Internet.nl Score of news.ycombinator.com: No IPv6, DNSSEC, TLS1.3, RPKI ROA
internet.nl
The news.ycombinator.com setup isn't really modern:
- no IPv6 address for the webserver
- no DNSSEC
- no RPKI ROA for webserver BGP routes
- use of TLS 1.0 and no TLS 1.3
- use of insecure* ciphers
- CSP with 'unsafe-inline' in script-src
When I see TLS 1.0 and no TLS 1.3, I assume there is a bit of legacy OpenSSL or at least the configuration of it. Probably wise to update the config since modern browsers don't support TLS 1.0.
* based on NCSC-NL: https://english.ncsc.nl/publications/publications/2021/janua...
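The CSP finding in the list above can be checked mechanically. This is an added example, not part of the original thread: the helper names `parseCsp` and `auditInlineScripts` are hypothetical, it covers only `script-src` with its `default-src` fallback, and any policy passed to it here is a constructed sample rather than the header HN actually serves.

```javascript
// Added example; parseCsp and auditInlineScripts are hypothetical helper names.

// Split a Content-Security-Policy header value into directive -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[^']+'$/i;

// Decide whether inline <script> blocks can run under the policy.
function auditInlineScripts(header) {
  const d = parseCsp(header);
  // script-src governs scripts; default-src is the fallback when it is absent.
  const governing = d.has('script-src') ? 'script-src'
                  : d.has('default-src') ? 'default-src' : null;
  // No governing directive means the policy does not restrict scripts at all.
  if (governing === null) return { governing, verdict: 'unrestricted' };

  const sources = d.get(governing);
  const has = (kw) => sources.some((s) => s.toLowerCase() === kw);
  // Without 'unsafe-inline', inline scripts need a matching nonce or hash to run.
  if (!has("'unsafe-inline'")) return { governing, verdict: 'inline-blocked' };
  // Browsers implementing CSP Level 3 ignore 'unsafe-inline' when a nonce,
  // a hash or 'strict-dynamic' is also listed, so the keyword is then only
  // a fallback for older browsers and not the finding it appears to be.
  if (sources.some((s) => NONCE_OR_HASH.test(s)) || has("'strict-dynamic'")) {
    return { governing, verdict: 'unsafe-inline-ignored' };
  }
  return { governing, verdict: 'inline-allowed' };
}
```

A verdict of `inline-allowed` is the case a scanner flags: any injected inline script would run under that policy.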
Github.com receives a slightly better score [1]. I'm surprised we still consider DNSSEC to be a measurable factor in a site's security ranking. How long until that test is removed? We don't test for HPKP Public Key Pinning any more as adoption halted and many people removed it due to complexity traps that could cause outages. DNSSEC has been experiencing the same problems [2], making businesses hesitant to use it [3]. Ycombinator still gets an "A" for security headers [4]. At times HN gets pointed to AWS's CDN so that is perhaps a way to address the IPv6 short term until IPv6 addresses were added to HN's servers.
I can envision fintech eventually being regulated into adopting DNSSEC. For everyone else it would probably require better tooling and fail-safes.
[1] - https://internet.nl/site/github.com/2231928/
[2] - https://ianix.com/pub/dnssec-outages.html
[3] - https://blog.apnic.net/2021/11/26/adoption-of-dns-security-m...
[4] - https://securityheaders.com/?q=https%3A%2F%2Fnews.ycombinato...
>modern browsers don't support TLS 1.0.
Out of curiosity, did you need to use a non-modern browser to create this thread and post on it?