In order to help webmasters better protect their websites and users, Mozilla has designed an online scanner that can check whether web servers have the best security settings.
Dubbed the Observatory, the tool was originally designed for internal use by Mozilla security engineer April King, who was later encouraged to expand it and make it available worldwide.
It was inspired by the SSL Server Test from Qualys SSL Labs, a popular scanner that assesses a website’s SSL/TLS configuration and highlights potential weaknesses. Like Qualys’ scanner, Observatory uses a 0 to 100 scoring system – with the possibility of additional bonus points – which translates into ratings from F to A+.
Unlike the SSL Server Test, which only checks a website’s TLS implementation, Mozilla Observatory looks for a wide variety of web security mechanisms. These include cookie security flags, Cross-Origin Resource Sharing (CORS), Content Security Policy (CSP), HTTP Public Key Pinning, HTTP Strict Transport Security (HSTS), redirects, Subresource Integrity, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, and more.
The tool not only checks for the presence of these technologies, but also whether they are correctly implemented. What the tool does not do is check the website’s code for vulnerabilities, a capability already offered by many free and commercial tools.
In some ways, achieving a secure website configuration – using all of the defenses browser vendors have introduced in recent years – is even more difficult than finding and fixing vulnerabilities in the code.
“These technologies are spread over dozens of standards documents, and while individual articles may talk about them, there wasn’t a single place to go for site operators to learn what each of the technologies does, how to implement them and how important they were,” King said in a blog post.
This difficulty in finding easy-to-understand resources on these website security features contributed to their low adoption rate, reflected in an analysis of 1.3 million websites performed with Observatory. Only 121,984 received a passing grade.
Some of Mozilla’s websites were among those that failed the test. For example, in its first review with Observatory, addons.mozilla.org, one of the organization’s most important websites, received an F. The issues have since been resolved and the website is now rated A+.
Observatory test results are presented in a user-friendly manner with links to Mozilla’s web security guidelines, which contain descriptions and examples of implementation. This makes it easier for website administrators to understand and prioritize issues found during analysis.
“Of course, Observatory results may not be perfectly accurate for your site – after all, the security needs of a site like GitHub are far more complicated than those of a personal blog,” King said. “By encouraging adoption of these standards, even for low-risk sites, we hope developers, system administrators and security professionals around the world will be comfortable and familiar with them.”
The code behind Observatory is open source. An API and command-line tools are available for administrators who need to periodically scan a large number of websites or want to perform these scans internally.
Copyright © 2016 IDG Communications, Inc.