Moz Observatory is just gamification. It's wasted time to set up a redirect from http to https for an API endpoint to which you never want to connect insecurely. In the worst case you connect via http by mistake and don't notice. We have elephants in the room:

* Enable DNS tampering protection: bug 1629834 (https://dnsviz.net/d/mozilla.org/dnssec/ is properly secured while https://dnsviz.net/d/api.profiler.firefox.com/dnssec/ is not)
* Be accessible via IP (and not only via legacy IP): https://bugzilla.mozilla.org/buglist.cgi?quicksearch=%5Bipv6%5D&list_id=15267901
* Please disable TLS 1.0 and 1.1: bug 1638023. https://www.hardenize.com/report/api.profiler.firefox.com/1590584418#www_tls For TLS 1.2, only allow ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256 and Chacha. ECDHE-RSA-AES128-GCM-SHA256 is supported since bug 934663 comment 14 (Firefox 27+ from 2013).
Bug 1638041 Comment 5 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
(I'm just a contributing Nightly user.) Moz Observatory is just gamification. It's wasted time to set up a redirect from http to https for an API endpoint to which you never want to connect insecurely. In the worst case you connect via http by mistake and don't notice. We have elephants in the room:

* Enable DNS tampering protection: bug 1629834 (https://dnsviz.net/d/mozilla.org/dnssec/ is properly secured while https://dnsviz.net/d/api.profiler.firefox.com/dnssec/ is not)
* Be accessible via IP (and not only via legacy IP): https://bugzilla.mozilla.org/buglist.cgi?quicksearch=%5Bipv6%5D&list_id=15267901
* Please disable TLS 1.0 and 1.1: bug 1638023. https://www.hardenize.com/report/api.profiler.firefox.com/1590584418#www_tls For TLS 1.2, only allow ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256 and Chacha. ECDHE-RSA-AES128-GCM-SHA256 is supported since bug 934663 comment 14 (Firefox 27+ from 2013).
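The TLS policy the comment asks for (no TLS 1.0/1.1; on TLS 1.2 only the two ECDHE-RSA AES-GCM suites plus ChaCha20-Poly1305) can be turned into a small auditing script and a matching server-side configuration. The following is an added example written for this page, not code from the bug, from Mozilla, or from Hardenize. It assumes the OpenSSL name ECDHE-RSA-CHACHA20-POLY1305 for "Chacha", and the (version, suite) input format and the sample observations are constructed for illustration rather than taken from any real scan.

```python
import ssl

# Policy from the comment, in server preference order. TLS 1.3 suites are
# AEAD-only by design and are negotiated separately, so they are accepted as-is.
ALLOWED_TLS12_SUITES = (
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",  # assumed OpenSSL name for "Chacha"
)
FORBIDDEN_VERSIONS = frozenset({"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"})


def audit_offered_suites(observed):
    """Return (version, suite, reason) for every observation violating the policy.

    `observed` is an iterable of (protocol_version, cipher_suite) pairs as a
    scanner might report them. This input shape is a constructed assumption for
    the example, not the output format of any particular tool.
    """
    violations = []
    for version, suite in observed:
        if version in FORBIDDEN_VERSIONS:
            violations.append((version, suite, "protocol version must be disabled"))
        elif version == "TLSv1.2":
            if suite not in ALLOWED_TLS12_SUITES:
                violations.append((version, suite, "suite not in TLS 1.2 allow-list"))
        elif version != "TLSv1.3":
            violations.append((version, suite, "unknown protocol version"))
    return violations


def build_server_context():
    """Server-side SSLContext enforcing the same policy with the standard library."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rejects TLS 1.0/1.1 handshakes
    # set_ciphers() governs TLS 1.2 and below only; TLS 1.3 suites are unaffected.
    ctx.set_ciphers(":".join(ALLOWED_TLS12_SUITES))
    return ctx


def minimum_version_name(ctx):
    return ctx.minimum_version.name


def tls12_suites_enabled(ctx):
    """Names of the TLS 1.2 suites the context would actually offer."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


# Constructed observations for demonstration; not a real scan of any host.
SAMPLE_OBSERVATIONS = [
    ("TLSv1.0", "ECDHE-RSA-AES128-SHA"),
    ("TLSv1.1", "AES256-SHA"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.2", "AES128-GCM-SHA256"),        # RSA key exchange: no forward secrecy
    ("TLSv1.2", "ECDHE-RSA-AES256-SHA384"),  # CBC mode, not AEAD
    ("TLSv1.2", "ECDHE-RSA-CHACHA20-POLY1305"),
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
]

if __name__ == "__main__":
    for version, suite, reason in audit_offered_suites(SAMPLE_OBSERVATIONS):
        print(f"{version:8} {suite:32} {reason}")
    ctx = build_server_context()
    print("minimum version:", minimum_version_name(ctx))
    print("TLS 1.2 suites offered:", tls12_suites_enabled(ctx))
```

Running the script lists the four non-compliant observations (both legacy-version handshakes, the non-ECDHE suite and the CBC suite) and then shows what a stdlib server built with the same allow-list would actually offer for TLS 1.2, which is the quickest way to confirm that a cipher string does what you intended before deploying it.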