mozilla / http-observatory

Mozilla HTTP Observatory
https://observatory.mozilla.org/
Mozilla Public License 2.0

Why the grade result is not the same as SslLabs? #420

Closed parhamPudding closed 4 years ago

parhamPudding commented 4 years ago

I use both SslLabs and http-observatory for the same domain, but I can see the grades are not the same. For Observatory, the grade is "F", and the same domain has a grade of "C" in SslLabs?

https://api.dev.ssllabs.com/api/v3/analyze?host=yousee.dk&publish=off&startNew=on&fromCache=off&ignoreMismatch=off

https://http-observatory.security.mozilla.org/api/v1/analyze?host=yousee.dk

floatingatoll commented 4 years ago

Those grades aren't comparable to each other at all. They're each grading something different. If you wish to improve your SSLLabs score, you'll need to make changes to the HTTPS SSL/TLS configuration of your web server. If you wish to improve your HTTP Observatory score, you'll need to make changes to the HTTP/HTTPS response headers returned by your web server and/or to the site's HTML content.

The SSLLabs "SSL Server Test" scoring grade of C is evaluating the SSL/TLS security properties of your HTTPS server, but does not itself perform any HTTP/HTTPS request or response evaluation. You can review the warnings at the top of the scoring results for recommendations, such as "disable SSL 3 to mitigate".

The HTTP Observatory scoring grade of F is evaluating the security practices of your website, as delivered over HTTP and/or HTTPS, evaluating the HTTP and HTML responses returned by your web server, but does not itself evaluate the SSL/TLS security properties of any HTTPS responses. You can click the test name link (such as "Content Security Policy") next to each numeric score in the list in order to learn more about it, and the top right of the page includes a "Recommendation" box that suggests the most effective next step you could take to improve your site.

Additionally, to clarify in case you encounter this and wonder if it's comparable to SSLLabs (it isn't):

The TLS Observatory score of ? evaluates the SSL/TLS security properties of your website against Mozilla's Server Side TLS recommendations, but does not perform 'grading' of your site on an A-F scale and instead simply indicates if your configuration complies with any level of recommendation offered.
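To make the split described above concrete (TLS configuration on one side, HTTP response headers on the other), here is an added example that is not part of the thread or of the Observatory code base: it parses a constructed HTTP response head and reports which response security headers are absent. The page only names Content Security Policy; the other header names in the list, and the sample responses, are my own assumptions and do not reproduce Observatory's actual scoring.

```python
# Response headers that HTTP Observatory-style checks look at. The page names
# "Content Security Policy"; the remaining entries are my assumption.
SECURITY_HEADERS = {
    "content-security-policy": "Content Security Policy",
    "strict-transport-security": "HTTP Strict Transport Security",
    "x-content-type-options": "X-Content-Type-Options",
    "x-frame-options": "X-Frame-Options",
    "referrer-policy": "Referrer Policy",
}


def parse_response_head(raw):
    """Split a raw HTTP response head into (status line, lower-cased header dict)."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:            # empty line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:                 # skip malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit_headers(raw):
    """Map each security header's display name to True if the response sets it.
    This looks at the HTTP layer only: a server can set every one of these
    while running a weak TLS configuration, and a perfect TLS setup can
    still send none of them, which is why the two grades are independent."""
    _, headers = parse_response_head(raw)
    return {name: key in headers for key, name in SECURITY_HEADERS.items()}


def missing_headers(raw):
    """List the display names of security headers the response does not set."""
    return [name for name, present in audit_headers(raw).items() if not present]


# Constructed sample: valid HTTPS, but none of the response security headers.
BARE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Server: nginx\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name in missing_headers(BARE_RESPONSE):
        print("missing:", name)
```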