fmaury/seirdy.one
1
0
Fork 0
mirror of https://git.sr.ht/~seirdy/seirdy.one synced 2024-09-19 20:02:10 +00:00
Code Issues Projects Releases Wiki Activity

Website tests: add Internet.nl, remove CryptCheck

Browse source 
Internet.nl obsoletes Hardenize and CryptCheck.
Also add some nuance to underline-links section
This commit is contained in:
Rohan Kumar 2022-09-26 09:48:27 -07:00
parent 07b87df10c
commit 6f04d296ce
No known key found for this signature in database
GPG key ID: 1E892DB2A5F84479
2 changed files with 18 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
content/posts/website-best-practices.gmi
View file

@ -847,6 +847,8 @@ Moreover, several parts of "Making Content Usable for People with Cognitive and
> Some users have trouble when controls have a different look, color, or shape than they have used before. For example, when links do not have underlines and blue or purple text some users will not know there is a link (even if this appears with focus).
=> https://www.w3.org/TR/coga-usable/#how-it-helps-3 "Making Content Usable for People with Cognitive and Learning Disabilities", section 4.2.5.3: Clearly Identify Controls and Their Use: How it Helps
This stance is not absolute. Users are familiar with very common design patterns, such as navigation bars and search results. Underlines are still preferable, but I find their absence less concerning in these cases.
### Buttons versus links
Buttons are another type of interactive element. Users are accustomed to recognizing buttons by their visually distinct interactive region. While hyperlinks are only signified by color and a text underline, buttons are signified by a background-color change and/or a visible border. Do not conflate the two!
@ -1609,17 +1611,18 @@ These are the tools I use regularly. I've deliberately excluded tools that would
=> https://testssl.sh/ testssl.sh
=> https://www.ssllabs.com/ssltest/ Qualys SSL Labs' SSL Server Test
10. CryptCheck: Unlike TLS 1.3, not all TLS 1.2 ciphers are secure. CryptCheck goes a bit further than testssl.sh and SSL Labs when it comes to evaluating TLS 1.2 cipher suites' security properties
=> https://tls.imirhil.fr/ CryptCheck
10. Webbkoll: basic security checks, focusing on HTTP headers. I consider it a spiritual successor to Mozilla's HTTP Observatory.
=> https://webbkoll.dataskydd.net/ Webbkoll
11. Check Your Website: slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports. If you find its reports too overwhelmingly detailed, Hardenize is an easier-to-understand option.
11. Check Your Website: slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports.
=> https://check-your-website.server-daten.de/ Check Your Website
=> https://www.hardenize.com/ Hardenize
I excluded Security Headers, since it tends to cargo-cult headers regardless of whether or not they are necessary. For instance, it penalizes forgoing the "Permissions-Policy" header even if the CSP blocks script loading and execution. I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse.
12. Internet.nl: possibly the harshest website security and modernity check on this list, and my personal favorite. Checks for IPv6 reachability, modern cipher suites and key-exchange params, DNSSEC, and RPKI. It also has handy tools to check an email server, and your own personal connection.
=> https://internet.nl/
I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse. I also excluded Hardenize and CryptCheck, since their scope is covered by Internet.nl.
I excluded Security Headers, since it tends to cargo-cult headers regardless of whether or not they are necessary. For instance, it penalizes forgoing the "Permissions-Policy" header even if the CSP blocks script loading and execution. Security Headers doesn't have in-depth checks of the _values_ of headers; Internet.nl does a much better job of that. Security should be a thoughtful process, not a checklist.
### Unorthodox tests

14
content/posts/website-best-practices.md
View file

@ -901,6 +901,8 @@ Some users have trouble when controls have a different look, color, or shape tha
{{< /quotecaption >}}
{{</quotation>}}
This stance is not absolute. Users are familiar with very common design patterns, such as navigation bars and search results. Underlines are still preferable, but I find their absence less concerning in these cases.
### Buttons versus links
Buttons are another type of interactive element. Users are accustomed to recognizing buttons by their visually distinct interactive region. While hyperlinks are only signified by color and a text underline, buttons are signified by a background-color change and/or a visible border. Do not conflate the two!
@ -1641,14 +1643,14 @@ These are the tools I use regularly. I've deliberately excluded tools that would
[testssl.sh (cli)](https://testssl.sh/) OR [SSL Labs' SSL Server Test (web, proprietary)](https://www.ssllabs.com/ssltest/)
: Basically equivalent tools for auditing your TLS setup. I prefer testssl.sh.
[CryptCheck](https://tls.imirhil.fr/)
: Unlike TLS 1.3, not all TLS 1.2 ciphers are secure. CryptCheck goes a bit further than testssl.sh and SSL Labs when it comes to evaluating TLS 1.2 cipher suites' security properties
[Webbkoll](https://webbkoll.dataskydd.net/)
: Basic security checks, focusing on HTTP headers. I consider it a spiritual successor to Mozilla's HTTP Observatory.
[Check Your Website](https://check-your-website.server-daten.de/)
: Slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports. If you find its reports too overwhelmingly detailed, [Hardenize](https://www.hardenize.com/) is an easier-to-understand option.
: Slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports.
[Internet.nl](https://internet.nl/)
: Possibly the harshest website security and modernity check on this list, and my personal favorite. Checks for IPv6 reachability, modern cipher suites and key-exchange params, DNSSEC, and <abbr>[RPKI](https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure)</abbr>. It also has handy tools to check an email server, and your own personal connection.
### Unorthodox tests
@ -1928,7 +1930,9 @@ A special thanks goes out to GothAlice for the questions she answered in <samp>#
[^35]: Screen readers aren't alone here. Several programs strip inline formatting: certain feed readers, search result snippets, and textual browsers invoked with the `-dump` flag are some examples I use every day.
[^36]: I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse. I excluded Security Headers, since its approach seems to be recommending headers regardless of whether or not they are necessary. It penalizes forgoing the <code>Permissions-<wbr />Policy</code> header even if the CSP blocks script loading and execution; see [Security Headers issue #103](https://github.com/securityheaders/securityheaders-bugs/issues/103). I personally find the <code>Permissions-<wbr />Policy</code> header quite problematic, as I noted in August 2021 on [webappsec-permissions-policy issue #189](https://github.com/w3c/webappsec-permissions-policy/issues/189#issuecomment-904783021).
[^36]: I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse. I excluded [Hardenize](https://hardenize.com/) and [CryptCheck](https://cryptcheck.fr/), since their scope is covered by Internet.nl.
I excluded Security Headers, since its approach seems to be recommending headers regardless of whether or not they are necessary. It penalizes forgoing the <code>Permissions-<wbr />Policy</code> header even if the CSP blocks script loading and execution; see [Security Headers issue #103](https://github.com/securityheaders/securityheaders-bugs/issues/103). I personally find the <code>Permissions-<wbr />Policy</code> header quite problematic, as I noted in August 2021 on [webappsec-permissions-policy issue #189](https://github.com/w3c/webappsec-permissions-policy/issues/189#issuecomment-904783021). Finally, Security Headers doesn't have in-depth checks of the _values_ of headers; Internet.nl does a much better job of that. Security should be a thoughtful process, not a checklist.
[^37]: My site caches HTML and RSS feed for a few hours. I disagree with webhint's recommendations against this: cache durations should be based on request rates and how often a resource is updated. I also disagree with some of its `content-type` recommendations: you don't need to declare UTF-8 charsets for SVG content-type headers if the SVG is ASCII-only and called from a UTF-8 HTML document. You gain nothing but header bloat by doing so.