removing large textst, to tranlate less

parent 7579d1ee
# FAQ for those on listed on failmap
## Why Failmap?
Many organizations (have to) transfer sensitive information over the internet. Sometimes they ask to share sensitive
information with them via forms, mail and etcetera. Anyone should be able to use internet services without worrying
their information is being altered or changed, whether unintentionally or malicious. Many responsible organizations
boast about their capability (so called "cyber") to protect.
Failmap adds an enormous amount of transparency. This is the driving force for many organizations to change / clean up
their online presence. With the launch of failmap, thousands of issues have been fixed in the Netherlands,
just because they have been made understandable and publicly accessible (naming and shaming).
We display the "base level" of security, which can be illustrative of the the quality and capability of organizations
in protecting your data. The base level are issues that are well documented and there are dozens of online web-services
that can discover these issues for years now. Might we find more severe vulnerabilities, we employ (and endorse)
Responsible Disclosure to address them: they will not ever be published (as that goes against our mission to increase
safety and trust).
The transparent, tendentious, and shaming approach has had a lot of impact in the Netherlands, where the tool has
become a must have for many municipalities. It's not all tendentious though: organizations strive to be "green" on the
map and they are given free reports on what was wrong, with pointers to public sources such as OWASP to help them
improve their services.
## What do the scores mean?
Failmap knows five colors:
- Green / Yellow: nothing that we scan is wrong
- Orange: there are some slicht issues, that need addressing
- Red: there are more severe compromises in the base level of security
- Gray: Unkown
## My organization is shown Red / Orange, now what?
Read the report on the bottom of the page to see what's wrong and how to fix it. When in doubt, read our scanning policy
to learn some specific quirks and features of our scanners.
An organization only needs one "high" issues to become red, as security is as strong as it's weakest link.
## Mu organization is completely green, has it won?
It's certainly an impressive feat, most of the time.
Unfortunately scanning only holds up for creating a baseline. The organization might still offer services that we
cannot (or will not) verify automatically. Such as outdated software, logic flaws and so on.
## How complete is failmap?
Failmap automatically scans the internet for subdomains of domains. This creates an enormous catalog of URL's that are
associated with organizations. However, failmap does only scan the "base level" of security and there might be many
domains of subdomains of organization we miss.
In the Netherlands, just for municipalities, we scan about 8000 endpoints daily or weekly.
We add all subdomains given to our e-mail address:
## The score is wrong / I've improved my stuff! Please rescan.
Rescanning for most issues happens daily, some weekly. See our scanning policy for more information.
If you think we're still reporting the wrong things, please use the "incorrect finding" button in the report to send
an e-mail to our service desk. Our service desk may be slow, but it might even result in software updates, policy
improvements and more.
Our goal is to accurately show the state of "base level" security: we're also not happy when things are displayed inaccurately.
## How to implement TLS correctly?
There are many tutorials online to do so. The Dutch Cert (Nationaal Cyber Security Centrum) has great general advice and
policies how to do so. Other governemental organizations (IBD for Dutch Municipalities for example) also provide fact
sheets and support.
The website Cipher List also shows a lot of config defaults for many services:
## Since when did failmap start to annoy people?
March 2016 the first beta was written in PHP in a single days, for the "in het hoofd van de hacker" conference.
## Can i run my own failmap?
Yes, the source of failmap is open and can be used non-commercially.
......@@ -24,6 +24,7 @@ Not all scans are published and a variety of scans will be implemented in the co
**Endpoint discovery**
Failmap tries to auto-discover endpoints for urls. A normal website today has about four endpoints:
- One on IPv4, port 80 that redirects to port 443. Example:
......@@ -37,6 +38,7 @@ Since it's possible to host a website on any port, failmap also scans for the ex
The existence of an endpoint in itself is not rated. This is implicit: the more endpoints, the more risk.
**HTTP Headers**
The following HTTP headers are scanned:
- HTTP Strict Transport Security
......@@ -56,6 +58,7 @@ Documented here:
Maximum severity: low / green
**Missing encryption**
Offering encryption is a must.
There are two sides to encryption: first it aims to make it impossible
......@@ -72,14 +75,17 @@ devices that don't have access to encryption.
Maximum severity: high / red
Documented here:
Maximum severity: -not published on the map yet-, probably orange or red.
**New subdomains**
Every week urls are scanned for new subdomains using various methods.
**Transport Layer Security (Qualys)**
Qualys offers the excellent tool SSL Labs, which does a very comprehensive scan of the TLS connection and the associated
trust. They have documented their scanning procedure here:
......@@ -93,6 +99,7 @@ Since failmap is completely automated, there are some special cases that could h
These are:
**No HSTS header requirement when there are only encrypted endpoints available.**
Only if there are no unencrypted endpoints available on the url, the HSTS header is not required.
Many products do not use the HSTS header as they don't provide an unsecured endpoint. Those products usually also
......@@ -116,7 +123,7 @@ Thanks to: antoinet.
From the terminology used in RFC 7034,
The use of "X-Frame-Options" allows a web page from host B to declare that its content (for example, a
button, links, text, etc.) must not be displayed in a frame (<frame> or <iframe>) of another page (e.g.,
button, links, text, etc.) must not be displayed in a frame (frame / iframe) of another page (e.g.,
from host A). This is done by a policy declared in the HTTP header and enforced by browser implementations
as documented here.
......@@ -131,6 +138,7 @@ This also means no X-XSS-Protection or X-Content-Type-Options are needed. So jus
**Wildcard domains cause certificate mismatches**
It's impossible to automatically see what domains are / aren't used on wildcard DNS records. We often get requests
to delete results because "the url has been deleted". Those requests are processed slowly and might affect the score
presented for your organization for a while. We hear the major reason to use wildcards is to make it easier adding
# Acknowledgements
## Organizations
Special thanks to the [SIDN Fonds]( for their financial contributions.
Special thanks to the [SIDN Fonds]( for their financial and network support.
[Sentry]( for providing their awesome interface.
[Sentry]( for providing their awesome debugging interface.
This project is being maintained by the [Internet Cleanup Foundation](
## Volunteers
Thanks to the following volunteers:
- Elger Jonker (Stitch)
- Johan Bloemberg (Aequitas)
- Eelko Neven (suresync)
- Twan (craftdax)
- knicklighter
- Mozart Failenschmidt
Last but not least:
- Elger Jonker (Stitch)
## Tech, Open Source
Failmap depends on tons of services and open source projects.
* Polygons, map data: [Openstreetmap](,
[QGIS](, [MapBox](, osmtogeojson (+node)
* TLS Ratings: [Qualys SSL labs](
* DNS exploration: [DNS Recon](,
* Styling: [Twitter Bootstrap]( \+ creativity
* Graphs: [D3js](
* Website frontend: [Vue.js](, [Leaflet](https:/, [JQuery](
* Website backend: [Django](, [Django Jet](,
[Django countries](,
[Django jsonfield](,
[pyyaml (testdata)](,
[dnspython](, [netaddr](,
[httmock](, [freezegun](,
* Coding quality: [autopep8](,
* Database: [MariaDB](, [sqlite](
* Tasks and task management: [Celery](,
* Monitoring: [Flower](, [Graphana](
* Server: [Docker](,
[Virtual Box](
* Development: [Gitlab](
\ No newline at end of file
......@@ -758,7 +758,6 @@
<br style="clear: both">
{% include "map/faq.html" %}
<div id="lastrow">
<div class="row">
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment