Automated test in the current browser ("Dashboard")

[acdha]

In discussion with colleagues it seemed like a useful addition would be something along the lines of http://ec2-reachability.amazonaws.com/ where a query-string parameter, button click, etc. would trigger a background test to the most important endpoints and report the results with simple summary badging.

Two scenarios for this:

1. A user at a large organization needs to navigate past the helpdesk to get to the network team and that would be easier if the instructions are as simple as “Ask the firewall admin to open [url] and click on the error flag”

2. Basic automated infrastructure regression testing by loading the URL in phantomjs, waiting until the page load event fires, and checking to see if the error state is set.

[lgarron]

So, a dashboard like that AWS page that makes XHR requests to subdomains and summarizes which the browser will connect to?

Not a priority, but I wouldn't be opposed to it. If someone wants to prototype it, I'd be happy to think about putting it somewhere in badssl.com

[lgarron]

A user at a large organization needs to navigate past the helpdesk to get to the network team and that would be easier if the instructions are as simple as “Ask the firewall admin to open and click on the error flag”

Basic automated infrastructure regression testing by loading the URL in phantomjs, waiting until the page load event fires, and checking to see if the error state is set.

I don't really understand either of these. Could you describe in more detail who would do what in these scenarios?

[acdha]

The idea is basically that many large organizations have middle-boxes, software, and group policy which affect their SSL client behaviour[1] and it's unfortunately common for that to be managed by a under-staffed team with limited security expertise, so they might not immediately understand why it's a problem that a request is successful or why it's better to reissue certificates than disable weak DH, SHA-1, etc. warnings.

My idea was that it would be useful to have a way where simply opening a URL would generate a clear error report listing requests which should have failed to minimize the amount of effort required to test for problems, and that would also have the side benefit of making regression testing potentially as simple as a cron task running something like PhantomJS.

1. This came up out of a discussion about https://jhalderm.com/pub/papers/interception-ndss17.pdf

[lgarron]

I've added a minimal dashboard.

TODO:

• [ ] Summary card at the top: "All important tests pass" vs. "At least one important test failed" (consider marking the section headings for "Not Secure" and "Secure" as "Important").
• [ ] Distinguish between network failure and cert error? (Requires CORS on the target resource, therefore CORS support in the browser.)
• [ ] Copyable result summary textarea (including browser UA)
• [ ] Aggressively disable caching for test resources
• [x] Link from front page
• [x] TLSv1, TLSv1.1 tests?
• [ ] Remove spare CSS
• [ ] Split tables across multiple columns (like the badssl.com front page) if we can make it look okay.

Screenshot:

[acdha]

@lgarron This looks great, exactly what I had in mind! I'm going to test it in a few places now