Mozilla has released a new tool called Observatory that site owners can use to scan their sites and assess their implementation of various security technologies, from HTTPS to public key pinning to cross-site scripting protections.
Mozilla built Observatory as an internal tool to help improve the security of the company’s own sites, which number in the thousands. April King, a security engineer at Mozilla, designed the tool and improved it over time as it was used against Mozilla’s internal sites, many of which did not fare very well in the tests. The tool assigns an overall grade to each site, from A+ to F, based on how many site security technologies each site implements and how good the implementations are.
King said that more than 1.3 million sites have been scanned by Observatory, and more than 1.2 million of them got a failing grade.
“The Observatory performs a multitude of checks across roughly a dozen tests. You may not have heard of many of them, and that’s because their documentation is spread across thousands of articles, hundreds of websites, and dozens of specifications. In fact, despite some of these standards being old enough to have children, their usage rate amongst the internet’s million most popular websites ranges from 30% for HTTPS all the way down to a depressingly low .005% for Content Security Policy,” King said in a post announcing Observatory’s release.
“Each test you run with the Observatory not only tells you how well you’ve implemented a given standard, but it links back to Mozilla’s single-page web security guidelines, which have descriptions, reasonings, and implementation examples for every test. You can use these guidelines in concert with Observatory scans to continuously improve and monitor the state of your website. For administrators who have lots of sites to test or developers who want to integrate it into their development process, we offer both an API and command-line tools.”
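To make concrete what a scan of this kind looks at, here is an added example that audits a site's scheme and response headers for a handful of the standards named above (HTTPS, HSTS, Content Security Policy, framing and MIME-sniffing protections). It is not Observatory's code or its actual scoring; the checks, thresholds and letter scale are this example's own assumptions, and the two sample sites are constructed.

```python
import re
# Constructed sample responses (scheme plus response headers), not real scan data.
GOOD_SITE = {
    "scheme": "https",
    "headers": {
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; object-src 'none'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
    },
}
WEAK_SITE = {"scheme": "http", "headers": {"Server": "nginx"}}

def hsts_max_age(value):
    """Parse max-age from an HSTS header value; 0 if absent or malformed."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0

def csp_is_restrictive(value):
    """Require a CSP with a default-src fallback and no unsafe-inline/unsafe-eval."""
    v = value.lower()
    return "default-src" in v and "'unsafe-inline'" not in v and "'unsafe-eval'" not in v

def audit(site):
    """Run each check (assumed set, not Observatory's); return {check_name: passed}."""
    h = {k.lower(): v for k, v in site["headers"].items()}
    https = site["scheme"] == "https"
    return {
        "https": https,
        # HSTS only means something on an HTTPS site; require roughly six months.
        "hsts": https and hsts_max_age(h.get("strict-transport-security", "")) >= 15552000,
        "csp": csp_is_restrictive(h.get("content-security-policy", "")),
        "x-frame-options": h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"),
        "x-content-type-options": h.get("x-content-type-options", "").lower() == "nosniff",
    }

def grade(site):
    """Letter grade from the fraction of checks passed (example scale, not Observatory's)."""
    results = audit(site)
    score = sum(results.values()) / len(results)
    for letter, cutoff in (("A", 1.0), ("B", 0.8), ("C", 0.6), ("D", 0.4)):
        if score >= cutoff:
            return letter
    return "F"

if __name__ == "__main__":
    for name, site in (("good", GOOD_SITE), ("weak", WEAK_SITE)):
        failed = [k for k, ok in audit(site).items() if not ok]
        print(f"{name}: grade {grade(site)}, failed: {failed or 'none'}")
```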
The user interface for Observatory is much like that of SSL Labs, which tests and grades sites’ usage of SSL and various cipher suites. King said that the idea of gamifying the tests and results was an appealing one.
“Drawing upon their experiences, I went to work wrapping the Observatory in an easy-to-use website to make this knowledge available to more than just security professionals. Now anybody with a web browser, URL, and a bit of curiosity will be able to investigate the problems that their sites may have. By providing accessible and transparent results, every member of a development team – regardless of skill level and specialization – will be able to check the URLs that they own or depend on so that they can help push for better security practices that benefit all of us,” King said.
Given that 91 percent of the sites scanned by Observatory got failing grades, there appears to be plenty of need for the tool, and plenty of room for sites to improve.