
H2scan: scan a list of sites to see which support HTTPS, SPDY/3.1 and HTTP/2 - jgrahamc
https://github.com/jgrahamc/h2scan/blob/master/README.md
======
Hovertruck
If you use Chrome, there's a plugin[1] you can install that displays this info
in the URL bar for each page you visit

[1] https://chrome.google.com/webstore/detail/http2-and-spdy-indicator/mpbpobfflnpcgagjijhmgnchggcjblin?hl=en

~~~
Rondom
Firefox: https://addons.mozilla.org/en-US/firefox/addon/spdy-indicator/

------
hawski
I was reading about the WebCrypto API lately and read a negative view of it [1].
What I understand is that with HTTPS one of the problems is having the private key
online. In case of a break-in someone can just modify the served files, and now
forged files are served. It would be good to have static files signed with a
separate signing key just for static content. Then the private key can be offline
and forgery can be easily detected.

Is there something like that in case of offline web apps?

[1] http://tonyarcieri.com/whats-wrong-with-webcrypto

~~~
nicois
That would just make it easier for a MITM (and maybe others) to spoof all your
static content with legitimate signatures.

~~~
hawski
No, because your signature should be signed by a key registered at a CA. It would
be a second-level certificate for your domain. And you would still serve your files
via HTTPS. So that would give you a second line of defense.
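
The offline-signing idea discussed in this thread, sketched as an added example (not code from the thread or from any project it mentions): a manifest of static-file hashes is signed with an offline Ed25519 key, and the client checks served files against it. The manifest format, function names and sample files are hypothetical, and the example assumes a pinned public key rather than the CA-issued certificate proposed above.

```javascript
// Added example. Keys are generated inline only so the demo is self-contained;
// in the scheme discussed, the private key would never be on the web server.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest('hex');
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Offline step: hash every static file and sign the sorted manifest.
function signManifest(files, privateKey) {
  const entries = Object.keys(files).sort().map((p) => [p, sha256(files[p])]);
  const manifest = JSON.stringify(entries);
  // Ed25519 takes no separate digest algorithm, hence the null argument.
  const signature = crypto.sign(null, Buffer.from(manifest), privateKey);
  return { manifest, signature: signature.toString('base64') };
}

// Client step: check the manifest signature first, then every served file.
function verifyServed(served, signed, pinnedPublicKey) {
  const sigOk = crypto.verify(null, Buffer.from(signed.manifest), pinnedPublicKey,
    Buffer.from(signed.signature, 'base64'));
  if (!sigOk) return { trusted: false, reason: 'bad manifest signature', tampered: [] };
  const expected = new Map(JSON.parse(signed.manifest));
  const tampered = [];
  for (const [path, digest] of expected) {
    if (!has(served, path) || sha256(served[path]) !== digest) tampered.push(path);
  }
  for (const path of Object.keys(served)) {
    if (!expected.has(path)) tampered.push(path); // not covered by the signature
  }
  const trusted = tampered.length === 0;
  return { trusted, reason: trusted ? 'ok' : 'file mismatch', tampered };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  // Constructed sample content standing in for a site's static files.
  const files = { '/app.js': 'console.log("hello")', '/index.html': '<h1>app</h1>' };
  const signed = signManifest(files, privateKey);
  const clean = verifyServed(files, signed, publicKey);
  // A file changed on the server after signing: the old manifest no longer matches.
  const modified = { ...files, '/app.js': 'console.log("changed")' };
  const afterEdit = verifyServed(modified, signed, publicKey);
  // The manifest is regenerated with a different key: the pinned key rejects it.
  const otherKey = crypto.generateKeyPairSync('ed25519').privateKey;
  const resigned = verifyServed(modified, signManifest(modified, otherKey), publicKey);
  return { clean, afterEdit, resigned };
}
```

The check only holds if the verifying code and the pinned public key are not delivered by the same server that serves the files being checked.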

