Aug 30 2016

Mozilla Builds Observatory for Web Security

Did you know that HTTPS is only implemented on 40% of all popular websites? And that other security technologies fare even worse? These are the results you get when running Observatory by Mozilla, a new online tool and service launched by the makers of the Firefox browser.

Building secure websites and web services has often been characterized as a science unto itself. So it's not much of a surprise to find that relevant mechanisms are often poorly implemented – or that webmasters and server admins skip over them and hope the gaps won't be detected. Countless hacks we've witnessed over the past 20 years are testament to this situation. However, it remains doubtful whether anyone would have guessed that the situation is quite as bad as described by April King, a Senior Information Security Engineer currently working for the Mozilla Corporation: according to her blog A Real Poke in the Eye, recent findings suggest that nine out of ten popular websites fail to "take advantage of modern security advances." In other words, they expose users, data and infrastructures to substantial risks, and the adoption rate of web services might fall drastically if information about such 'calculated risks' were to become popular.

King arrived at her results when she and her colleagues used Observatory by Mozilla, a new online tool and test suite developed by the Firefox creators, to scan a total of 1.335 million websites. Of these, a mere 122,000 passed the test – the rest failed, sometimes miserably. The tool was mainly written by King after she signed up with Mozilla about a year ago, and was originally intended to prove just how safe the corporation's own sites and services were. But as it turned out, these initial tests painted quite a different picture: ironically, Mozilla – an organization that takes great pride in advancing matters like security and privacy on the web – "didn't do a better job of keeping up with modern website security practices than any other company or group" King had previously worked for. Unfortunately, this even applied to subsites like or, which play a central role in the browser maker's ecosystem and have since undergone some much-needed refreshes.

Conceptually, Observatory borrows a bit from SSL Server Test and SSL Pulse, a test tool and related info service developed by Californian security outfit Qualys Inc. to check on – you guessed it – implementations of TLS and SSL, the web's most popular cryptographic protocols. Like the former, Observatory provides a simple, Google-like interface where users can enter the names of sites or domains they want to scan, preferably those that they own themselves. They may then determine whether the results should be made public or not, whether they want to force a rescan instead of accepting cached results from the past 24 hours, and whether Observatory might use third-party scanners. Next they click the "Scan Me" button – and then wait for two or three minutes at most to obtain the results. The security ratings follow typical U.S. grading habits, with "A+" indicating the best and "E" or "F" denoting the worst results; moreover, they give a detailed overview of achievements and mishaps. Not surprisingly, some of the biggest names around, among them leading hard- and software vendors and social/professional networks, receive average grades at best. However, there's one small caveat: while the test results are generally instructive, they may not convey too much information regarding "public" sites, i.e. customer-facing home pages and portals that deliberately avoid using 'complicated' security mechanisms in exchange for higher visibility. So as always, the best way to find out if Observatory is of any use for you and your customers is to run a test yourself.
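To make concrete what a letter grade like the ones described above actually summarizes, here is a small offline checker that scores a raw HTTP response by its security headers and maps the score to a grade. This is an added example, not Mozilla's Observatory code or its real scoring rules: the headers it inspects (Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy) are standard checks of this kind of scanner, but the point weights, the 180-day HSTS minimum, the grade cut-offs and the three sample responses are all assumptions constructed for illustration.

```python
"""Simplified, offline model of a header-based site scanner.

Added example, not Mozilla's code: weights, thresholds and grade
cut-offs are assumptions; the sample responses are constructed."""
import re
from typing import Callable, Dict, List, Tuple

# Assumed point weights per check (not Observatory's real scoring).
WEIGHTS = {"hsts": 20, "csp": 30, "nosniff": 10, "framing": 10, "referrer": 5}
MAX_SCORE = sum(WEIGHTS.values())
# Assumed minimum HSTS max-age: 180 days in seconds.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Map header names (lower-cased, as HTTP names are case-insensitive)
    to values. The status line is skipped; any body after the first blank
    line is ignored."""
    headers: Dict[str, str] = {}
    for line in raw.split("\n\n", 1)[0].splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(h: Dict[str, str]) -> Tuple[int, str]:
    value = h.get("strict-transport-security")
    if value is None:
        return 0, "no Strict-Transport-Security: first visits can be downgraded to HTTP"
    m = re.search(r"max-age=(\d+)", value)
    if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        return 0, "HSTS max-age below the assumed 180-day minimum"
    return WEIGHTS["hsts"], "HSTS set with a long max-age"


def check_csp(h: Dict[str, str]) -> Tuple[int, str]:
    value = h.get("content-security-policy")
    if value is None:
        return 0, "no Content-Security-Policy: injected script runs unrestricted"
    if "'unsafe-inline'" in value or "'unsafe-eval'" in value:
        return WEIGHTS["csp"] // 2, "CSP present but allows inline or eval script"
    return WEIGHTS["csp"], "CSP present without unsafe-inline/unsafe-eval"


def check_nosniff(h: Dict[str, str]) -> Tuple[int, str]:
    if h.get("x-content-type-options", "").lower() == "nosniff":
        return WEIGHTS["nosniff"], "X-Content-Type-Options: nosniff blocks MIME sniffing"
    return 0, "missing X-Content-Type-Options: nosniff"


def check_framing(h: Dict[str, str]) -> Tuple[int, str]:
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" in csp or xfo in ("DENY", "SAMEORIGIN"):
        return WEIGHTS["framing"], "framing restricted (clickjacking protection)"
    return 0, "no X-Frame-Options or frame-ancestors: any site may frame this page"


def check_referrer(h: Dict[str, str]) -> Tuple[int, str]:
    if "referrer-policy" in h:
        return WEIGHTS["referrer"], "Referrer-Policy set"
    return 0, "no Referrer-Policy: full URLs may leak to third parties"


CHECKS: List[Callable[[Dict[str, str]], Tuple[int, str]]] = [
    check_hsts, check_csp, check_nosniff, check_framing, check_referrer]


def letter_grade(score: int) -> str:
    """Assumed cut-offs as a percentage of MAX_SCORE."""
    pct = 100 * score / MAX_SCORE
    for cutoff, letter in ((100, "A+"), (85, "A"), (70, "B"), (55, "C"), (40, "D"), (25, "E")):
        if pct >= cutoff:
            return letter
    return "F"


def evaluate(raw_response: str) -> Tuple[int, str, List[str]]:
    """Return (score, grade, per-check findings) for one raw response."""
    headers = parse_response_headers(raw_response)
    score, findings = 0, []
    for check in CHECKS:
        points, note = check(headers)
        score += points
        findings.append(f"{points:+d}: {note}")
    return score, letter_grade(score), findings


# Constructed sample responses (not captured from any real site).
HARDENED = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer
"""
PARTIAL = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=3600
Content-Security-Policy: default-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
"""
BARE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Server: constructed-example
"""

if __name__ == "__main__":
    for name, raw in (("hardened", HARDENED), ("partial", PARTIAL), ("bare", BARE)):
        score, grade, findings = evaluate(raw)
        print(f"{name}: {score}/{MAX_SCORE} -> {grade}")
        for finding in findings:
            print("  " + finding)
```

Running it grades the hardened response A+, the partial one E (a short HSTS max-age earns nothing, and a CSP that permits inline script earns only half credit) and the bare response F. Real scanners also test things the headers alone cannot show, such as whether HTTP redirects to HTTPS, so treat this as a reading aid for the grades, not a substitute for a scan.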
