Mozilla Releases “Observatory,” a Website Security Scanner

The free tool checks a site’s SSL configuration and more.

April King, a security engineer at Mozilla, has created a free tool for scanning the security configuration of websites. The tool, named Observatory, was created to help system administrators and developers assess and understand how to implement modern security standards.

Observatory grades websites on which security technologies they implement and how well they implement them. Sites are assigned a score, from an A+ to an F, and each factor is individually broken out to explain what needs to be improved. More than a dozen security technologies are tested, including the site’s SSL/TLS configuration, HTTP headers, use of secure cookies, public key pinning (HPKP), content security policy (CSP) and more. All you have to do is enter your site’s URL; automated tests then assess all of these factors and show how you can improve (or implement) them.

One of the key goals of Observatory is to educate. In a blog post on her personal site, King wrote, “there wasn’t one place to go for site operators to learn what each of the technologies do, how to implement them, and how important they were.”

Now there is.

Each test in Observatory includes links to Mozilla documentation and guides to help admins improve their site’s configurations, and all the technical jargon is explained through tooltips.

King was also inspired to create the tool after seeing how few websites are implementing modern security technologies: “Observatory has been used to scan over 1.3 million websites so far, and 91% of them don’t take advantage of modern security advances. These aren’t tiny sites either; among these 1.3 million websites are some of the most popular websites in the world.”

Observatory integrates well-known third-party scanning tools such as:

  • hsts.preload.appspot.com (a tool used to manage the HSTS preload list)
  • securityheaders.io (for testing HTTP headers)
  • tls.imirhil.fr (tests configured SSL/TLS cipher suites)

If you are familiar with SSL, you likely know SSL Labs (by Ivan Ristic and Qualys), the most popular tool for testing your site’s SSL configuration, and one that we strongly endorse. Observatory by Mozilla is a great companion to SSL Labs, and they have surprisingly little overlap in functionality.

Observatory performs a basic assessment of your SSL/TLS configuration. SSL Labs provides much more depth on SSL/TLS issues, including any problems with your site’s certificate chain, vulnerability to known attacks, and which user agents are unable to connect to your site. If you have the time (and curiosity), you should use both tools to get the best picture of your site’s security.

Observatory is available now, so start scanning for free! It’s maintained as an open-source project on GitHub and includes a command-line interface utility.