This repository has been archived by the owner on Jan 6, 2022. It is now read-only.

Consider tracking HSTS as top-level metric #224

Open
eloquence opened this issue Mar 9, 2020 · 2 comments

Comments

@eloquence
Member

(Thanks to @nondescriptuser for the suggestion.)

We currently track the following top-level metrics:

98% - of news sites offer HTTPS
95% - default to HTTPS

Given the high adoption of HTTPS in the Global North, we should consider tracking HSTS adoption as its own top-level metric, potentially replacing the "default to HTTPS" metric.

@eloquence
Member Author

@redshiftzero This may be something the web team will have bandwidth to work on in the near-term, any thoughts from your end on how useful this would be, and how it should be presented in the results?

@nondescriptuser

The website now tracks the following:

97% - Of news sites offer HTTPS
95% - default to HTTPS
5% - Of news sites offer onion services
135 - total news sites

If it were still possible to insert a metric for HSTS adoption in there, in the middle, that would be much appreciated.

Granted, would having HSTS adoption, in and of itself, be the item to track, or would it be 'HSTS adoption with a min max age'? I would lean towards the former, as the latter could be a mouthful. It could also be challenging to include short of defining what is a 'min max age.' A max age of at least 18 weeks? Yet, specifying in a top-level metric as 'HSTS with a max-age >= 18 weeks' could be wordy.

Also to note: At the time that the suggestion was made, sites that had HTTPS by default would receive a grade of 'B' (70). Those sites that had HTTPS by default, along with HSTS, would have, at a minimum, a 'B+' (75). This was on account of the grading methodology having yielded at least a +5 for offering HSTS. Now, however, the boost is a +4. In this way, those sites that do offer HSTS are sites that get the same grade as those without. (Sites with HSTS do get listed above those sites with just HTTPS by default, but the grades are the same.)

Would it be possible to adjust this somehow such that HSTS would confer a higher grade? Perhaps sites with HTTPS by default could start at a grade of 68 (C+), and then if they get at least a +4 or +5 for HSTS, this would push them up to a B. Alternatively, would it be possible to set sites that receive a 70 to receive a B-, while sites that get a 74 could obtain a B?
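An added example (not securethenews project code) of how the two candidate metrics from this thread could be computed: parse each site's Strict-Transport-Security header per RFC 6797 and count plain HSTS adoption versus HSTS with a max-age of at least 18 weeks. The site list and header values are constructed sample data, and the 18-week threshold is the one floated in the comment above.

```python
from typing import Optional

# 18 weeks in seconds, the minimum max-age suggested in the discussion.
EIGHTEEN_WEEKS = 18 * 7 * 24 * 60 * 60  # 10886400


def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value (RFC 6797).

    Returns {'max_age', 'include_subdomains', 'preload'}, or None when the
    header is absent or has no valid max-age (max-age is mandatory).
    """
    if not header:
        return None
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # value may be a quoted-string
        if name == "max-age":
            if not value.isdigit():
                return None                  # malformed max-age: no usable policy
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max_age"] is not None else None


def hsts_metrics(sites: dict) -> dict:
    """Given {site: header_or_None}, return rounded percentages for both metrics."""
    total = len(sites)
    any_hsts = strong_hsts = 0
    for header in sites.values():
        parsed = parse_hsts(header)
        if parsed is None or parsed["max_age"] == 0:
            continue                         # max-age=0 removes the policy
        any_hsts += 1
        if parsed["max_age"] >= EIGHTEEN_WEEKS:
            strong_hsts += 1
    return {"total": total,
            "hsts_pct": round(100 * any_hsts / total),
            "hsts_18w_pct": round(100 * strong_hsts / total)}


# Constructed sample, not real securethenews scan data.
SAMPLE = {
    "news-a.example": "max-age=31536000; includeSubDomains; preload",
    "news-b.example": "max-age=10886400",
    "news-c.example": "max-age=300",
    "news-d.example": "max-age=0",
    "news-e.example": None,
}
```

Running `hsts_metrics(SAMPLE)` on the sample gives 60% HSTS adoption but only 40% with a max-age of 18 weeks or more, which is the gap the two wordings of the metric would hide or expose.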
