Open hardfalcon opened 6 years ago
This is a pretty big undertaking, and might be better as a separate project.
I would say about 80% or so of what SSLeuth looks at is possible with the new API. Is it still relevant when services like SSL Labs will provide a much more in-depth analysis?
My main use case for SSLeuth was to quickly see if a connection was not the best. I just cannot and do not scan each site I visit with SSL Labs. So, SSLeuth shows you:
@april: Exactly what @rugk said/wrote.
As for a replacement given WebExtensions constraints, I guess a colored grading in the icon and/or badge would be good, combined with a popup menu, as it is really not needed to open the whole new tag page for it.
Hey @april, I would like to contribute on this one, being an Outreachy aspirant. Can you please suggest which code I should touch?
I don't think this would be a particularly good task for an outreachy aspirant, especially given that I don't even know how I would grade connections at this point.
Hi @april. I believe I can work on this; can I go on?
I don't even know how I would do this. If you want to write up a proposal I could certainly take a look at it, but the scope of this is probably far beyond any other bug.
@april I have created the proposal for grading quality of TLS connection. Please allow me to work on it.
So you want to use HTTP Observatory. The things I see here:
- privacy impact: the user has to know their domain is sent to a third-party service
- more analysis: HTTP Observatory analyses more than just HTTPS. (it's a big part, but it also takes HTTP headers etc. into account) So this can be a little misleading...
And personally, I still consider this out of scope of this add-on. It would possibly better fit into a new add-on...
Hi @april, I believe we can prompt a user to reject or allow us to send his or her domain name to a third-party service. So far I have most of the code working and I can start making commits; it won't cost me much time to accomplish. Please allow me to do this task.
I am not @april; I am just watching this repo, as I like the add-on, and giving my two cents. So let's first see what @april actually says...
The HTTP Observatory doesn't do any grading of TLS, nor does the TLS Observatory. Nothing in this proposal would address the request in the issue, @noahwalugembe. Further, tools like SSL Labs and the TLS Observatory also only address available cipher suites and protocols, but they don't grade what the browser is actually using.
Sorry, I don't think this issue is at an appropriate complexity level for you to address.
Thanks @april for your advice. Is it okay if I can ask you to get for me some new bugs which I can work on this week? Please give me a hand. I really need to contribute so as to qualify for an internship with Outreachy. It will be my pleasure to work with you on this project.
The grading is both subjective and transient (what is secure now may not be secure in 2 years). I don’t think this function is in scope of the project.
SSLeuth offered a simple grading of the TLS connection's quality, based upon factors like "strength of the symmetric encryption", "strength of the key exchange", "strength of the MAC/AEAD", "forward secrecy", "extended validation", "certificate status", etc., where the weight for every single factor could be configured.
A similar feature would be nice to have, perhaps even rendering the grading directly onto the extension's icon in the URL bar.
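
The weighted grading described above, sketched as an added example that is not part of the original thread and not SSLeuth's code. It assumes input shaped like the object Firefox's `webRequest.getSecurityInfo()` returns; the weights, per-factor scores and letter thresholds are hypothetical.

```javascript
// Added example: weights and thresholds are hypothetical, not SSLeuth's.
const DEFAULT_WEIGHTS = {
  cipher: 3, keyExchange: 3, mac: 2, forwardSecrecy: 3, ev: 1, certStatus: 4,
};

// Score each factor in [0, 1] from a SecurityInfo-shaped object.
function factorScores(info) {
  const suite = info.cipherSuite || "";
  const group = info.keaGroupName || "";
  const aead = /GCM|CHACHA20_POLY1305|CCM/.test(suite);
  // TLS 1.3 always uses (EC)DHE; older suites must name it explicitly.
  const ephemeral = info.protocolVersion === "TLSv1.3" || /_(ECDHE|DHE)_/.test(suite);
  const certBad = info.isUntrusted || info.isDomainMismatch || info.isNotValidAtThisTime;
  return {
    cipher: /AES_256|CHACHA20/.test(suite) ? 1 : /AES_128/.test(suite) ? 0.8 : 0,
    keyExchange: !ephemeral ? 0.3 : /x25519|P256|P384|P521/i.test(group) ? 1 : 0.6,
    mac: aead ? 1 : /SHA256|SHA384/.test(suite) ? 0.6 : 0.3,
    forwardSecrecy: ephemeral ? 1 : 0,
    ev: info.isExtendedValidation ? 1 : 0,
    certStatus: certBad ? 0 : 1,
  };
}

// Weighted average of the factors, scaled to 0-100 and mapped to a letter.
function gradeConnection(info, weights = {}) {
  if (info.state !== "secure" && info.state !== "weak") {
    return { score: 0, letter: "F", factors: {} }; // insecure or broken
  }
  const w = { ...DEFAULT_WEIGHTS, ...weights }; // per-factor user overrides
  const factors = factorScores(info);
  let total = 0, max = 0;
  for (const [name, value] of Object.entries(factors)) {
    total += w[name] * value;
    max += w[name];
  }
  const score = max > 0 ? Math.round((100 * total) / max) : 0;
  const letter = score >= 90 ? "A" : score >= 75 ? "B" : score >= 60 ? "C" : score >= 40 ? "D" : "F";
  return { score, letter, factors };
}

// Constructed sample inputs (not captured from real connections).
const MODERN = { state: "secure", protocolVersion: "TLSv1.3",
  cipherSuite: "TLS_AES_128_GCM_SHA256", keaGroupName: "x25519" };
const LEGACY = { state: "weak", protocolVersion: "TLSv1.2",
  cipherSuite: "TLS_RSA_WITH_AES_128_CBC_SHA", keaGroupName: "" };

console.log(gradeConnection(MODERN), gradeConnection(LEGACY, { forwardSecrecy: 10 }));
```

Because the input is the negotiated connection rather than a server scan, the grade reflects what the browser is actually using; raising a single weight (here `forwardSecrecy`) shifts the result for the same connection.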