
Always on SSL

From: Ben Wilson <ben.wilson@digicert.com>
Date: Tue, 10 Feb 2015 19:21:03 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
CC: "Craig Spiezle (craigs@otalliance.org)" <craigs@otalliance.org>
Message-ID: <17e819446c96466ab23180a4636a148d@EX2.corp.digicert.com>

Craig Spiezle of the Online Trust Alliance (OTA) is starting to formulate the website security criteria (HSTS, etc.) for OTA's 2015 Honor Roll survey.  The types of sites reviewed (800 high-traffic sites - Financial 100, eCommerce 200, etc.) are listed at https://otalliance.org/HonorRoll.  OTA's Honor Roll approach is not to "shame" anyone, but to give "honor roll" recognition to the bright stars.

He was wondering if anyone is aware of an automated way to query sites to determine how well they have implemented https, HSTS, etc.  (beyond the type of data provided by SSL Labs/Qualys's server reports).

For instance, last year the people working on the Honor Roll study would try to visit a site using http and see whether they ended up with https.  Obviously there are other more in-depth scans that could be done on web pages, but he is looking for an efficient way to gather some useful report card metrics.  Any suggestions will be appreciated.


Received on Tuesday, 10 February 2015 19:21:33 UTC
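
One way to automate the check described in the message above (request the http:// URL, follow the redirects, then inspect the Strict-Transport-Security header on the final response), as an added example that is not part of the original post. The function names, the flag names and the example.test chain are assumptions made for illustration.

```python
import http.client
import re
from urllib.parse import urljoin, urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    seen = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return None                      # a repeated directive invalidates the header
        seen[name] = arg.strip().strip('"')  # max-age may be a quoted-string
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None                          # max-age is required
    return {"max_age": int(seen["max-age"]), "include_subdomains": "includesubdomains" in seen}

def fetch_chain(url, max_hops=10, timeout=10):
    """Follow redirects by hand; record (url, status, HSTS header) for every hop."""
    chain = []
    for _ in range(max_hops):
        u = urlsplit(url)
        cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
        conn = cls(u.netloc, timeout=timeout)
        conn.request("GET", (u.path or "/") + ("?" + u.query if u.query else ""))
        resp = conn.getresponse()
        chain.append((url, resp.status, resp.getheader("Strict-Transport-Security")))
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)
    return chain

def grade(chain):
    """Report-card flags for a chain that started at an http:// URL."""
    schemes = [urlsplit(u).scheme for u, _, _ in chain]
    # HSTS only counts when delivered over https; browsers ignore it on plain http
    policy = parse_hsts(chain[-1][2] or "") if schemes[-1] == "https" else None
    return {
        "ends_on_https": schemes[-1] == "https" and chain[-1][1] < 400,
        "no_downgrade": all((a, b) != ("https", "http") for a, b in zip(schemes, schemes[1:])),
        "hsts_enabled": bool(policy and policy["max_age"] > 0),
        "hsts_include_subdomains": bool(policy and policy["include_subdomains"]),
    }

SAMPLE = [("http://example.test/", 301, None),  # constructed sample chain, not survey data
          ("https://example.test/", 301, "max-age=31536000"),
          ("https://www.example.test/", 200, "max-age=31536000; includeSubDomains")]
```

For a live site, `grade(fetch_chain("http://" + hostname + "/"))` produces the same flags; `grade(SAMPLE)` runs offline.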
