18F / pulse

How the federal .gov domain space is doing at best practices and policies.

Add data on use of STARTTLS email server encryption #218

Closed csoghoian closed 8 years ago

csoghoian commented 9 years ago

In addition to displaying data on the use of HTTPS, it would be great to do the same for agency use of STARTTLS for server -> server email encryption.

konklone commented 9 years ago

Can you recommend any high-quality open source measurement tools?

We're not above using proprietary APIs (we used the SSL Labs API for HTTPS), but we'd prefer not to do so -- and even with SSL Labs, we used an open source client.

Unfortunately, the code behind starttls.info, which you and I have both used before, does not appear to be open source -- the repo is only there for the issue tracker. Consider petitioning them to change that.

konklone commented 9 years ago

Also, have you tried scanning .gov at all yet? The first step, after identifying the right tool, is to just look at a scan and get to know the shape of the data and what fields are interesting.

ageis commented 9 years ago

If you check out the following URL: https://starttls.info/api/check/gsa.gov - starttls.info indeed has an open API that returns a JSON object with some grades and info. I'm optimistic that we can get the developers to open source it and that they would be sympathetic to that. In my experience doing this survey I found some things about that site which could be improved; in other words, it's ripe for further development.

einaros commented 9 years ago

I'm +1 on open sourcing https://starttls.info, although I'd hoped to complete the in-progress version before doing so. I do have a new scanner vaguely operational, and tidying up the front-end shouldn't be too much work.

Would any of you happen to have ideas for people or organizations that would be willing to give a hand?

garrettr commented 9 years ago

@einaros Freedom of the Press Foundation and our developers would be willing to give a hand! We're interested in using both Pulse and starttls.info to encourage news sites to implement HTTPS and STARTTLS, and to track their progress in doing so.

semenko commented 9 years ago

Hey cool -- we might be able to help here. A classmate and I are putting the finishing touches on a Pulse-esque evaluation of healthcare security hygiene & best practices (called the Trustworthy Healthcare Initiative).

We've got some Python code we'll be open-sourcing soon -- which includes STARTTLS / DANE TLSA / SPF / DKIM checks. It's currently based on parsing open datasets (e.g. scans.io -- since confused healthcare organizations think dig is a magic hacker tool). I'll try to open a PR here soon with some scanning capability.
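As an added illustration of the dataset-driven checks semenko describes (example code written for this page, not code from the Trustworthy Healthcare Initiative, domain-scan, or anyone in this thread): the functions below evaluate SPF, DKIM and DANE TLSA from a pre-collected record set instead of live DNS queries. The record set, the domain and MX names, the DKIM selector names and the key and hash values are all constructed placeholders, and the `{owner name: {rrtype: [rdata]}}` shape is an assumption, not the scans.io format.

```python
"""Mail-hygiene checks (SPF, DKIM, DANE TLSA) evaluated against a pre-collected
DNS record set rather than live queries. SAMPLE_RECORDS is constructed example
data; nothing in it is a real record."""

import re

SAMPLE_RECORDS = {  # constructed: {owner name: {rrtype: [rdata, ...]}}
    "example.gov": {
        "MX": ["20 mx2.example.gov.", "10 mx1.example.gov."],
        "TXT": ["v=spf1 mx include:_spf.mailer.example -all",
                "site-verification=0123456789"],
    },
    "selector1._domainkey.example.gov": {
        "TXT": ["v=DKIM1; k=rsa; p=AAAAB3NzaC1yc2EAAAADAQABAAABAQC"],  # placeholder key
    },
    "_25._tcp.mx1.example.gov": {
        "TLSA": ["3 1 1 " + "ab" * 32],  # placeholder SHA-256 of an SPKI
    },
}

# SPF terms that cost a DNS lookup (RFC 7208 s.4.6.4 allows at most 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mx_hosts(records, domain):
    """MX targets for a domain, lowest preference first, trailing dot stripped."""
    rrs = []
    for rdata in records.get(domain, {}).get("MX", []):
        pref, host = rdata.split()
        rrs.append((int(pref), host.rstrip(".")))
    return [host for _, host in sorted(rrs)]


def spf_check(txt_records):
    """Summarise the SPF policy found among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"present": False}
    if len(spf) > 1:  # RFC 7208 s.4.5: more than one v=spf1 record is a permerror
        return {"present": True, "valid": False, "reason": "multiple v=spf1 records"}
    result = {"present": True, "valid": True, "all": None, "lookups": 0, "record": spf[0]}
    for term in spf[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        body = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", body, maxsplit=1)[0]
        if name == "all":
            result["all"] = QUALIFIERS[qual]  # verdict for senders not listed
        elif name in SPF_LOOKUP_TERMS:
            result["lookups"] += 1
    if result["lookups"] > 10:
        result["valid"] = False
        result["reason"] = "more than 10 DNS-lookup terms"
    return result


def dkim_check(records, domain, selectors):
    """Which of the guessed selectors publish a key with a non-empty p= tag.
    Selectors are not discoverable from DNS, so this can confirm but never deny."""
    found = {}
    for sel in selectors:
        txts = records.get("%s._domainkey.%s" % (sel, domain), {}).get("TXT", [])
        found[sel] = any(re.search(r"(^|;)\s*p=[A-Za-z0-9+/=]+", t) for t in txts)
    return found


def tlsa_check(records, mx_host):
    """DANE TLSA records for SMTP on an MX host. RFC 7672 only uses certificate
    usages DANE-TA(2) and DANE-EE(3); the PKIX usages 0 and 1 are not for SMTP."""
    rrs = []
    for rdata in records.get("_25._tcp.%s" % mx_host, {}).get("TLSA", []):
        usage, selector, mtype, _data = rdata.split(None, 3)
        rrs.append({"usage": int(usage), "selector": int(selector),
                    "mtype": int(mtype), "usable": int(usage) in (2, 3)})
    return {"present": bool(rrs), "records": rrs}


def assess(domain, records, dkim_selectors=("selector1", "default")):
    """Run every check for one domain and return a plain dict for reporting."""
    txts = records.get(domain, {}).get("TXT", [])
    mxs = mx_hosts(records, domain)
    return {
        "domain": domain,
        "mx": mxs,
        "spf": spf_check(txts),
        "dkim": dkim_check(records, domain, dkim_selectors),
        "tlsa": {host: tlsa_check(records, host) for host in mxs},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess("example.gov", SAMPLE_RECORDS), indent=2))
```

The DKIM result is deliberately asymmetric: a selector that resolves proves DKIM is deployed, but a miss only means the guessed selector was wrong, so a scanner should report "not found" rather than "not deployed". The TLSA check only parses the record; matching it against the live certificate still needs a connection to the MX.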

konklone commented 9 years ago

A classmate and I are putting the finishing touches on a Pulse-esque evaluation of healthcare security hygiene & best practices (called the Trustworthy Healthcare Initiative).

Ahhhh, this is really cool. And some helpful UX inspiration.

I'll try to open a PR here soon with some scanning capability.

Take a look at https://github.com/18F/domain-scan, if you're interested in tying into that at all. :)

garrettr commented 9 years ago

Hey @einaros @semenko, have you had a chance to work on a STARTTLS scanning PR? I was thinking about writing a pull request to add STARTTLS scanning functionality to domain-scan, but if either of you are already working on that I don't want to duplicate effort.

semenko commented 9 years ago

I haven't started -- and probably won't get a chance until after July 10th. Give it a whirl!

conorsch commented 9 years ago

@einaros If you're willing to push the current build of starttls.info to its public repo, you can expect contributions from a few folks eager to extend the project, myself included. If you'd prefer to do an invite-only cleanup of the existing codebase, happy to help there, too.

garrettr commented 9 years ago

I'm just checking in on the status of the various projects we've discussed in this thread so far, since it's been 3 weeks since the last comment.

I implemented a STARTTLS scanner based on starttls.info for domain-scan in #33, which is the first necessary step in adding info about STARTTLS usage to Pulse. The scanner works fairly well but there are numerous things about starttls.info that need improvement, such as uncertain and sometimes straight-up incorrect scoring methodology, difficult-to-use and undocumented APIs, etc.

@einaros Our developers at Freedom of the Press Foundation are still happy to help with an open-source version of starttls.info. Can you give us an update on the progress toward releasing that code?

Alternatively, if we cannot improve starttls.info in a timely manner, it may be preferable to develop our own STARTTLS scanner. @semenko, are you still interested in this? We'd be happy to help out with development in any way you need. (In addition, some of the other scanners you mentioned would be great to have too!)
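An added example of the SMTP dialog a STARTTLS scanner has to drive, written for this page (it is not domain-scan's, starttls.info's, or any thread participant's code). It reads the greeting, sends EHLO, looks for STARTTLS among the advertised keywords and issues the command; the live wrapper then completes the TLS handshake with certificate and hostname verification. The host names, HELO name and server transcripts are constructed, and the transport-injection design with a scripted server is an assumption made so the dialog can run offline.

```python
"""Probe an SMTP server for STARTTLS over an injectable transport, so the same
dialog runs against a live MX or against a scripted transcript offline."""

import socket
import ssl
from dataclasses import dataclass, field


@dataclass
class StarttlsResult:
    greeting: str = ""
    capabilities: list = field(default_factory=list)  # EHLO keywords, upper-cased
    advertised: bool = False      # server listed STARTTLS in its EHLO reply
    negotiated: bool = False      # server answered 220 to the STARTTLS command
    tls_version: str = ""         # filled only by the live probe
    cert_verified: bool = False   # filled only by the live probe
    error: str = ""


def read_reply(readline):
    """Read one SMTP reply, following '250-' continuation lines.
    Returns (code, [text of each line])."""
    lines = []
    while True:
        raw = readline()
        if not raw:
            raise ConnectionError("connection closed mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed reply: %r" % line)
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":  # a space (not '-') ends the reply
            return int(line[:3]), lines


def probe_starttls(readline, send, helo_name="scanner.example"):
    """Drive greeting -> EHLO -> STARTTLS and record what the server offered.
    Stops before the TLS handshake; the caller wraps the socket if negotiated."""
    res = StarttlsResult()
    try:
        code, lines = read_reply(readline)
        res.greeting = lines[0]
        if code != 220:
            res.error = "unexpected greeting %d" % code
            return res
        send(("EHLO %s\r\n" % helo_name).encode("ascii"))
        code, lines = read_reply(readline)
        if code != 250:
            res.error = "EHLO rejected with %d" % code
            return res
        res.capabilities = [l.split()[0].upper() for l in lines[1:] if l.strip()]
        res.advertised = "STARTTLS" in res.capabilities
        if not res.advertised:
            send(b"QUIT\r\n")
            return res
        send(b"STARTTLS\r\n")
        code, lines = read_reply(readline)
        res.negotiated = code == 220
        if not res.negotiated:  # advertised but refused is its own failure mode
            res.error = "STARTTLS refused with %d %s" % (code, lines[0])
    except (ConnectionError, ValueError, OSError) as exc:
        res.error = str(exc)
    return res


def probe_host(host, port=25, timeout=10.0):
    """Live version: run the dialog, then finish the handshake with chain and
    hostname verification against the system trust store."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        res = probe_starttls(rfile.readline, sock.sendall)
        if not res.negotiated:
            return res
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                res.tls_version = tls.version()
                res.cert_verified = True
                tls.sendall(b"QUIT\r\n")
        except ssl.SSLError as exc:  # includes SSLCertVerificationError
            res.error = "TLS handshake failed: %s" % exc
    return res


class ScriptedServer:
    """Constructed server transcript for offline runs; records what we sent."""
    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def readline(self):
        return self.replies.pop(0) if self.replies else b""

    def send(self, data):
        self.sent.append(data)


# Constructed transcripts, not captures from any real server.
OFFERS_STARTTLS = [b"220 mx.example.gov ESMTP\r\n", b"250-mx.example.gov\r\n",
                   b"250-SIZE 52428800\r\n", b"250-STARTTLS\r\n", b"250 8BITMIME\r\n",
                   b"220 2.0.0 Ready to start TLS\r\n"]
NO_STARTTLS = [b"220 mx.example.gov ESMTP\r\n", b"250-mx.example.gov\r\n",
               b"250 8BITMIME\r\n", b"221 Bye\r\n"]

if __name__ == "__main__":
    srv = ScriptedServer(OFFERS_STARTTLS)
    print(probe_starttls(srv.readline, srv.send))
```

Run `probe_host("mx1.example.gov")` (a placeholder name) against each MX of a domain rather than the domain itself, since mail is delivered to the MX hosts. Keeping "not advertised", "advertised but refused", and "negotiated but certificate fails verification" as separate outcomes is what makes any later scoring defensible; collapsing them into one grade is the kind of opacity the thread complains about.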

semenko commented 9 years ago

Hey @garrettr -- still high on my todo list -- right after my thesis defense in September.

Again, our code for Trustworthy Healthcare is based on parsing open public databases like scans.io -- so it'll take some tweaks to scan STARTTLS info directly.

gbinal commented 8 years ago

Thanks for the good idea - I've added this to the list we keep of potential expansions to pulse but am going to go ahead and close the issue in the meantime. We're hoping to add more scans to pulse in FY'17 and will follow up here if this is chosen.

Again, thanks for the great idea and please share any others.