Skip to content
master
Switch branches/tags
Go to file
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

security-scan

Tool for scanning websites and checking their security.

Version 2:

We will:

  • Scan top 1 million websites from Alexa, Majestic, Quantcast and Umbrella
  • Document the web security by looking at:
    • HTTPS usage (including redirects)
    • HSTS usage (including preloaded in browsers)
    • OSCP stapling usage
    • Certificate Transparency (CT)
    • Other security headers/policies
    • TLS versions
    • Session resumption availability
    • Public key encryption and signing algorithms
    • Symmetric key encryption algorithms and hash-functions
    • Key sizes and modes
    • Certificate validity
      • Is the CA trusted by mainstream browsers?
      • Valid length (3, 6, 9, 12, 15 months etc, not 40 years...)
  • Look at trends:
    • Shorter certificate lengths?
    • CA popularity?
    • Increased HTTPS and HSTS usage?
    • Increased TLS 1.3 usage?
    • Increased OSCP/CT usage?
    • Larger keys?
    • ECDH/ECDSA vs RSA vs DH/DSA?
  • Compare with other scans like:

Version 1:

This is what we did:

  • Scanned Alexa top 500 most popular websites in 9 countries of interest
  • Documented the web security by looking at:
    • HTTPS usage
    • HSTS usage
    • Encryption and signing algorithms
    • Key sizes
    • Certificate validity (naive)
  • Published a short-paper and presentation at NISK 2018.

Take a look at the Python-code and raw data.

Log

  • 11.02.19: Updated project description for v2
  • 23.01.19: Uploaded top 1 million websites from Alexa, Majestic, Quantcast and Umbrella
  • 22.01.19: All previous data is archived. Ready to start v2 of the project.
  • 19.09.18: Uploaded presentation at NISK 2018 as PDF, with LaTeX-source and pictures
  • 17.09.18: Improved documentation of code and created new issues for further improvement
  • 08.08.18: Uploaded short paper, data from previous scans and relevant resources
  • 08.08.18: Uploaded all code to scan and obtain raw data

Installation

  • Download and install Go from golang.org
  • Fork and download this repository
  • Use command line and cd to your local version of the repository
  • Type make run to run a new scan

About

Tool for scanning websites and checking their security

Topics

Resources

License

Releases

No releases published

Packages

No packages published