Mozilla releases free website security scanning service

To help webmasters better protect their websites and users, Mozilla has launched an online scanner that checks the security configuration of web servers.

The tool, dubbed Observatory, was originally built for in-house use by Mozilla security engineer April King, who then decided to improve it and make it available to everyone.

She was inspired by the SSL Server Test developed by Qualys’ SSL Labs, a widely used scanner that rates a website’s SSL/TLS configuration and flags potential weaknesses. Like the Qualys test, Observatory uses a scoring system of 0 to 100, with the possibility of bonus points, mapped to letter grades from F to A+.

Unlike the SSL Server Test, which checks only a website’s TLS implementation, Mozilla’s Observatory scans for a wide range of browser-enforced web security mechanisms, including cookie security flags, Cross-Origin Resource Sharing (CORS), Content Security Policy (CSP), HTTP Public Key Pinning, HTTP Strict Transport Security (HSTS), redirections, subresource integrity, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, and more.

The tool checks not only whether these mechanisms are present but also whether they are configured correctly. It does not, however, scan the website’s own code for vulnerabilities, a task already covered by a large number of free and commercial tools.
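As an added illustration, not Observatory’s code or its real scoring rules, the following Python checker shows the distinction drawn above between a protection header being present and being configured correctly, run over constructed weak and hardened sample responses; the rule set and the six-month HSTS threshold are assumptions chosen for the example.

```python
# Added illustration, not Observatory's own code or scoring: it tests not only
# that each protection header is present but that it is configured to protect.
# The rules and the six-month HSTS threshold are constructed for this example.
import re
from http.cookies import SimpleCookie

def check_headers(headers, set_cookies=()):
    """Return a list of findings for a dict of headers plus Set-Cookie values."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    # HSTS: present, with a max-age of at least six months (15552000 s).
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not hsts:
        findings.append("HSTS header missing")
    elif m is None or int(m.group(1)) < 15552000:
        findings.append("HSTS max-age missing or shorter than six months")

    # CSP: present, and not undone by 'unsafe-inline' in script-src.
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP header missing")
    elif any(d.strip().startswith("script-src") and "'unsafe-inline'" in d
             for d in csp.split(";")):
        findings.append("CSP allows 'unsafe-inline' in script-src")

    # Clickjacking and MIME-sniffing protections: the exact value matters.
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")

    # Cookie flags: every Set-Cookie should carry both Secure and HttpOnly.
    for raw in set_cookies:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not (morsel["secure"] and morsel["httponly"]):
                findings.append(f"cookie {name!r} lacks Secure and/or HttpOnly")
    return findings

# Constructed sample responses: a weak configuration and a hardened one.
WEAK = {"Strict-Transport-Security": "max-age=300", "X-Frame-Options": "ALLOWALL",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'"}
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "Content-Security-Policy": "default-src 'none'; script-src 'self'",
            "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff"}
WEAK_COOKIES, HARDENED_COOKIES = ["session=abc; Path=/"], ["session=abc; Secure; HttpOnly"]
```

Calling `check_headers(WEAK, WEAK_COOKIES)` reports five findings, while the hardened set returns an empty list.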

In some respects, configuring a website securely, applying all the protections browser vendors have developed in recent years, is harder than finding and patching code flaws.

“These technologies are spread over dozens of standard documents, and while individual articles may talk about them, there wasn’t one place to go for site operators to learn what each of the technologies do, how to implement them, and how important they were,” King said in one of her blog posts.

The difficulty of finding easy-to-understand resources about these security features has contributed to their low adoption rate, as shown by an Observatory scan of 1.3 million websites: only 121,984 of them achieved a passing grade.

Several of Mozilla’s own websites failed the test. For example, when it was first scanned by Observatory, addons.mozilla.org, one of Mozilla’s essential websites, received an F. Those issues have since been fixed and the site is now rated A+.

Observatory’s results are designed to be actionable: each finding links back to Mozilla’s web security guidelines, which contain descriptions as well as implementation examples, giving website administrators an easier path to understanding the issues the scan uncovers.

“Of course, the results for the Observatory may not be perfectly accurate for your site—after all, the security needs of a site like GitHub are a good deal more complicated than those of a personal blog,” King said. “By encouraging the adoption of these standards even for low-risk sites, we hope to make developers, system administrators, and security professionals around the world comfortable and familiar with them.”

Observatory’s code is open source, and it offers an API and command-line utilities for administrators who need to scan a large number of websites periodically or who wish to run scans internally.
