
Scan domains and return data based on HTTPS best practices

Results 45 pshtt issues

I mentioned some of the setup to this problem in the TTS #https-partner-support Slack channel, but the long and the short of the issue is that in https://github.com/dhs-ncats/pshtt/blob/00ff246f40acbea185d478d838c7fcd6652b9aa8/pshtt/pshtt.py#L80 the...

The way is_redirect is currently written, a domain will get flagged as a redirect if all endpoints are down or otherwise code 400-ing. For example, imagine domain.tld, which only has...

bug

We heard from NASA that in the situation where the HTTP endpoints are off, but the HTTPS endpoints have cert errors, the "canonical URL" is the HTTP version, which is...

Not necessarily for relaxing compliance standards around using server-side 80->443 redirects, but just to detect a broader swathe of agency behavior. For example, segurosocial.gov seems to redirect to socialsecurity.gov, but...

The tool shouldn't affirmatively return a canonical URL if all 4 endpoints are down.
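The three issues above (is_redirect firing when every endpoint is down or erroring, the canonical URL falling back to a dead HTTP endpoint when HTTPS has certificate errors, and a canonical URL being returned when all four endpoints are down) are all decisions over the same four endpoints. The following is an added example, not pshtt's own code, showing one way to make those decisions so that all three cases come out right. The `Endpoint` dataclass, the endpoint keys, the preference order and the scenarios at the bottom are constructed for this example; pshtt's real result structure and the exact rules it applies differ.

```python
# Added example (not pshtt's own code): redirect detection and canonical-URL
# selection over the four endpoints pshtt scans, written so that a domain whose
# endpoints are all down or all erroring is neither flagged as a redirect nor
# given a canonical URL, and so that a live HTTPS endpoint with a certificate
# error is still preferred over an HTTP endpoint that is off.
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse

# Endpoint keys and preference order are assumptions for this example.
PREFERENCE = ("https", "httpswww", "http", "httpwww")


@dataclass
class Endpoint:
    url: str
    live: bool = False                 # the server answered at all
    status: Optional[int] = None       # HTTP status code, if any
    redirect_to: Optional[str] = None  # Location target for a 3xx response
    cert_error: bool = False           # bad chain, bad hostname or expired cert


def is_up(e: Endpoint) -> bool:
    """An endpoint counts as up only if it answered with a non-error status.
    4xx/5xx responses are treated the same as a dead endpoint."""
    return e.live and e.status is not None and e.status < 400


def base_domain(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def redirects_externally(e: Endpoint, domain: str) -> bool:
    """True if the endpoint answered 3xx with a Location on another domain."""
    if not (is_up(e) and 300 <= e.status < 400 and e.redirect_to):
        return False
    target = urlparse(e.redirect_to).hostname or ""
    return base_domain(target) != base_domain(domain)


def is_redirect(domain: str, endpoints: Dict[str, Endpoint]) -> bool:
    """A domain is a redirect only if at least one endpoint is up and every
    up endpoint redirects to a different domain. All down => False."""
    up = [e for e in endpoints.values() if is_up(e)]
    return bool(up) and all(redirects_externally(e, domain) for e in up)


def canonical_url(endpoints: Dict[str, Endpoint]) -> Optional[str]:
    """Prefer https over http and the bare domain over www, but only among
    endpoints that are up. A certificate error does not disqualify an HTTPS
    endpoint that is answering; it is reported separately. None if all down."""
    for key in PREFERENCE:
        e = endpoints.get(key)
        if e is not None and is_up(e):
            return e.url
    return None


def summarize(domain: str, endpoints: Dict[str, Endpoint]) -> dict:
    canon = canonical_url(endpoints)
    canon_ep = next((e for e in endpoints.values() if e.url == canon), None)
    return {
        "domain": domain,
        "is_redirect": is_redirect(domain, endpoints),
        "canonical_url": canon,
        "canonical_cert_error": bool(canon_ep and canon_ep.cert_error),
    }


def make_endpoints(domain: str, **overrides: Endpoint) -> Dict[str, Endpoint]:
    """Four dead endpoints for `domain`, with any of them overridden."""
    eps = {
        "http": Endpoint(f"http://{domain}"),
        "httpwww": Endpoint(f"http://www.{domain}"),
        "https": Endpoint(f"https://{domain}"),
        "httpswww": Endpoint(f"https://www.{domain}"),
    }
    eps.update(overrides)
    return eps


# Constructed scenarios (not real scan results).
ALL_DOWN = make_endpoints("down.example")
ERRORING = make_endpoints(
    "err.example",
    http=Endpoint("http://err.example", live=True, status=503))
HTTP_OFF_HTTPS_BAD_CERT = make_endpoints(
    "cert.example",
    https=Endpoint("https://cert.example", live=True, status=200, cert_error=True))
EXTERNAL_REDIRECT = make_endpoints(
    "old.example",
    http=Endpoint("http://old.example", live=True, status=301,
                  redirect_to="https://new.example/"),
    https=Endpoint("https://old.example", live=True, status=301,
                   redirect_to="https://new.example/"))

if __name__ == "__main__":
    for d, eps in [("down.example", ALL_DOWN), ("err.example", ERRORING),
                   ("cert.example", HTTP_OFF_HTTPS_BAD_CERT),
                   ("old.example", EXTERNAL_REDIRECT)]:
        print(summarize(d, eps))
```

The key design choice is that `is_up` is the single gate for both decisions: an endpoint that is dead or returning 4xx/5xx can neither vote for "redirect" nor be chosen as canonical, so an all-down domain yields `is_redirect=False` and `canonical_url=None`, while an HTTPS endpoint that answers with a bad certificate still wins over an HTTP endpoint that is off and carries its error in `canonical_cert_error`.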

At least in a naïve fashion, flagging likely incomplete chains from untrusted roots should be feasible by counting the number of certificates returned in "Certificate Chain Received" from `sslyze`. `requests`...

We need unit tests to measure behavior, to prevent regressions and to catch issues early. Testing against live endpoints is not recommended, and testing against a localhost HTTP server is...

The first question to be asked when HTTPS {Bad Chain, Bad Hostname, Expired Cert} is TRUE will be "What's the value that the scanner saw?" `pshtt` CSV/JSON outputs should include...

Some issues we've seen in Pulse that might merit logical changes or tweaks: - [ ] https://github.com/18F/pulse/issues/288 (Sep 4, 2015, may not be an issue) - [ ] https://github.com/18F/pulse/issues/211 (Jun...

Ideally, there would already be a good tested Python library for doing this. For reference, here's the parser I wrote in Ruby (with careful attention to the HSTS RFC): https://github.com/benbalter/site-inspector/blob/erics-mode/lib/site-inspector.rb#L28-L84...
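As an added example (not pshtt's code and not the Ruby parser linked above), here is a Strict-Transport-Security parser in Python that follows the RFC 6797 grammar: directives are separated by `;`, names are case-insensitive, values may be quoted, `max-age` is required, a directive that appears twice invalidates the header, and unknown directives are ignored. The `preload_ready` field and its one-year `max-age` threshold are an assumption based on the current hstspreload.org submission requirements, not part of RFC 6797.

```python
# Added example (not pshtt's own code): RFC 6797 Strict-Transport-Security parser.
import re
from typing import Optional

# RFC 7230 "token" characters, used for directive names and unquoted values.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Assumption: hstspreload.org currently requires max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header: Optional[str]) -> Optional[dict]:
    """Parse an HSTS header value.

    Returns a dict with max_age, include_subdomains, preload and preload_ready,
    or None when the header is absent or invalid under RFC 6797 section 6.1
    (missing max-age, non-numeric max-age, duplicated directive, malformed
    directive name or value). Unknown directives are ignored as the RFC requires.
    """
    if header is None:
        return None
    seen = {}
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue  # empty slots such as "a; ;b" are tolerated
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip()
        if not _TOKEN.match(name):
            return None
        if name in seen:
            return None  # a directive MUST NOT appear more than once
        if sep:
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # quoted-string value
            elif not _TOKEN.match(value):
                return None
        seen[name] = value if sep else None

    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None
    # includeSubDomains and preload are valueless directives; a value on them
    # is non-conformant syntax, so the whole header is rejected.
    for valueless in ("includesubdomains", "preload"):
        if valueless in seen and seen[valueless] is not None:
            return None

    result = {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in seen,
        "preload": "preload" in seen,
    }
    result["preload_ready"] = (
        result["max_age"] >= PRELOAD_MIN_MAX_AGE
        and result["include_subdomains"]
        and result["preload"]
    )
    return result


# Constructed sample header values, not scanned from any real site.
SAMPLES = [
    "max-age=31536000; includeSubDomains; preload",
    'MAX-AGE="600"',
    "max-age=600; max-age=700",
    "includeSubDomains",
    "max-age=abc",
    "max-age=0; unknownDirective=1; Preload",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", parse_hsts(s))
```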

bug