Security of speed tests

TL;DR

All speed tests we have tested so far are safe to use, however of the well known speed tests Fast, M-Lab, Cloudflare and Xfinity are relative the most secure while the Ookla Speedtest seems to be the least secure.

Security

A lot of internet users trust almost every website they visit. That's fine, because more often than not, when a website could not be trusted, you get an alert form Google Safe Browsing or a similar service.

We have never had an alert that a speed test wasn't safe to visit. However with the Cyber Resilience Act in mind, we tried to test the security of speed tests.

Because we aren't ethical hackers we only want to test the speed tests with vulnerability scans, instead of pentests.

We have performed the following vulnerability scans:

  1. Security Headers of speed tests
  2. Pentest tools analysis of speed tests
  3. Observatory scan of speed tests
  4. UpGuard Security Rating for speed tests
  5. Immuniweb website security test of speed tests

Most of these vulnerability scans use the labels A, B, C, D, E and F. Only the Website Vulnerability Scanner of Pentest tools use a different system (low, medium and high risk).

Regarding security we think it is better to be safe than sorry, hence we consider the lowest security level detected as a realistic security level. To compare the vulnerabilities, and because we want to use a standarized scale from 0 to 100 where 100 is best, we apply the following translations:

  1. Label A becomes: 100
  2. Label B becomes: 90
  3. Label C becomes: 60
  4. Label D becomes: 50
  5. Label E becomes: 20
  6. Label F becomes: 10
  7. Low risk becomes: 100
  8. Medium risk becomes: 60
  9. High risk becomes: 10
  10. The UpGuard score is divided by 9.5
  11. The Observatory score is used instead of the label

Based on the tests above we got the following list, where we mention the lowest standarized score:

  1. Astound speedtest 10
  2. Bandwidth Place 10
  3. Bredbandskollen 10
  4. Broadband Speed Checker 0
  5. Cloudflare 47
  6. Comparitech 10
  7. DSLReports 0
  8. Fast 50
  9. Fireprobe 0
  10. Google Fiber 20
  11. Internet Speed at a Glance 80
  12. LibreSpeed 10
  13. M-Lab 50
  14. Meter.net 44
  15. N Perf 0
  16. Ookla Speedtest 0
  17. Open Speed Test 10
  18. SamKnows 5
  19. SpeedCheck 0
  20. SpeedOf.me 15
  21. SpeedOf.me API Sample Page 15
  22. SpeedSmart 5
  23. Speedtest4.PHP 10
  24. TestMy.net 20
  25. Toast 30
  26. Which Broadband Speed Test 50
  27. Xfinity xFi Speed Test 45

As mentioned earlier, none of these speed tests triggered a Safe Browser warning. However it seems that some speed tests are probably more secure than others.

The most secure speed tests seems to be: Internet Speed at a Glance, Fast, M-Lab, Which Broadband Speed Test, Cloudflare, Xfinity xFi Speed Test and Meter.net.

The following speed tests have a score of 0: Broadband Speed Checker, DSLReports, Fireprobe, N Perf, Ookla Speedtest and SpeedCheck.

Probably all speed tests are safe to use, however of the well known speed tests Fast, M-Lab, Cloudflare and Xfinity are relative the most secure while the Ookla speed test seems to be the least secure.