Mozilla Releases “Observatory,” a Website Security Scanner
The free tool checks a site’s SSL configuration and more.
April King, a security engineer at Mozilla, has created a free tool for scanning the security configuration of websites. The tool, named Observatory, was created to help system administrators and developers assess and understand how to implement modern security standards.
Observatory grades websites on what security technologies they implement, and how well they do it. Sites are assigned a score, from an A+ to an F, and each factor is individually broken out to explain what needs to be improved. More than a dozen security technologies are tested, including the site’s SSL/TLS configuration, HTTP headers, use of secure cookies, public key pinning (HPKP), content security policy (CSP) and more. All you have to do is enter your site’s URL; automated tests then assess all of these factors and show how you can improve (or implement) them.
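To make the kinds of checks listed above concrete, here is an added sketch (not Observatory's code, and not its scoring rules) that audits a set of response headers for HSTS, CSP and cookie flags. The sample headers, the `audit` function and the six-month HSTS threshold are assumptions made for this illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
]
MIN_HSTS_AGE = 15768000  # assumed threshold (six months, in seconds)


def audit(headers):
    """Return findings for a list of (name, value) response header pairs."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    # HSTS: present, with a max-age at or above the assumed threshold.
    hsts = by_name.get("strict-transport-security")
    if not hsts:
        findings.append("hsts: header missing")
    else:
        parts = [p.strip().lower() for p in hsts[0].split(";")]
        age = next((p[8:].strip('"') for p in parts if p.startswith("max-age=")), "")
        if not age.isdigit() or int(age) < MIN_HSTS_AGE:
            findings.append("hsts: max-age missing or below threshold")

    # CSP: present, and script sources do not allow inline script.
    csp = by_name.get("content-security-policy")
    if not csp:
        findings.append("csp: header missing")
    else:
        for directive in csp[0].split(";"):
            tokens = directive.lower().split()
            if tokens[:1] in (["default-src"], ["script-src"]) and "'unsafe-inline'" in tokens:
                findings.append(f"csp: {tokens[0]} allows 'unsafe-inline'")

    # Cookies: report any cookie set without Secure or HttpOnly.
    for raw in by_name.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(raw)
        for cookie_name, morsel in jar.items():
            for flag in ("secure", "httponly"):
                if not morsel[flag]:
                    findings.append(f"cookie {cookie_name}: missing {flag}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HEADERS)))
```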
One of the key goals of Observatory is to educate. In a blog post on her personal site, King wrote “there wasn’t one place to go for site operators to learn what each of the technologies do, how to implement them, and how important they were.”
Now there is.
Each test in Observatory includes links to Mozilla documentation and guides to help admins improve their site’s configurations, and all the technical jargon is explained through tooltips.
King was also inspired to create the tool after seeing how few websites are implementing modern security technologies: “Observatory has been used to scan over 1.3 million websites so far, and 91% of them don’t take advantage of modern security advances. These aren’t tiny sites either; among these 1.3 million websites are some of the most popular websites in the world.”
Observatory integrates well-known third-party scanning tools such as:
- hsts.preload.appspot.com (a tool used to manage the HSTS preload list)
- securityheaders.io (for testing HTTP headers)
- tls.imirhil.fr (tests configured SSL/TLS cipher suites)
If you are familiar with SSL, you likely know SSL Labs (by Ivan Ristic and Qualys), the most popular tool for testing your site’s SSL configuration, and one that we strongly endorse. Observatory by Mozilla is a great companion to SSL Labs, and they have surprisingly little overlap in functionality.
Observatory performs a basic assessment of your SSL/TLS configuration. SSL Labs provides much more depth on SSL/TLS issues, including any problems with your site’s certificate chain, vulnerability to known attacks, or which user agents are unable to connect to your site. If you have the time (and curiosity), you should use both tools to get the best picture of your site’s security.
Observatory is available now, so start scanning for free! It’s maintained as an open-source project on GitHub and includes a command-line interface utility.