mozilla / tls-observatory

An observatory for TLS configurations, X509 certificates, and more.
Mozilla Public License 2.0

Add grade and score fields in the analyzer #108

Open april opened 8 years ago

april commented 8 years ago

Follow the SSL Labs Rating Guide and generate a score and grade based on their recommendations:

https://www.ssllabs.com/downloads/SSL_Server_Rating_Guide.pdf

Doesn't need to be perfect, but a simple number and grade are things that are wonderful for showing on a webpage. :)

0xdiba commented 8 years ago

Would it make sense to implement this as part of the Mozilla evaluation worker and build on its criteria, or does making it a different, independent worker seem better?

jvehent commented 8 years ago

Definitely a separate worker. The Mozilla evaluation is strict and we need it that way, but people may need a score like ssllabs provides, in addition to the evaluation.

april commented 8 years ago

A separate worker is fine. Although honestly, even in the HTTP Observatory, I just use a single evaluation worker because the evaluation is super fast compared to the time it takes for retrieval.

jvehent commented 8 years ago

It's an abuse of language. We call them workers because the initial plan was to run them separately, but in fact workers are simply Go packages that run in the scanner, not as their own processes.

april commented 8 years ago

I could really use this worker; I'm trying to put together a grading system on the HTTP Observatory site that shows all of the TLS Observatory stuff, but there's no solid grade I could put up (other than Modern/Intermediate/Old/Non-compliant), which doesn't really reflect how good they are, but instead reflects how accurately they conform to our guidelines. For example, my domain (pokeinthe.io) gets an A+ from tls.imirhil.fr and SSL Labs, but gets an N from the Observatory.

And that's very important (and I will show it), but 90% of sites simply end up as non-compliant. My current plan is to use the grade from tls.imirhil.fr, with the information from the Observatory. But it's certainly not ideal to have to pull from two sources to deliver the TLS section.

0xdiba commented 8 years ago

I have started working on it. Will probably have the basic test ready by the end of the week.

april commented 8 years ago

Thank you so much! tips her hat

april commented 8 years ago

BTW, the Mozilla Observatory currently now shows the Mozilla compliance level result from the TLS Observatory:

https://mozilla.github.io/http-observatory-website/analyze.html?host=addons.mozilla.org

Note that the letter grade is currently M, I, O, and ?. I'm hoping to show both scores on the page: this upcoming letter grade in the big box, and then the compliance level and score in the summary.

april commented 8 years ago

Hey, @0xdiba? Just checking up on how this is coming along. The Observatory is starting to show a lot of TLS Observatory information, but I'd like to get the letter grade / score thing going before I push it out to observatory.mozilla.org.

Thanks! :)

0xdiba commented 8 years ago

Hey! Sorry for the delay. I got a little off track. I'm going through some bugs. In how big a hurry are you? :smiley: I don't think it will take long.

april commented 8 years ago

A pretty reasonable hurry, but I know you're not currently contracted or anything, so don't mess up your own life for it or anything! :)