chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0

Explanations how problems might be exploited? #468

Open deknos opened 3 years ago

deknos commented 3 years ago

Hello, would it be possible to have some explanation of which problems might be exploited in certain ways? So it's not only clear that it IS a problem, but also its severity and what attackers can do?

That might be really neat :)

lgarron commented 3 years ago

Are the descriptions at https://badssl.com/dashboard/ sufficiently useful?

I think it would not be a good use of front page space to host such descriptions, and I think it's hard in general to maintain descriptions about the full implications of particular security issues. But we could certainly add more info if someone has a good concrete idea for how to add it.

christhompson commented 3 years ago

One idea that comes to mind for how to implement this would be as a hover card on the dashboard (maybe an (i) icon to give an affordance for the hover state), which could show a blurb about each test case, defined in the dashboard file. Definitely adds some maintenance overhead but it seems like it could be useful.

On Sun, Mar 21, 2021 at 4:42 PM Lucas Garron @.***> wrote:

Are the descriptions at https://badssl.com/dashboard/ sufficiently useful?

I think it would not be a good use of front page space to host such descriptions, and I think it's hard in general to maintain descriptions about the full implications of particular security issues. But we could certainly add more info if someone has a good concrete idea for how to add it.

deknos commented 3 years ago

Uh, the dashboard is actually great! I totally overlooked that link. But the explanations are a bit vague.

For example, for the expired thingy, attack vectors could be:

I know many are duplicates and some are very improbable, but this would actually make it more graphic and understandable for people new to the infosec area if they have concrete examples.

janbrasna commented 2 years ago

I'm also in the camp of "overlooked there's a dashboard" and "why is no tooltip showing this icon's meaning" — I guess there's some room for making feature or content disclosure more obvious (like separating the dashboard link from the test cases, maybe making it part of some intro information to make the dashboard more prominent… plus the fact that it's actually a live test of your UA, which is also not mentioned anywhere {until I saw the console hits for the various hosts' images I didn't think of it as a live test, rather just a general compatibility/support recap}; all of that is just too valuable to be overlooked by outsiders like me who aren't familiar with the site's features beforehand), with accessibility issues here and there too. I'll look into what can be improved if there's interest.

While I don't think it's reasonable to keep our own descriptions of the issues or attacks, it would be helpful if the different reasons for weak crypto or cipher obsolescence could at least be linked to some reference source (like weakdh, the Mozilla wiki, Chrome intent-to-ship threads, etc.) explaining why the consensus here is to mark them as such.
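The two ideas raised above, a per-test-case blurb shown from an (i) icon on the dashboard and the fact that the dashboard is a live test of the visiting browser, can be sketched together in a small data-driven page. The following is an added example written for this thread; it is not code from the badssl.com repository and does not reproduce the real dashboard. The hostnames are real badssl.com subdomains, but the blurbs, the `expectLoad` field, the verdict names, the image path and the hover mechanism (the native `title` attribute) are this example's own assumptions.

```javascript
// Added example, not badssl.com's own dashboard code. A data-driven test-case
// table with a per-case explanation, plus probe logic that loads an image from
// each host and interprets whether the browser accepted that host's TLS setup.
// Hostnames are real badssl.com subdomains; blurbs, field names, verdict names
// and IMAGE_PATH are assumptions made for this example.

const IMAGE_PATH = 'example-image.png'; // placeholder path, not the real dashboard's

const TEST_CASES = [
  { id: 'expired',        host: 'expired.badssl.com',        expectLoad: false,
    blurb: 'Certificate is past its notAfter date; a client must reject it.' },
  { id: 'wrong.host',     host: 'wrong.host.badssl.com',     expectLoad: false,
    blurb: 'Certificate names do not match the hostname; a client must reject it.' },
  { id: 'self-signed',    host: 'self-signed.badssl.com',    expectLoad: false,
    blurb: 'Certificate is not issued by a trusted CA; a client must reject it.' },
  { id: 'untrusted-root', host: 'untrusted-root.badssl.com', expectLoad: false,
    blurb: 'Chain ends at a root the client should not trust; a client must reject it.' },
  { id: 'sha256',         host: 'sha256.badssl.com',         expectLoad: true,
    blurb: 'Valid certificate with a SHA-256 signature; a current client must accept it.' },
];

// Interpret one probe result. For a "bad" host a successful load means the
// client accepted something it should have refused; for a "good" host a failed
// load means the client lacks support for a current baseline.
function verdict(testCase, loaded) {
  if (testCase.expectLoad) return loaded ? 'ok' : 'unsupported';
  return loaded ? 'insecure' : 'ok';
}

// Roll individual verdicts up into counts for a one-line status.
function summarize(results) {
  const counts = { ok: 0, insecure: 0, unsupported: 0 };
  for (const r of results) counts[r.verdict] += 1;
  return counts;
}

// Browser-only: try to load an image from the host and resolve with the outcome.
// Subresource loads with certificate errors are blocked without an interstitial,
// so this measures the user agent's validation, not a user's click-through.
function probe(testCase, timeoutMs = 8000) {
  return new Promise((resolve) => {
    const img = new Image();
    const done = (loaded) =>
      resolve({ id: testCase.id, loaded, verdict: verdict(testCase, loaded) });
    const timer = setTimeout(() => done(false), timeoutMs);
    img.onload = () => { clearTimeout(timer); done(true); };
    img.onerror = () => { clearTimeout(timer); done(false); };
    // Cache-busting query string so a cached copy cannot produce a false "loaded".
    img.src = `https://${testCase.host}/${IMAGE_PATH}?t=${Date.now()}`;
  });
}

// Render one row per case with an (i) icon whose title attribute carries the
// blurb (the simplest hover card), then fill in the live verdicts.
async function renderDashboard(container) {
  const rows = TEST_CASES.map((tc) => {
    const row = document.createElement('div');
    row.id = `case-${tc.id}`;
    const info = document.createElement('span');
    info.textContent = '(i)';
    info.title = tc.blurb; // hovering the icon reveals the explanation
    row.append(`${tc.host} `, info, ' pending');
    container.append(row);
    return row;
  });
  const results = await Promise.all(TEST_CASES.map((tc) => probe(tc)));
  results.forEach((r, i) => { rows[i].lastChild.textContent = ` ${r.verdict}`; });
  return summarize(results);
}

// Only run the live probes when loaded in a browser.
if (typeof document !== 'undefined') {
  renderDashboard(document.body).then((summary) => console.log(summary));
}
```

Keeping the catalogue, the verdict rule and the rendering separate is what makes the blurb idea cheap to maintain: the explanation lives next to the host it describes, and a reference link (weakdh, Mozilla wiki, intent-to-ship thread) could be one more field in the same record rather than prose kept elsewhere.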