From 575f7a34970f92c99e59b5a73ebcb7288221a8e3 Mon Sep 17 00:00:00 2001 From: Benjamin Peterson Date: Sat, 16 Apr 2016 13:36:49 -0700 Subject: [PATCH] add paragraph about HSTS rating stolen from SecureUtah (#63) --- templates/about.html.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/about.html.jinja b/templates/about.html.jinja index 342bd9f..9416762 100644 --- a/templates/about.html.jinja +++ b/templates/about.html.jinja @@ -7,6 +7,7 @@

Ratings

HTTPSWatch assigns every tracked site a rating approximating the quality of its HTTPS support. If a verified TLS connection cannot be established or no page can be loaded over TLS, the site is given the Bad rating. The Mediocre rating means a TLS connection can be established but there are quality issues with the site’s implementation of HTTPS (e.g. the HTTP site doesn’t redirect to HTTPS or the Strict-Transport-Security header isn’t set). If everything looks good, a Good rating is given. +

Many of the sites that receive a Mediocre rating are only missing the HTTP Strict-Transport-Security header and have otherwise good HTTPS. The HSTS header is a vital component of helping visitors reach a website securely. Without HSTS, it is still possible for an attacker to intercept web traffic and prevent users from connecting over HTTPS. Thus, websites will not be rated Good unless they include HSTS.

Limitations

Some sites which HTTPSWatch rates as Mediocre are actually unusable in a browser. This is mostly due to mixed content, which HTTPSWatch doesn’t always detect.
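Review bot: the inserted paragraph beginning "Many of the sites that receive a Mediocre rating" largely restates the Ratings paragraph just above it, which already says a missing Strict-Transport-Security header yields Mediocre; keep only what is new in the added text (the reason HSTS is required for Good) or fold it into that earlier sentence so the page does not explain the same rule twice. The sentence "Without HSTS, it is still possible for an attacker to intercept web traffic and prevent users from connecting over HTTPS" would be more precise if it noted that this window is the visitor's plain-HTTP request before the header has been seen, which is what HSTS closes on subsequent visits. The commit subject says the wording was taken from SecureUtah; if that text is reused, add the attribution in the template or the commit body. Also, as rendered here the `+` marker sits at the end of the context line "If everything looks good, a Good rating is given." rather than at the start of the inserted line, so the hunk will not apply as shown; check the marker placement before merging.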