mirror of
https://git.sr.ht/~seirdy/seirdy.one
synced 2024-11-24 05:02:10 +00:00
Website tests: add Internet.nl, remove CryptCheck
Internet.nl obsoletes Hardenize and CryptCheck. Also add some nuance to underline-links section
This commit is contained in:
parent
07b87df10c
commit
6f04d296ce
2 changed files with 18 additions and 11 deletions
|
@ -847,6 +847,8 @@ Moreover, several parts of "Making Content Usable for People with Cognitive and
|
||||||
> Some users have trouble when controls have a different look, color, or shape than they have used before. For example, when links do not have underlines and blue or purple text some users will not know there is a link (even if this appears with focus).
|
> Some users have trouble when controls have a different look, color, or shape than they have used before. For example, when links do not have underlines and blue or purple text some users will not know there is a link (even if this appears with focus).
|
||||||
=> https://www.w3.org/TR/coga-usable/#how-it-helps-3 "Making Content Usable for People with Cognitive and Learning Disabilities", section 4.2.5.3: Clearly Identify Controls and Their Use: How it Helps
|
=> https://www.w3.org/TR/coga-usable/#how-it-helps-3 "Making Content Usable for People with Cognitive and Learning Disabilities", section 4.2.5.3: Clearly Identify Controls and Their Use: How it Helps
|
||||||
|
|
||||||
|
This stance is not absolute. Users are familiar with very common design patterns, such as navigation bars and search results. Underlines are still preferable, but I find their absence less concerning in these cases.
|
||||||
|
|
||||||
### Buttons versus links
|
### Buttons versus links
|
||||||
|
|
||||||
Buttons are another type of interactive element. Users are accustomed to recognizing buttons by their visually distinct interactive region. While hyperlinks are only signified by color and a text underline, buttons are signified by a background-color change and/or a visible border. Do not conflate the two!
|
Buttons are another type of interactive element. Users are accustomed to recognizing buttons by their visually distinct interactive region. While hyperlinks are only signified by color and a text underline, buttons are signified by a background-color change and/or a visible border. Do not conflate the two!
|
||||||
|
@ -1609,17 +1611,18 @@ These are the tools I use regularly. I've deliberately excluded tools that would
|
||||||
=> https://testssl.sh/ testssl.sh
|
=> https://testssl.sh/ testssl.sh
|
||||||
=> https://www.ssllabs.com/ssltest/ Qualys SSL Labs' SSL Server Test
|
=> https://www.ssllabs.com/ssltest/ Qualys SSL Labs' SSL Server Test
|
||||||
|
|
||||||
10. CryptCheck: Unlike TLS 1.3, not all TLS 1.2 ciphers are secure. CryptCheck goes a bit further than testssl.sh and SSL Labs when it comes to evaluating TLS 1.2 cipher suites' security properties
|
|
||||||
=> https://tls.imirhil.fr/ CryptCheck
|
|
||||||
|
|
||||||
10. Webbkoll: basic security checks, focusing on HTTP headers. I consider it a spiritual successor to Mozilla's HTTP Observatory.
|
10. Webbkoll: basic security checks, focusing on HTTP headers. I consider it a spiritual successor to Mozilla's HTTP Observatory.
|
||||||
=> https://webbkoll.dataskydd.net/ Webbkoll
|
=> https://webbkoll.dataskydd.net/ Webbkoll
|
||||||
|
|
||||||
11. Check Your Website: slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports. If you find its reports too overwhelmingly detailed, Hardenize is an easier-to-understand option.
|
11. Check Your Website: slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports.
|
||||||
=> https://check-your-website.server-daten.de/ Check Your Website
|
=> https://check-your-website.server-daten.de/ Check Your Website
|
||||||
=> https://www.hardenize.com/ Hardenize
|
|
||||||
|
|
||||||
I excluded Security Headers, since it tends to cargo-cult headers regardless of whether or not they are necessary. For instance, it penalizes forgoing the "Permissions-Policy" header even if the CSP blocks script loading and execution. I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse.
|
12. Internet.nl: possibly the harshest website security and modernity check on this list, and my personal favorite. Checks for IPv6 reachability, modern cipher suites and key-exchange params, DNSSEC, and RPKI. It also has handy tools to check an email server, and your own personal connection.
|
||||||
|
=> https://internet.nl/
|
||||||
|
|
||||||
|
I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse. I also excluded Hardenize and CryptCheck, since their scope is covered by Internet.nl.
|
||||||
|
|
||||||
|
I excluded Security Headers, since it tends to cargo-cult headers regardless of whether or not they are necessary. For instance, it penalizes forgoing the "Permissions-Policy" header even if the CSP blocks script loading and execution. Security Headers doesn't have in-depth checks of the _values_ of headers; Internet.nl does a much better job of that. Security should be a thoughtful process, not a checklist.
|
||||||
|
|
||||||
### Unorthodox tests
|
### Unorthodox tests
|
||||||
|
|
||||||
|
|
|
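Review bot: the new link line `=> https://internet.nl/` has no label, unlike every other link line in this list (for example `=> https://webbkoll.dataskydd.net/ Webbkoll`), so gemtext clients will show the bare URL; suggest `=> https://internet.nl/ Internet.nl`. Otherwise the renumbering is consistent now that CryptCheck is gone: the old file had two items numbered 10 (CryptCheck and Webbkoll), and the new list runs 10 (Webbkoll), 11 (Check Your Website), 12 (Internet.nl).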
@ -901,6 +901,8 @@ Some users have trouble when controls have a different look, color, or shape tha
|
||||||
{{< /quotecaption >}}
|
{{< /quotecaption >}}
|
||||||
{{</quotation>}}
|
{{</quotation>}}
|
||||||
|
|
||||||
|
This stance is not absolute. Users are familiar with very common design patterns, such as navigation bars and search results. Underlines are still preferable, but I find their absence less concerning in these cases.
|
||||||
|
|
||||||
### Buttons versus links
|
### Buttons versus links
|
||||||
|
|
||||||
Buttons are another type of interactive element. Users are accustomed to recognizing buttons by their visually distinct interactive region. While hyperlinks are only signified by color and a text underline, buttons are signified by a background-color change and/or a visible border. Do not conflate the two!
|
Buttons are another type of interactive element. Users are accustomed to recognizing buttons by their visually distinct interactive region. While hyperlinks are only signified by color and a text underline, buttons are signified by a background-color change and/or a visible border. Do not conflate the two!
|
||||||
|
@ -1641,14 +1643,14 @@ These are the tools I use regularly. I've deliberately excluded tools that would
|
||||||
[testssl.sh (cli)](https://testssl.sh/) OR [SSL Labs' SSL Server Test (web, proprietary)](https://www.ssllabs.com/ssltest/)
|
[testssl.sh (cli)](https://testssl.sh/) OR [SSL Labs' SSL Server Test (web, proprietary)](https://www.ssllabs.com/ssltest/)
|
||||||
: Basically equivalent tools for auditing your TLS setup. I prefer testssl.sh.
|
: Basically equivalent tools for auditing your TLS setup. I prefer testssl.sh.
|
||||||
|
|
||||||
[CryptCheck](https://tls.imirhil.fr/)
|
|
||||||
: Unlike TLS 1.3, not all TLS 1.2 ciphers are secure. CryptCheck goes a bit further than testssl.sh and SSL Labs when it comes to evaluating TLS 1.2 cipher suites' security properties
|
|
||||||
|
|
||||||
[Webbkoll](https://webbkoll.dataskydd.net/)
|
[Webbkoll](https://webbkoll.dataskydd.net/)
|
||||||
: Basic security checks, focusing on HTTP headers. I consider it a spiritual successor to Mozilla's HTTP Observatory.
|
: Basic security checks, focusing on HTTP headers. I consider it a spiritual successor to Mozilla's HTTP Observatory.
|
||||||
|
|
||||||
[Check Your Website](https://check-your-website.server-daten.de/)
|
[Check Your Website](https://check-your-website.server-daten.de/)
|
||||||
: Slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports. If you find its reports too overwhelmingly detailed, [Hardenize](https://www.hardenize.com/) is an easier-to-understand option.
|
: Slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports.
|
||||||
|
|
||||||
|
[Internet.nl](https://internet.nl/)
|
||||||
|
: Possibly the harshest website security and modernity check on this list, and my personal favorite. Checks for IPv6 reachability, modern cipher suites and key-exchange params, DNSSEC, and <abbr>[RPKI](https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure)</abbr>. It also has handy tools to check an email server, and your own personal connection.
|
||||||
|
|
||||||
### Unorthodox tests
|
### Unorthodox tests
|
||||||
|
|
||||||
|
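Review bot: `<abbr>[RPKI](...)</abbr>` carries no `title` attribute, so the abbreviation element gives screen readers and hover tooltips nothing to expand; suggest `<abbr title="Resource Public Key Infrastructure">`, which is the expansion already present in the linked Wikipedia URL. Also, the removed CryptCheck entry was the only one that explained why TLS 1.2 cipher evaluation matters ("Unlike TLS 1.3, not all TLS 1.2 ciphers are secure"); the Internet.nl description mentions "modern cipher suites and key-exchange params" but drops that rationale, so consider carrying the sentence over.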
@ -1928,7 +1930,9 @@ A special thanks goes out to GothAlice for the questions she answered in <samp>#
|
||||||
|
|
||||||
[^35]: Screen readers aren't alone here. Several programs strip inline formatting: certain feed readers, search result snippets, and textual browsers invoked with the `-dump` flag are some examples I use every day.
|
[^35]: Screen readers aren't alone here. Several programs strip inline formatting: certain feed readers, search result snippets, and textual browsers invoked with the `-dump` flag are some examples I use every day.
|
||||||
|
|
||||||
[^36]: I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse. I excluded Security Headers, since its approach seems to be recommending headers regardless of whether or not they are necessary. It penalizes forgoing the <code>Permissions-<wbr />Policy</code> header even if the CSP blocks script loading and execution; see [Security Headers issue #103](https://github.com/securityheaders/securityheaders-bugs/issues/103). I personally find the <code>Permissions-<wbr />Policy</code> header quite problematic, as I noted in August 2021 on [webappsec-permissions-policy issue #189](https://github.com/w3c/webappsec-permissions-policy/issues/189#issuecomment-904783021).
|
[^36]: I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse. I excluded [Hardenize](https://hardenize.com/) and [CryptCheck](https://cryptcheck.fr/), since their scope is covered by Internet.nl.
|
||||||
|
|
||||||
|
I excluded Security Headers, since its approach seems to be recommending headers regardless of whether or not they are necessary. It penalizes forgoing the <code>Permissions-<wbr />Policy</code> header even if the CSP blocks script loading and execution; see [Security Headers issue #103](https://github.com/securityheaders/securityheaders-bugs/issues/103). I personally find the <code>Permissions-<wbr />Policy</code> header quite problematic, as I noted in August 2021 on [webappsec-permissions-policy issue #189](https://github.com/w3c/webappsec-permissions-policy/issues/189#issuecomment-904783021). Finally, Security Headers doesn't have in-depth checks of the _values_ of headers; Internet.nl does a much better job of that. Security should be a thoughtful process, not a checklist.
|
||||||
|
|
||||||
[^37]: My site caches HTML and RSS feed for a few hours. I disagree with webhint's recommendations against this: cache durations should be based on request rates and how often a resource is updated. I also disagree with some of its `content-type` recommendations: you don't need to declare UTF-8 charsets for SVG content-type headers if the SVG is ASCII-only and called from a UTF-8 HTML document. You gain nothing but header bloat by doing so.
|
[^37]: My site caches HTML and RSS feed for a few hours. I disagree with webhint's recommendations against this: cache durations should be based on request rates and how often a resource is updated. I also disagree with some of its `content-type` recommendations: you don't need to declare UTF-8 charsets for SVG content-type headers if the SVG is ASCII-only and called from a UTF-8 HTML document. You gain nothing but header bloat by doing so.
|
||||||
|
|
||||||
|
|
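Review bot: the footnote is now split into two paragraphs, but the second one ("I excluded Security Headers…") only stays inside footnote 36 if it is indented under the `[^36]:` marker; at column zero the Markdown renderer behind these Hugo shortcodes will emit it as ordinary body text at the end of the article, so check the indentation. Also, the links use different hosts from the list entries they replace: CryptCheck was `https://tls.imirhil.fr/` in the removed entry but is `https://cryptcheck.fr/` here, and Hardenize was `https://www.hardenize.com/` but is `https://hardenize.com/` here; confirm both URLs resolve, or use the same URL in both places.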