Mozilla’s Observatory service does not scan for code vulnerabilities; instead, it verifies that the many available security mechanisms are present and properly configured.
To help webmasters better protect their websites and their users, Mozilla has developed an online scanner that verifies that the security settings of their web servers are optimal. The tool, dubbed Observatory and developed by Mozilla security engineer April King, was initially intended for internal use, but Mozilla then decided to make it available to everyone. The idea of offering a public analysis service was inspired by the Qualys SSL Labs SSL Server Test, a popular scanner that evaluates a website’s SSL/TLS configuration and highlights its potential weaknesses. Like the Qualys scanner, Observatory uses a 0 to 100 score, coupled with an F to A+ grade to refine the assessment.
Unlike the SSL Server Test, which only examines the use of TLS, Mozilla’s Observatory verifies several security mechanisms in force on the web. For example, the tool looks for the presence of security flags when a cookie is set; Cross-Origin Resource Sharing (CORS), which lets compatible browsers make cross-domain HTTP requests; Content Security Policy (CSP), a mechanism that restricts the origins from which a web page may load content to certain authorized sites; HTTP Public Key Pinning, a feature that tells the web client to associate a cryptographic public key with a given web server, to prevent man-in-the-middle attacks using forged certificates; and HTTP Strict Transport Security (HSTS), by which a website can declare to browsers that they must communicate with it exclusively over HTTPS rather than HTTP. Observatory also checks redirects, Subresource Integrity, the presence of the X-Frame-Options header, which indicates whether a resource may be loaded in a frame or iframe, the X-Content-Type-Options response header, another feature that helps prevent attacks based on MIME type confusion, the X-XSS-Protection header, which helps protect users against XSS attacks, and more. The tool not only checks whether these technologies are used by the site, but also ensures that their implementation is correct. On the other hand, Observatory does not search for flaws in the site’s code, a function already performed by a large number of free and commercial tools.
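The header checks described above can be approximated offline. The following Python snippet is an added example, not Observatory’s own code: it grades a constructed set of response headers (a weak configuration beside a hardened one) for HSTS max-age, CSP script sources, X-Frame-Options, X-Content-Type-Options and cookie flags; the six-month HSTS threshold is an assumption about Observatory’s scoring.

```python
import re
# Assumed minimum HSTS max-age (six months); Observatory's real threshold may differ.
MIN_HSTS_AGE = 15552000
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}

def check_headers(headers):
    """Grade response headers (name -> value; Set-Cookie -> list). Returns {test: (passed, reason)}."""
    h = {k.lower(): v for k, v in headers.items()}
    results = {}
    # HSTS: present, with a long enough max-age
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    age = int(m.group(1)) if m else 0
    results["hsts"] = (age >= MIN_HSTS_AGE, f"max-age={age}" if hsts else "header missing")
    # CSP: present, and scripts not opened up by unsafe-inline/unsafe-eval or a wildcard
    csp = h.get("content-security-policy", "")
    if not csp:
        results["csp"] = (False, "header missing")
    else:
        directives = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.split()}
        src = directives.get("script-src", directives.get("default-src", []))
        weak = sorted(WEAK_SOURCES.intersection(src))
        results["csp"] = (not weak, f"weak script sources: {weak}" if weak else "ok")
    # Clickjacking and MIME-sniffing protections
    xfo = h.get("x-frame-options", "").upper()
    results["x-frame-options"] = (xfo in ("DENY", "SAMEORIGIN"), xfo or "header missing")
    xcto = h.get("x-content-type-options", "").lower()
    results["x-content-type-options"] = (xcto == "nosniff", xcto or "header missing")
    # Cookies: each must carry both the Secure and HttpOnly flags
    bad = [c.split("=", 1)[0] for c in h.get("set-cookie", [])
           if not {"secure", "httponly"} <= {a.strip().lower() for a in c.split(";")}]
    results["cookies"] = (not bad, f"missing Secure/HttpOnly: {bad}" if bad else "ok")
    return results

def passed_all(headers):
    return all(ok for ok, _ in check_headers(headers).values())

# Constructed sample responses: a weak configuration beside a hardened one.
WEAK = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Set-Cookie": ["session=abc123; Path=/"],
}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
```

Running `check_headers(WEAK)` reports each failing test with its reason, while `passed_all(HARDENED)` returns True.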
A centralized testing platform
In some ways, verifying that a website’s configuration is secure – using all the technologies developed in recent years by browser vendors – is more difficult than finding and fixing code vulnerabilities. “The characteristics of these technologies are scattered across dozens of documents, and even if we find articles on the subject, there is no repository gathering all these documents for the use of site operators that would allow them to know the usefulness of each technology, how to implement them, as well as their respective importance,” April King said in a blog post. This difficulty in finding easily usable resources on these website security features has not favored their adoption, as shown by the scan carried out with the Observatory tool: out of 1.3 million websites analyzed, only 121,984 passed the test successfully. Even some Mozilla websites failed. For example, the addons.mozilla.org site, which is nevertheless one of Mozilla’s most important sites, came out with a poor F. Since the scan, the weaknesses have been corrected and the site is now rated A+.
The presentation of Observatory’s test results is very user-friendly. They link to documents containing Mozilla’s security guidelines, along with descriptions and implementation examples, making it easier for website administrators to understand the issues found during the scan and to know which to resolve first. “Obviously, Observatory’s results may not be entirely suitable for your site – the security needs of a site like GitHub are much more complex than those of a personal blog,” April King said. “But by encouraging adoption of these standards, including for low-risk sites, we hope to familiarize developers, system administrators and security professionals around the world with these features.” The code behind Observatory is open source, and an API and command-line tools are available for administrators who need to regularly scan a large number of websites or who want to perform their scans in-house.