enable it as part of the registry. TLS 1.0/1.1 would be dead if Microsoft would release an update retroactively enabling it on older Windows.)

    --
    Still always moving
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2