Task #2026
Status: closed
scan sites with observatory.mozilla.org
Done: 0%
Description
We should scan our sites with observatory.mozilla.org and see which errors are fixable (e.g. lack of OCSP Stapling which worked before) and which ones are optional (e.g. forced HTTPS).
Updated by Florian Effenberger about 8 years ago
- URL set to https://observatory.mozilla.org/analyze.html?host=libreoffice.org
Updated by Florian Effenberger about 8 years ago
- Assignee changed from Christian Lohmaier to Guilhem Moulin
Re-assigning to Guilhem in order to clean up Redmine queues.
Nothing concrete to do at the moment.
Updated by Florian Effenberger about 8 years ago
- Related to Task #2115: Request certs from Let's Encrypt for each HTTPS vhost added
Updated by Florian Effenberger about 8 years ago
- Target version changed from Qlater to Q4/2016
Updated by Florian Effenberger almost 8 years ago
- Target version changed from Q4/2016 to Q1/2017
Updated by Florian Effenberger almost 8 years ago
- Target version changed from Q1/2017 to Q2/2017
Only makes sense after all the migrations have been done; shifting to Q2.
Updated by Florian Effenberger over 7 years ago
- Target version changed from Q2/2017 to Pool
Updated by Florian Effenberger over 7 years ago
- Priority changed from Normal to High
- Target version changed from Pool to Q3/2017
Updated by Florian Effenberger about 7 years ago
With the HTTPS ticket (#2312) pending, the results won't be optimal, but if possible I'd like to see a first scan by LibOCon, so we know if there is something else that needs to be fixed independently.
Updated by Florian Effenberger about 7 years ago
Eike pointed me to https://webbkoll.dataskydd.net which is an additional service to check with
Updated by Florian Effenberger about 7 years ago
- Target version changed from Q3/2017 to Q4/2017
Updated by Florian Effenberger almost 7 years ago
- Related to Task #2441: Start using the headers Content Security Policy, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection added
Updated by Florian Effenberger over 6 years ago
- Target version changed from Q4/2017 to Q1/2018
Can we run a first scan this quarter, Guilhem? For another task you're collecting all VHosts anyway, so doing a first run to get a first impression would be great. We can then decide when and how to act on the findings.
Updated by Florian Effenberger over 6 years ago
- Target version changed from Q1/2018 to Q2/2018
I know you're quite swamped with other things, but let's aim for getting that done by end-Q2 :-)
Updated by Florian Effenberger over 6 years ago
What prevents us from doing that? This has actually been pending since last LibOCon, and IMHO it shouldn't take too much time to do a first run.
Is this something another team member could maybe help with?
Updated by Guilhem Moulin over 5 years ago
I'm personally really not fond of the hype for gamification of security, and blindly applying the same scoring algorithm to all services doesn't make sense IMHO. For example, for a bunch of static and self-contained pages that are only modifiable by root, a CSP is far less useful than for a forum with user-provided content. Sure, a strict CSP doesn't hurt, but a missing CSP will significantly lower the score equally in both cases, thus in my eyes the score should be taken with a grain of salt. Blindly aiming for a perfect score, and giving ourselves a pat on the back and bragging about it when/if we're there, isn't necessarily helpful.
FWIW the checks were done a while ago already (2018). Also it's a third-party service, no need to have special infra powers for that — some stuff, like HSTS and HPKP, should indeed be implemented by the infra team; for others like CSP, referrer policy and other custom headers the various upstream frontends are in a much better position to do that (or document it so we can add it to our HTTPd config).
HSTS, HPKP and CSP have been on the table for a while, see old infra call minutes; for the rest we need to have hints from the various upstream teams. They might need to refactor their code accordingly too, for instance isolate the CSS/JS code — for some, like Nextcloud, it's already in place; for the rest we need to wait for new releases.
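The split Guilhem describes above (transport-level headers owned by infra, content-level headers owned by the upstream frontends) can be checked offline before deciding what a scanner score means for a given vhost. The following is an added example, not code from the ticket, from LibreOffice infra or from observatory.mozilla.org: it parses the response headers discussed in this ticket (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy), reports findings per header and groups them by assumed owner. The two sample responses, the vhost labels, the HSTS max-age threshold and the owner mapping are assumptions made for illustration.

```python
"""Offline audit of HTTP security response headers.

Added example, not LibreOffice infra or observatory.mozilla.org code.
Sample responses, thresholds and the infra/upstream split are assumptions.
"""
from __future__ import annotations

# Minimum HSTS max-age we accept (180 days). Assumption: pick what your policy requires.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600

# Assumed ownership, following the split described in the ticket discussion.
OWNER = {
    "strict-transport-security": "infra",
    "content-security-policy": "upstream",
    "referrer-policy": "upstream",
    "x-content-type-options": "upstream",
    "x-frame-options": "upstream",
    "x-xss-protection": "upstream",
}

SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw HTTP header block into {lowercase-name: [values...]}.

    Repeated headers are kept as separate values (several CSP headers are all
    enforced by browsers, so they must not be joined into one string).
    """
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip the status line and blank lines
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split one CSP header value into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_hsts(h: dict[str, list[str]]) -> list[str]:
    values = h.get("strict-transport-security")
    if not values:
        return ["Strict-Transport-Security header missing"]
    directives = {}
    for d in values[0].split(";"):
        name, _, val = d.strip().partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or not a number"]
    findings = []
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings


def check_csp(h: dict[str, list[str]]) -> list[str]:
    policies = h.get("content-security-policy")
    if not policies:
        return ["Content-Security-Policy header missing"]
    # All delivered policies are enforced, so scripts are restricted as soon as
    # one policy limits script-src (or default-src) without 'unsafe-inline'.
    # A nonce or hash source makes browsers ignore 'unsafe-inline', so it passes too.
    for policy in policies:
        directives = parse_csp(policy)
        sources = directives.get("script-src", directives.get("default-src"))
        if sources is None:
            continue  # this policy does not restrict scripts at all
        lowered = [s.lower() for s in sources]
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in lowered)
        if "'unsafe-inline'" not in lowered or nonce_or_hash:
            return []
    return ["CSP does not restrict script-src without 'unsafe-inline'"]


def audit(raw: str) -> dict[str, list[str]]:
    """Return {header: [findings]} for one raw response; an empty list is a pass."""
    h = parse_headers(raw)
    first = lambda name: h.get(name, [""])[0].strip()  # noqa: E731
    report = {"strict-transport-security": check_hsts(h),
              "content-security-policy": check_csp(h)}
    report["x-content-type-options"] = (
        [] if first("x-content-type-options").lower() == "nosniff"
        else ["X-Content-Type-Options is not 'nosniff'"])
    frame_ancestors = any("frame-ancestors" in parse_csp(p)
                          for p in h.get("content-security-policy", []))
    report["x-frame-options"] = (
        [] if first("x-frame-options").upper() in ("DENY", "SAMEORIGIN") or frame_ancestors
        else ["no X-Frame-Options DENY/SAMEORIGIN and no CSP frame-ancestors"])
    # Legacy header: '0' (auditor off) or '1; mode=block' are the usual safe values.
    report["x-xss-protection"] = (
        [] if first("x-xss-protection").replace(" ", "").lower() in ("0", "1;mode=block")
        else ["X-XSS-Protection not set to '0' or '1; mode=block'"])
    rp = first("referrer-policy").lower()
    report["referrer-policy"] = (
        [] if rp in SAFE_REFERRER_POLICIES else [f"Referrer-Policy {rp!r} missing or leaks referrers"])
    return report


def findings_by_owner(report: dict[str, list[str]]) -> dict[str, list[str]]:
    grouped: dict[str, list[str]] = {"infra": [], "upstream": []}
    for header, findings in report.items():
        grouped[OWNER[header]].extend(findings)
    return grouped


# Constructed sample responses (not captured from any real host).
STATIC_SITE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Type: text/html
"""
FORUM = """HTTP/1.1 200 OK
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
Referrer-Policy: unsafe-url
X-XSS-Protection: 1; mode=block
"""

if __name__ == "__main__":
    for label, raw in (("static-vhost (hypothetical)", STATIC_SITE), ("forum-vhost (hypothetical)", FORUM)):
        print(label, findings_by_owner(audit(raw)))
```

Running it shows the point made in the comment: the static vhost and the forum both lose the CSP check, but only the forum's missing HSTS lands in the infra bucket, while everything else needs the upstream frontend to emit the header. Extend `OWNER` and the thresholds to match the actual team split and policy before using the output to triage real scan results.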
Updated by Florian Effenberger over 5 years ago
- Status changed from New to Closed
Fine for me if it was done in 2018 and no immediate problems were found.