From 6f04d296ce7c823be3678b4876208b34515db4e4 Mon Sep 17 00:00:00 2001 From: Rohan Kumar Date: Mon, 26 Sep 2022 09:48:27 -0700 Subject: [PATCH] Website tests: add Internet.nl, remove CryptCheck Internet.nl obsoletes Hardenize and CryptCheck. Also add some nuance to underline-links section --- content/posts/website-best-practices.gmi | 15 +++++++++------ content/posts/website-best-practices.md | 14 +++++++++----- 2 files changed, 18 insertions(+), 11 deletions(-) diff --git a/content/posts/website-best-practices.gmi b/content/posts/website-best-practices.gmi index 3dedef0..e34109a 100644 --- a/content/posts/website-best-practices.gmi +++ b/content/posts/website-best-practices.gmi @@ -847,6 +847,8 @@ Moreover, several parts of "Making Content Usable for People with Cognitive and > Some users have trouble when controls have a different look, color, or shape than they have used before. For example, when links do not have underlines and blue or purple text some users will not know there is a link (even if this appears with focus). => https://www.w3.org/TR/coga-usable/#how-it-helps-3 "Making Content Usable for People with Cognitive and Learning Disabilities", section 4.2.5.3: Clearly Identify Controls and Their Use: How it Helps +This stance is not absolute. Users are familiar with very common design patterns, such as navigation bars and search results. Underlines are still preferable, but I find their absence less concerning in these cases. + ### Buttons versus links Buttons are another type of interactive element. Users are accustomed to recognizing buttons by their visually distinct interactive region. While hyperlinks are only signified by color and a text underline, buttons are signified by a background-color change and/or a visible border. Do not conflate the two! 
@@ -1609,17 +1611,18 @@ These are the tools I use regularly. I've deliberately excluded tools that would => https://testssl.sh/ testssl.sh => https://www.ssllabs.com/ssltest/ Qualys SSL Labs' SSL Server Test -10. CryptCheck: Unlike TLS 1.3, not all TLS 1.2 ciphers are secure. CryptCheck goes a bit further than testssl.sh and SSL Labs when it comes to evaluating TLS 1.2 cipher suites' security properties -=> https://tls.imirhil.fr/ CryptCheck - 10. Webbkoll: basic security checks, focusing on HTTP headers. I consider it a spiritual successor to Mozilla's HTTP Observatory. => https://webbkoll.dataskydd.net/ Webbkoll -11. Check Your Website: slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports. If you find its reports too overwhelmingly detailed, Hardenize is an easier-to-understand option. +11. Check Your Website: slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports. => https://check-your-website.server-daten.de/ Check Your Website -=> https://www.hardenize.com/ Hardenize -I excluded Security Headers, since it tends to cargo-cult headers regardless of whether or not they are necessary. For instance, it penalizes forgoing the "Permissions-Policy" header even if the CSP blocks script loading and execution. I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse. +12. Internet.nl: possibly the harshest website security and modernity check on this list, and my personal favorite. Checks for IPv6 reachability, modern cipher suites and key-exchange params, DNSSEC, and RPKI. 
It also has handy tools to check an email server, and your own personal connection. +=> https://internet.nl/ + +I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse. I also excluded Hardenize and CryptCheck, since their scope is covered by Internet.nl. + +I excluded Security Headers, since it tends to cargo-cult headers regardless of whether or not they are necessary. For instance, it penalizes forgoing the "Permissions-Policy" header even if the CSP blocks script loading and execution. Security Headers doesn't have in-depth checks of the _values_ of headers; Internet.nl does a much better job of that. Security should be a thoughtful process, not a checklist. ### Unorthodox tests diff --git a/content/posts/website-best-practices.md b/content/posts/website-best-practices.md index f81c1ae..5f8bf47 100644 --- a/content/posts/website-best-practices.md +++ b/content/posts/website-best-practices.md @@ -901,6 +901,8 @@ Some users have trouble when controls have a different look, color, or shape tha {{< /quotecaption >}} {{}} +This stance is not absolute. Users are familiar with very common design patterns, such as navigation bars and search results. Underlines are still preferable, but I find their absence less concerning in these cases. + ### Buttons versus links Buttons are another type of interactive element. Users are accustomed to recognizing buttons by their visually distinct interactive region. While hyperlinks are only signified by color and a text underline, buttons are signified by a background-color change and/or a visible border. Do not conflate the two! 
@@ -1641,14 +1643,14 @@ These are the tools I use regularly. I've deliberately excluded tools that would [testssl.sh (cli)](https://testssl.sh/) OR [SSL Labs' SSL Server Test (web, proprietary)](https://www.ssllabs.com/ssltest/) : Basically equivalent tools for auditing your TLS setup. I prefer testssl.sh. -[CryptCheck](https://tls.imirhil.fr/) -: Unlike TLS 1.3, not all TLS 1.2 ciphers are secure. CryptCheck goes a bit further than testssl.sh and SSL Labs when it comes to evaluating TLS 1.2 cipher suites' security properties - [Webbkoll](https://webbkoll.dataskydd.net/) : Basic security checks, focusing on HTTP headers. I consider it a spiritual successor to Mozilla's HTTP Observatory. [Check Your Website](https://check-your-website.server-daten.de/) -: Slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports. If you find its reports too overwhelmingly detailed, [Hardenize](https://www.hardenize.com/) is an easier-to-understand option. +: Slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports. + +[Internet.nl](https://internet.nl/) +: Possibly the harshest website security and modernity check on this list, and my personal favorite. Checks for IPv6 reachability, modern cipher suites and key-exchange params, DNSSEC, and [RPKI](https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure). It also has handy tools to check an email server, and your own personal connection. ### Unorthodox tests 
@@ -1928,7 +1930,9 @@ A special thanks goes out to GothAlice for the questions she answered in # [^35]: Screen readers aren't alone here. Several programs strip inline formatting: certain feed readers, search result snippets, and textual browsers invoked with the `-dump` flag are some examples I use every day. -[^36]: I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse. I excluded Security Headers, since its approach seems to be recommending headers regardless of whether or not they are necessary. It penalizes forgoing the Permissions-Policy header even if the CSP blocks script loading and execution; see [Security Headers issue #103](https://github.com/securityheaders/securityheaders-bugs/issues/103). I personally find the Permissions-Policy header quite problematic, as I noted in August 2021 on [webappsec-permissions-policy issue #189](https://github.com/w3c/webappsec-permissions-policy/issues/189#issuecomment-904783021). +[^36]: I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse. I excluded [Hardenize](https://hardenize.com/) and [CryptCheck](https://cryptcheck.fr/), since their scope is covered by Internet.nl. + + I excluded Security Headers, since its approach seems to be recommending headers regardless of whether or not they are necessary. It penalizes forgoing the Permissions-Policy header even if the CSP blocks script loading and execution; see [Security Headers issue #103](https://github.com/securityheaders/securityheaders-bugs/issues/103). I personally find the Permissions-Policy header quite problematic, as I noted in August 2021 on [webappsec-permissions-policy issue #189](https://github.com/w3c/webappsec-permissions-policy/issues/189#issuecomment-904783021). Finally, Security Headers doesn't have in-depth checks of the _values_ of headers; Internet.nl does a much better job of that. Security should be a thoughtful process, not a checklist. 
[^37]: My site caches HTML and RSS feed for a few hours. I disagree with webhint's recommendations against this: cache durations should be based on request rates and how often a resource is updated. I also disagree with some of its `content-type` recommendations: you don't need to declare UTF-8 charsets for SVG content-type headers if the SVG is ASCII-only and called from a UTF-8 HTML document. You gain nothing but header bloat by doing so.
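Review bot: In the `content/posts/website-best-practices.gmi` hunk at `@@ -1609,17 +1611,18 @@`, the new link line `=> https://internet.nl/` has no label, while every other entry in the list does (`=> https://webbkoll.dataskydd.net/ Webbkoll`); clients will show the bare URL, so make it `=> https://internet.nl/ Internet.nl`. In the same hunk, `_values_` is Markdown emphasis carried over from the `.md` version; gemtext has no inline emphasis, so the underscores will render literally. Write it as plain `values` (or quote it) in the `.gmi` file.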
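Review bot: In the `content/posts/website-best-practices.md` hunk at `@@ -1641,14 +1643,14 @@`, the RPKI term is linked (`[RPKI](https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure)`), but the parallel Internet.nl entry added to the `.gmi` file mentions RPKI with no link line. The two versions of the article otherwise mirror each other, so add a `=> https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure RPKI` line after the Internet.nl entry in the gemtext version, or drop the link here, so that the two stay in sync.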
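Review bot: In the `content/posts/website-best-practices.md` hunk at `@@ -1928,7 +1930,9 @@`, the URLs given for the excluded tools differ from the ones this same patch removes: Hardenize is now `https://hardenize.com/` (removed line used `https://www.hardenize.com/`) and CryptCheck is now `https://cryptcheck.fr/` (removed line used `https://tls.imirhil.fr/`). Confirm both new URLs resolve rather than relying on a redirect, and note that the matching "I also excluded Hardenize and CryptCheck" sentence added to the `.gmi` file links neither tool, so readers of that version cannot check what was dropped. The footnote's continuation paragraph is indented, which is what Markdown footnotes need for a second paragraph; that part looks right.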