freedomofpress / securethenews

An automated scanner and web dashboard for tracking TLS deployment across news organizations
https://securethe.news
GNU Affero General Public License v3.0
100 stars 25 forks

Consider tracking HSTS as top-level metric #224

Open eloquence opened 4 years ago

eloquence commented 4 years ago

(Thanks to @nondescriptuser for the suggestion.)

We currently track the following top-level metrics:

- 98% of news sites offer HTTPS
- 95% default to HTTPS

Given the high adoption of HTTPS in the Global North, we should consider tracking HSTS adoption as its own top-level metric, potentially replacing the "default to HTTPS" metric.

eloquence commented 3 years ago

@redshiftzero This may be something the web team will have bandwidth to work on in the near-term, any thoughts from your end on how useful this would be, and how it should be presented in the results?

nondescriptuser commented 3 years ago

The website now tracks the following:

- 97% of news sites offer HTTPS
- 95% default to HTTPS
- 5% of news sites offer onion services
- 135 total news sites

If it were still possible to insert a metric for HSTS adoption in there, in the middle, that would be much appreciated.

Granted, would having HSTS adoption, in and of itself, be the item to track, or would it be 'HSTS adoption with a min max age'? I would lean towards the former, as the latter could be a mouthful. It could also be challenging to include short of defining what is a 'min max age.' A max age of at least 18 weeks? Yet, specifying in a top-level metric as 'HSTS with a max-age >= 18 weeks' could be wordy.

Also to note: At the time that the suggestion was made, sites that had HTTPS by default would receive a grade of 'B' (70). Those sites that had HTTPS by default, along with HSTS, would have, at a minimum, a 'B+' (75). This was on account of the grading methodology having yielded at least a +5 for offering HSTS. Now, however, the boost is a +4. In this way, those sites that do offer HSTS are sites that get the same grade as those without. (Sites with HSTS do get listed above those sites with just HTTPS by default, but the grades are the same.)

Would it be possible to adjust this somehow such that HSTS would confer a higher grade? Perhaps sites with HTTPS by default could start at a grade of 68 (C+), and then if they get at least a +4 or +5 for HSTS, this would push them up to a B. Alternatively, would it be possible to set sites that receive a 70 to receive a B-, while sites that get a 74 could obtain a B?
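One way to compute both numbers discussed in this thread, plain "HSTS adoption" and "HSTS with a max-age of at least 18 weeks", as an added example in Python. This is not securethenews' own scanner or grading code; the header parsing follows RFC 6797 (a header without a valid max-age is ignored by browsers, and max-age=0 removes a policy rather than adopting one), and the site list, domains and header values are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The "min max-age" floated in the thread: 18 weeks, expressed in seconds.
EIGHTEEN_WEEKS = 18 * 7 * 24 * 60 * 60  # 10886400


@dataclass
class HstsPolicy:
    present: bool                # True only if a valid max-age directive was found
    max_age: int = 0
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).

    Directives are semicolon-separated and case-insensitive. max-age is
    required; a header without a valid max-age is ignored by browsers, so it
    is reported here as no policy at all. Unknown directives are skipped.
    """
    if header is None:
        return HstsPolicy(present=False)
    policy = HstsPolicy(present=False)
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", value):
                return HstsPolicy(present=False)  # malformed max-age: whole header ignored
            policy.max_age = int(value)
            policy.present = True
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


@dataclass
class SiteResult:
    domain: str
    hsts_header: Optional[str]  # value seen on the site's HTTPS response, or None


def hsts_metrics(results: List[SiteResult], min_max_age: int = EIGHTEEN_WEEKS) -> Dict[str, int]:
    """Count sites with any effective HSTS policy and sites meeting the max-age floor.

    max-age=0 tells browsers to forget the host, so it does not count as
    "offers HSTS". Percentages are rounded to whole numbers, like the
    dashboard's top-level figures.
    """
    total = len(results)
    with_hsts = 0
    with_strong_hsts = 0
    for site in results:
        policy = parse_hsts(site.hsts_header)
        if policy.present and policy.max_age > 0:
            with_hsts += 1
            if policy.max_age >= min_max_age:
                with_strong_hsts += 1

    def pct(n: int) -> int:
        return round(100 * n / total) if total else 0

    return {
        "total": total,
        "hsts": with_hsts,
        "hsts_pct": pct(with_hsts),
        "hsts_min_max_age": with_strong_hsts,
        "hsts_min_max_age_pct": pct(with_strong_hsts),
    }


# Constructed sample results (not real scan data); the domains are placeholders.
SAMPLE_RESULTS = [
    SiteResult("news-a.example", "max-age=31536000; includeSubDomains; preload"),
    SiteResult("news-b.example", "max-age=300"),        # present, but far below 18 weeks
    SiteResult("news-c.example", None),                 # no header at all
    SiteResult("news-d.example", "max-age=0"),          # policy removal, not adoption
    SiteResult("news-e.example", "includeSubDomains"),  # missing max-age: ignored by browsers
    SiteResult("news-f.example", "max-age=10886400"),   # exactly 18 weeks
]

if __name__ == "__main__":
    m = hsts_metrics(SAMPLE_RESULTS)
    print(f"{m['hsts_pct']}% - of news sites offer HSTS")
    print(f"{m['hsts_min_max_age_pct']}% - offer HSTS with max-age >= 18 weeks")
```

On the sample data this reports 50% of sites offering HSTS but only 33% meeting the 18-week floor, which is the gap the "min max age" wording in the thread is trying to capture: a short max-age protects a returning visitor for minutes rather than months. The header must be read from the HTTPS response, since browsers ignore HSTS sent over plain HTTP.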