mirror of https://git.sr.ht/~seirdy/seirdy.one synced 2025-02-17 12:20:06 +00:00

Compare commits


2 commits

Author SHA1 Message Date
Rohan Kumar
6f04d296ce
Website tests: add Internet.nl, remove CryptCheck
Internet.nl obsoletes Hardenize and CryptCheck.
Also add some nuance to underline-links section
2022-09-26 09:48:27 -07:00
Rohan Kumar
07b87df10c
Leave GEORGE webring
Left bc I quit trying to make a good first-party iframe alternative
that conformed to my site design standards while also imparting the
message of GEORGE as intended.

Whether I join or leave, GEORGE lives on. Whether GEORGE of the JUNGLE
or CURIOUS GEORGE, GEORGE is coming and GEORGE will be known to all as
the one true GEORGE.
2022-09-26 09:47:41 -07:00
3 changed files with 30 additions and 20 deletions

View file

@ -847,6 +847,8 @@ Moreover, several parts of "Making Content Usable for People with Cognitive and
> Some users have trouble when controls have a different look, color, or shape than they have used before. For example, when links do not have underlines and blue or purple text some users will not know there is a link (even if this appears with focus).
=> https://www.w3.org/TR/coga-usable/#how-it-helps-3 "Making Content Usable for People with Cognitive and Learning Disabilities", section 4.2.5.3: Clearly Identify Controls and Their Use: How it Helps
This stance is not absolute. Users are familiar with very common design patterns, such as navigation bars and search results. Underlines are still preferable, but I find their absence less concerning in these cases.
### Buttons versus links
Buttons are another type of interactive element. Users are accustomed to recognizing buttons by their visually distinct interactive region. While hyperlinks are only signified by color and a text underline, buttons are signified by a background-color change and/or a visible border. Do not conflate the two!
@ -1609,17 +1611,18 @@ These are the tools I use regularly. I've deliberately excluded tools that would
=> https://testssl.sh/ testssl.sh
=> https://www.ssllabs.com/ssltest/ Qualys SSL Labs' SSL Server Test
10. CryptCheck: Unlike TLS 1.3, not all TLS 1.2 ciphers are secure. CryptCheck goes a bit further than testssl.sh and SSL Labs when it comes to evaluating TLS 1.2 cipher suites' security properties
=> https://tls.imirhil.fr/ CryptCheck
10. Webbkoll: basic security checks, focusing on HTTP headers. I consider it a spiritual successor to Mozilla's HTTP Observatory.
=> https://webbkoll.dataskydd.net/ Webbkoll
11. Check Your Website: slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports. If you find its reports too overwhelmingly detailed, Hardenize is an easier-to-understand option.
11. Check Your Website: slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports.
=> https://check-your-website.server-daten.de/ Check Your Website
=> https://www.hardenize.com/ Hardenize
I excluded Security Headers, since it tends to cargo-cult headers regardless of whether or not they are necessary. For instance, it penalizes forgoing the "Permissions-Policy" header even if the CSP blocks script loading and execution. I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse.
12. Internet.nl: possibly the harshest website security and modernity check on this list, and my personal favorite. Checks for IPv6 reachability, modern cipher suites and key-exchange params, DNSSEC, and RPKI. It also has handy tools to check an email server, and your own personal connection.
=> https://internet.nl/
I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse. I also excluded Hardenize and CryptCheck, since their scope is covered by Internet.nl.
I excluded Security Headers, since it tends to cargo-cult headers regardless of whether or not they are necessary. For instance, it penalizes forgoing the "Permissions-Policy" header even if the CSP blocks script loading and execution. Security Headers doesn't have in-depth checks of the _values_ of headers; Internet.nl does a much better job of that. Security should be a thoughtful process, not a checklist.
### Unorthodox tests
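Review bot: the new link line `=> https://internet.nl/` is the only one in this list without a label, so gemtext clients will render the bare URL instead of a name; make it `=> https://internet.nl/ Internet.nl` to match the other entries (for example `=> https://webbkoll.dataskydd.net/ Webbkoll`). The list numbers are hand-written in gemtext, so after dropping the CryptCheck item confirm that Webbkoll (10), Check Your Website (11) and Internet.nl (12) are the only entries carrying those numbers in the full list.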

View file

@ -901,6 +901,8 @@ Some users have trouble when controls have a different look, color, or shape tha
{{< /quotecaption >}}
{{</quotation>}}
This stance is not absolute. Users are familiar with very common design patterns, such as navigation bars and search results. Underlines are still preferable, but I find their absence less concerning in these cases.
### Buttons versus links
Buttons are another type of interactive element. Users are accustomed to recognizing buttons by their visually distinct interactive region. While hyperlinks are only signified by color and a text underline, buttons are signified by a background-color change and/or a visible border. Do not conflate the two!
@ -1641,14 +1643,14 @@ These are the tools I use regularly. I've deliberately excluded tools that would
[testssl.sh (cli)](https://testssl.sh/) OR [SSL Labs' SSL Server Test (web, proprietary)](https://www.ssllabs.com/ssltest/)
: Basically equivalent tools for auditing your TLS setup. I prefer testssl.sh.
[CryptCheck](https://tls.imirhil.fr/)
: Unlike TLS 1.3, not all TLS 1.2 ciphers are secure. CryptCheck goes a bit further than testssl.sh and SSL Labs when it comes to evaluating TLS 1.2 cipher suites' security properties
[Webbkoll](https://webbkoll.dataskydd.net/)
: Basic security checks, focusing on HTTP headers. I consider it a spiritual successor to Mozilla's HTTP Observatory.
[Check Your Website](https://check-your-website.server-daten.de/)
: Slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports. If you find its reports too overwhelmingly detailed, [Hardenize](https://www.hardenize.com/) is an easier-to-understand option.
: Slower, more in-depth website checks with an emphasis on security. It covers name server configurations, DNSSEC, DANE, email DNS records, MTA-STS, well-known paths, redirects, certificate transparency, subresource integrity, caching, and well-known ports.
[Internet.nl](https://internet.nl/)
: Possibly the harshest website security and modernity check on this list, and my personal favorite. Checks for IPv6 reachability, modern cipher suites and key-exchange params, DNSSEC, and <abbr>[RPKI](https://en.wikipedia.org/wiki/Resource_Public_Key_Infrastructure)</abbr>. It also has handy tools to check an email server, and your own personal connection.
### Unorthodox tests
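Review bot: `<abbr>[RPKI](...)</abbr>` has no `title` attribute, so assistive technology announces the initialism with no expansion even though the link text is only "RPKI"; add `title="Resource Public Key Infrastructure"` (the expansion used in the linked article) or spell it out once in the sentence. Minor: the Internet.nl description is word-for-word the same as the gemtext copy in this change, so any later wording tweak has to land in both files.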
@ -1928,7 +1930,9 @@ A special thanks goes out to GothAlice for the questions she answered in <samp>#
[^35]: Screen readers aren't alone here. Several programs strip inline formatting: certain feed readers, search result snippets, and textual browsers invoked with the `-dump` flag are some examples I use every day.
[^36]: I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse. I excluded Security Headers, since its approach seems to be recommending headers regardless of whether or not they are necessary. It penalizes forgoing the <code>Permissions-<wbr />Policy</code> header even if the CSP blocks script loading and execution; see [Security Headers issue #103](https://github.com/securityheaders/securityheaders-bugs/issues/103). I personally find the <code>Permissions-<wbr />Policy</code> header quite problematic, as I noted in August 2021 on [webappsec-permissions-policy issue #189](https://github.com/w3c/webappsec-permissions-policy/issues/189#issuecomment-904783021).
[^36]: I excluded PageSpeed Insights and GTMetrix since those are mostly covered by Lighthouse. I excluded [Hardenize](https://hardenize.com/) and [CryptCheck](https://cryptcheck.fr/), since their scope is covered by Internet.nl.
I excluded Security Headers, since its approach seems to be recommending headers regardless of whether or not they are necessary. It penalizes forgoing the <code>Permissions-<wbr />Policy</code> header even if the CSP blocks script loading and execution; see [Security Headers issue #103](https://github.com/securityheaders/securityheaders-bugs/issues/103). I personally find the <code>Permissions-<wbr />Policy</code> header quite problematic, as I noted in August 2021 on [webappsec-permissions-policy issue #189](https://github.com/w3c/webappsec-permissions-policy/issues/189#issuecomment-904783021). Finally, Security Headers doesn't have in-depth checks of the _values_ of headers; Internet.nl does a much better job of that. Security should be a thoughtful process, not a checklist.
[^37]: My site caches HTML and RSS feed for a few hours. I disagree with webhint's recommendations against this: cache durations should be based on request rates and how often a resource is updated. I also disagree with some of its `content-type` recommendations: you don't need to declare UTF-8 charsets for SVG content-type headers if the SVG is ASCII-only and called from a UTF-8 HTML document. You gain nothing but header bloat by doing so.
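Review bot: the new footnote links CryptCheck at https://cryptcheck.fr/ and Hardenize at https://hardenize.com/, while the entries removed in this same change pointed at https://tls.imirhil.fr/ and https://www.hardenize.com/; confirm the new hosts are the intended canonical URLs so the footnote does not link through a redirect. Also check that the second paragraph starting "I excluded Security Headers" is indented under `[^36]:`; an unindented continuation paragraph ends the footnote and renders in the body text.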

View file

@ -65,14 +65,17 @@ values_to_csv() {
}
# values for the GEORGE webring
george() {
printf 'GEORGE,'
{
curl -sSL --compressed 'https://george.gh0.pw/embed.cgi?seirdy' \
| htmlq -a href 'main p a'
echo "null"
} | values_to_csv
}
# Left bc I quit trying to make a good first-party iframe alternative
# that conformed to my site design standards while also imparting the
# message of GEORGE as intended.
# george() {
# printf 'GEORGE,'
# {
# curl -sSL --compressed 'https://george.gh0.pw/embed.cgi?seirdy' \
# | htmlq -a href 'main p a'
# echo "null"
# } | values_to_csv
# }
endless_orbit() {
printf 'Endless Orbit,'
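Review bot: rather than commenting out the `george` function and its `curl`/`htmlq` pipeline, delete it; the rationale is already recorded in the commit message, git history keeps the code recoverable, and a commented-out block with live shell syntax drifts out of date silently (the `values_to_csv` contract could change and nothing would flag the dead copy). If the intent is to re-enable it soon, a one-line comment pointing at this commit is enough.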
@ -96,7 +99,7 @@ netizens() {
}
print_csv_values() {
george
# george
endless_orbit
netizens
}
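Review bot: with `george` no longer called from `print_csv_values`, the generated CSV loses its `GEORGE,` row; check that whatever consumes this CSV does not still expect that row, and remove the `# george` line together with the commented-out function rather than keeping it as a second piece of dead code.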