Result Documentation
Describes the state of the HTTPS implementation on the server and any issues therein
Reference:
* "Valid HTTPS" -- HTTPS implementation is complete
* "Downgrades HTTPS" -- Susceptible to the downgrading of secure HTTPS connections to HTTP
* "Bad Chain" -- HTTPS endpoint contains problematic certificate chain
* "Bad Hostname" -- HTTPS endpoint fails hostname validation
Describes the degree to which HTTPS is enforced on the server based on behaviour
Reference:
* "Strict" -- Defaults to HTTPS or immediately redirects HTTP to HTTPS
* "Moderate" -- HTTPS is present, but not in use by default. HTTP eventually redirects to HTTPS
* "Weak" -- HTTPS is present, but not in use by default. HTTP does NOT redirect to HTTPS
* "Not Enforced" -- Downgrades HTTPS and/or HTTPS endpoint fails hostname validation
Describes the presence and completeness of HSTS implementation
Reference:
* "HSTS Fully Implemented" -- HSTS in use and max-age is at least one year in length
* "HSTS Max Age Too Short" -- HSTS in use but max-age is less than one year in length
* "No HSTS" -- HSTS not implemented and/or non-existent max-age value
HSTS "max-age" directive value (in seconds). Denotes how long the domain should only be accessed using HTTPS
Denotes whether the domain has been submitted and included within HSTS preload list
Reference:
* "HSTS Preloaded" -- Domain is included within HSTS preload list
* "HSTS Preload Ready" -- Domain is not included within HSTS preload list but is ready to be submitted to HSTS preload list
* "HSTS Not Preloaded" -- Domain is not included within HSTS preload list and is not ready for submission
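The HSTS and preload results above are derived from the Strict-Transport-Security header plus two facts gathered elsewhere on this page (whether HTTP redirects to HTTPS and whether the certificate chain is valid). The following is an added example, not the project's own code: it parses the header, applies the one-year rule, and reports preload readiness using the header-side requirements of the hstspreload.org submission form (max-age of at least one year, includeSubDomains, preload). The function names and the sample headers are assumptions; membership in the preload list is passed in by the caller because the example does not fetch the Chromium list.

```python
"""Classify an HSTS header and preload status as the result reference describes."""
import re

ONE_YEAR = 31536000  # seconds; the one-year threshold used in the reference above


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, flags).

    max_age is None when the directive is absent or malformed; the reference
    treats both as "No HSTS". flags holds the lower-cased boolean directives.
    """
    if header is None:
        return None, set()
    max_age = None
    flags = set()
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if re.fullmatch(r"\d+", value):
                max_age = int(value)
        elif name in ("includesubdomains", "preload"):
            flags.add(name)
    return max_age, flags


def hsts_status(header):
    """"HSTS Fully Implemented" / "HSTS Max Age Too Short" / "No HSTS"."""
    max_age, _ = parse_hsts(header)
    if max_age is None:
        return "No HSTS"
    if max_age < ONE_YEAR:
        return "HSTS Max Age Too Short"
    return "HSTS Fully Implemented"


def preload_status(header, on_preload_list, http_redirects_to_https=True, cert_valid=True):
    """Preload result as defined above.

    on_preload_list is supplied by the caller (assumption: no list lookup here).
    The redirect and certificate flags stand in for the "Strict" enforcement and
    "Valid HTTPS" results, which hstspreload.org also requires before submission.
    """
    if on_preload_list:
        return "HSTS Preloaded"
    max_age, flags = parse_hsts(header)
    ready = (
        max_age is not None
        and max_age >= ONE_YEAR
        and "includesubdomains" in flags
        and "preload" in flags
        and http_redirects_to_https
        and cert_valid
    )
    return "HSTS Preload Ready" if ready else "HSTS Not Preloaded"


# Constructed sample headers (not captured from any real site)
SAMPLE_HEADERS = {
    "full": "max-age=63072000; includeSubDomains; preload",
    "short": "max-age=86400",
    "no-subdomains": "max-age=31536000",
    "missing": None,
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label:14s} {hsts_status(header):26s} {preload_status(header, False)}")
```

The max-age comparison is strict (exactly one year passes), matching "at least one year" above; a header whose max-age cannot be parsed falls into "No HSTS" rather than being guessed at.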
Denotes whether HTTPS certificate in use is still valid
Denotes whether HTTPS certificate in use has been self-signed
Denotes support for SSL 2.0
Denotes support for SSL 3.0
Denotes support for TLS 1.0
Denotes support for TLS 1.1
Denotes support for TLS 1.2
Denotes support for TLS 1.3
Indicates whether any ciphers currently in use by the server utilize the RC4 stream cipher
Indicates whether any ciphers currently in use by the server utilize the 3DES block cipher
List of ciphers in use by the server deemed to be "strong". These are ECDHE suites utilizing either GCM or CHACHA20
List of ciphers in use by the server deemed to be "acceptable". These suites make use of ECDHE or DHE, but do not utilize GCM or CHACHA20
List of ciphers in use by the server deemed to be "weak" or in other words, are not compliant with security standards. These suites do not make use of ECDHE or DHE and may utilize insecure ciphers such as RC4 or 3DES
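The three cipher tiers above are defined by key exchange (ECDHE, DHE, or neither) and by whether the suite is an AEAD construction (GCM or CHACHA20). As an added example, not the project's own code, the block below applies those rules to OpenSSL-style suite names. Two cases the reference does not spell out are handled explicitly and labelled as assumptions: a suite that uses RC4 or 3DES is always put in "weak" even when it has an ECDHE prefix, and DHE with GCM (forward secret but not ECDHE) is put in "acceptable". TLS 1.3 suite names carry no key-exchange token because TLS 1.3 always uses ephemeral (EC)DHE, so they are treated as strong. The sample suite list is constructed, not a real scan result.

```python
"""Bucket cipher suites into the strong / acceptable / weak tiers described above."""

# TLS 1.3 suites: always ephemeral key exchange and always AEAD
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def uses_rc4(suite):
    return "RC4" in suite.upper()


def uses_3des(suite):
    # OpenSSL names triple DES as DES-CBC3 (e.g. ECDHE-RSA-DES-CBC3-SHA); IANA names use 3DES
    name = suite.upper()
    return "DES-CBC3" in name or "3DES" in name


def classify_suite(suite):
    name = suite.upper()
    if uses_rc4(name) or uses_3des(name):
        return "weak"            # assumption: an insecure cipher overrides the key-exchange test
    if name in TLS13_SUITES:
        return "strong"
    ecdhe = name.startswith("ECDHE-")
    dhe = name.startswith("DHE-")
    aead = "GCM" in name or "CHACHA20" in name
    if ecdhe and aead:
        return "strong"
    if ecdhe or dhe:
        return "acceptable"      # assumption: DHE+AEAD lands here, the reference does not place it
    return "weak"                # static RSA, static DH, anonymous DH, export suites


def summarize(suites):
    """Return the RC4/3DES flags and the three tier lists, preserving server order."""
    tiers = {"strong": [], "acceptable": [], "weak": []}
    for suite in suites:
        tiers[classify_suite(suite)].append(suite)
    return {
        "rc4": any(uses_rc4(s) for s in suites),
        "3des": any(uses_3des(s) for s in suites),
        **tiers,
    }


# Constructed sample suite list (not taken from a real server)
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA256",
    "AES128-SHA",
    "ECDHE-RSA-DES-CBC3-SHA",
    "RC4-SHA",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SUITES).items():
        print(f"{key}: {value}")
```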
Certificate signed using a signature algorithm based on SHA256 or SHA384. Note that AEAD is an authenticated-encryption cipher mode, not a certificate signature hash, and has no bearing on this check
Signature algorithm used to sign Certificate
Denotes vulnerability to the "Heartbleed" OpenSSL memory disclosure bug (CVE-2014-0160)
Denotes vulnerability to OpenSSL CCS Injection (CVE-2014-0224)
Sender Policy Framework (SPF) record for domain
Denotes the validity of the domain's SPF record
DNS lookups involved in analyzing the domain's SPF record. More than 10 DNS lookups result in an invalid SPF record (a "permerror" under RFC 7208, section 4.6.4).
List of domains parsed for SPF record analysis, grouped by evaluated results (Pass/Neutral/Softfail/Fail)
List of domains for which it can be confidently stated that the host identity is used legitimately
Equivalent to "none". No definitive statement can be made concerning the use of the host identity
Identity should be scrutinized thoroughly. It is strongly suspected that the host is not authorized.
Host is not authorized.
List of included SPF records and associated domains. These count toward the DNS lookup limit.
Specifies a domain to redirect toward. This SPF record will be parsed. This counts toward the DNS lookup limit.
Explanation (Optional)
Describes how to handle emails that do not match specified mechanisms
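The SPF fields above (validity, lookup count, per-qualifier domain lists, include, redirect, exp and all) come from walking the record and every record it pulls in. The block below is an added example, not the project's own code, that performs that walk offline: DNS is replaced by a constructed in-memory zone (ZONE), so every domain name and record in it is made up. Lookup counting follows RFC 7208: include, a, mx, ptr, exists and the redirect modifier each cost one lookup, and more than 10 marks the record invalid. The example also catches two failure modes a practitioner will meet, an include loop and an include of a domain with no SPF record; the function and key names are assumptions.

```python
"""Analyze an SPF record, counting DNS lookups and grouping mechanisms by qualifier."""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIERS = {"+": "pass", "?": "neutral", "~": "softfail", "-": "fail"}
MAX_LOOKUPS = 10

# Constructed sample zone: domain -> SPF TXT record (stands in for DNS)
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailer.example ip4:192.0.2.0/24 ~all",
    "_spf.mailer.example": "v=spf1 a:relay.mailer.example include:_spf.more.example -all",
    "_spf.more.example": "v=spf1 ip4:198.51.100.0/24 exists:%{i}.bl.example redirect=other.example",
    "other.example": "v=spf1 -all",
    "loop.example": "v=spf1 include:loop.example -all",
}


def analyze_spf(domain, zone=ZONE):
    result = {
        "record": zone.get(domain),
        "valid": True,
        "dns_lookups": 0,
        "warnings": [],
        "pass": [], "neutral": [], "softfail": [], "fail": [],
        "include": [], "redirect": None, "exp": None, "all": None,
    }
    seen = set()

    def walk(name):
        if name in seen:
            result["warnings"].append(f"include/redirect loop at {name}")
            result["valid"] = False
            return
        seen.add(name)
        record = zone.get(name)
        if record is None:
            result["warnings"].append(f"no SPF record for {name}")
            result["valid"] = False
            return
        terms = record.split()
        if not terms or terms[0].lower() != "v=spf1":
            result["warnings"].append(f"{name}: missing v=spf1 version tag")
            result["valid"] = False
            return
        for term in terms[1:]:
            if "=" in term and ":" not in term.split("=", 1)[0]:
                # modifier of the form name=value
                mod, value = term.split("=", 1)
                mod = mod.lower()
                if mod == "redirect":
                    result["dns_lookups"] += 1
                    result["redirect"] = value
                    walk(value)
                elif mod == "exp":
                    result["exp"] = value
                continue
            qualifier = "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            mech = mech.lower().split("/")[0]   # drop a CIDR suffix such as mx/24
            if mech in LOOKUP_MECHANISMS:
                result["dns_lookups"] += 1
            if mech == "all":
                if name == domain:               # only the top-level "all" decides the default
                    result["all"] = QUALIFIERS[qualifier]
                continue
            target = arg or name                 # a and mx default to the current domain
            result[QUALIFIERS[qualifier]].append(f"{mech}:{target}")
            if mech == "include":
                result["include"].append(arg)
                walk(arg)

    walk(domain)
    if result["dns_lookups"] > MAX_LOOKUPS:
        result["warnings"].append(
            f"{result['dns_lookups']} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
        result["valid"] = False
    return result


if __name__ == "__main__":
    for name in ("example.com", "loop.example"):
        r = analyze_spf(name)
        print(name, "valid" if r["valid"] else "INVALID", r["dns_lookups"], "lookups", r["warnings"])
```

Mechanisms are grouped by their qualifier, which is what the evaluated result would be if that mechanism matched; "all" is kept separately because it names a policy rather than a host. A record with a void lookup (an include of a domain that has no record) is reported invalid, since RFC 7208 treats that as a permerror as well.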
List of hosts responsible for the receipt of email on behalf of the domain
Numerical value indicating the preference of the host. The lowest value represents the most preferred host.
Hostname associated with the MX record
Address(es) associated with the MX record
Denotes the host's support for TLS
Denotes the host's support for STARTTLS (opportunistic TLS negotiated on the plaintext SMTP connection)
Any warnings generated while evaluating the MX (Mail Exchanger) record.
Domain-based Message Authentication, Reporting and Conformance (DMARC) record for domain
Denotes the validity of the domain's DMARC record
Base domain corresponding to the DMARC record
Any warnings generated while evaluating the DMARC record.
List of tags from the domain's DMARC record and corresponding values/info
Indicates that the domain is configured for testing DKIM (signalled by the t=y flag in the DKIM TXT record; RFC 6376 says verifiers must not treat mail from a signer in testing mode differently from unsigned mail)
DomainKeys Identified Email (DKIM) TXT record for domain
Value of the Public Key within the DKIM TXT record
Size of the Public Key in bits
Type of Public Key in use (e.g. RSA)
RSA modulus (n) of the Public Key; the key size above is the bit length of this value
RSA public exponent (e) of the Public Key (commonly 65537)
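The DKIM fields above are read from the TXT record's tags, and the key details (type, size, modulus, exponent) are read from the base64 SubjectPublicKeyInfo carried in the p= tag. The block below is an added example, not the project's own code. It uses no external library: a minimal DER reader handles the RSA SubjectPublicKeyInfo layout, and a matching encoder builds the sample record in-code from an arbitrary 1024-bit odd number so it runs offline. That number is not a real key and the record is constructed; the function names are assumptions.

```python
"""Parse a DKIM TXT record and extract the RSA modulus and exponent from its p= tag."""
import base64
import re

# OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption), tag and length included
RSA_OID = bytes.fromhex("06092a864886f70d010101")


# --- minimal DER helpers (enough for the RSA SubjectPublicKeyInfo layout) -----

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body   # leading zero keeps the INTEGER positive
    return _der(0x02, body)


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_spki_der(n, e):
    """Encode an RSA public key as SubjectPublicKeyInfo DER (the form DKIM p= carries)."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, RSA_OID + b"\x05\x00")          # AlgorithmIdentifier with NULL params
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))  # BIT STRING, 0 unused bits


def parse_rsa_spki(der):
    """Return (modulus, exponent) from SubjectPublicKeyInfo DER; ValueError if not RSA."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg_id, pos = _read_tlv(spki, 0)
    if tag != 0x30 or not alg_id.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_key, _ = _read_tlv(bitstr, 1)
    _, n_bytes, pos = _read_tlv(rsa_key, 0)
    _, e_bytes, _ = _read_tlv(rsa_key, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def parse_dkim_record(txt):
    """Split the tag=value list of a DKIM TXT record and decode the public key."""
    tags = {}
    for part in txt.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip()] = re.sub(r"\s+", "", value)   # long p= values are often folded
    result = {
        "version": tags.get("v"),
        "key_type": tags.get("k", "rsa"),                   # RFC 6376: k defaults to rsa
        "testing": "y" in tags.get("t", "").split(":"),     # t=y is the testing flag
        "public_key": tags.get("p"),
        "revoked": tags.get("p") == "",                     # an empty p= means the key is revoked
    }
    if tags.get("p"):
        n, e = parse_rsa_spki(base64.b64decode(tags["p"]))
        result.update({"modulus": n, "exponent": e, "key_bits": n.bit_length()})
    return result


# Constructed sample: an arbitrary 1024-bit odd number, NOT a real RSA modulus
SAMPLE_N = (1 << 1023) + 12345
SAMPLE_E = 65537
SAMPLE_RECORD = "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(rsa_spki_der(SAMPLE_N, SAMPLE_E)).decode()

if __name__ == "__main__":
    r = parse_dkim_record(SAMPLE_RECORD)
    print(r["key_type"], r["key_bits"], "bits, e =", r["exponent"], "testing =", r["testing"])
```

A real p= value is what `openssl rsa -pubout` emits between the PEM markers, so the same parser applies to records fetched from DNS; anything shorter than 1024 bits or signed with a non-RSA algorithm surfaces here as a small key_bits value or a ValueError rather than being silently accepted.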
This project was built by the Treasury Board of Canada Secretariat in collaboration with the Canadian Centre for Cyber Security.