Always on SSL from Ben Wilson on 2015-02-10 (public-webappsec@w3.org from February 2015)

From: Ben Wilson <ben.wilson@digicert.com>
Date: Tue, 10 Feb 2015 19:21:03 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
CC: "Craig Spiezle (craigs@otalliance.org)" <craigs@otalliance.org>
Message-ID: <17e819446c96466ab23180a4636a148d@EX2.corp.digicert.com>

All,



Craig Spiezle of the Online Trust Alliance (OTA) is starting to formulate the website security criteria (HSTS, etc.) for OTA's 2015 Honor Roll survey.  The types of sites reviewed (800 high-traffic sites - Financial 100, eCommerce 200, etc.) are listed  at https://otalliance.org/HonorRoll.  OTA's Honor Roll approach is not to "shame" anyone, but to give "honor roll" recognition to the bright stars.



He was wondering if anyone is aware of an automated way to query sites to determine how well they have implemented https, HSTS, etc.  (beyond the type of data provided by SSL Labs/Qualys's server reports).



For instance, last year the people working on the Honor Roll study would try to visit a site using http and see whether they ended up with https.  Obviously there are other more in-depth scans that could be done on web pages, but he is looking for an efficient way to gather some useful report card metrics.  Any suggestions will be appreciated.



Thanks,



Ben

Received on Tuesday, 10 February 2015 19:21:33 UTC