
Inconsistency on HSTS detection between the docker, the repo and the website #59

Open
RomainPlt opened this issue Jan 12, 2023 · 4 comments

Comments

@RomainPlt

Hello,

I found inconsistencies while using cryptcheck, depending on whether you're using it from this repo, from the docker or on the website.

When I try, for example, the French secret service's website at dgse.gouv.fr, I get:

  • "A+" on the website
  • "E" on the docker
  • "E" and no HSTS by using this repo

The docker is almost always giving very bad reviews, while the site seems pretty accurate.
Furthermore, I think that by using the repo's app we can't detect HSTS and thus end up with poor grades for every site.

Is there something going on with the parameters, or something else I didn't see?

Any help is appreciated! Thank you!

@aeris
Owner

aeris commented Jan 12, 2023

Hello here!

I guess your A+ rating is from the v1 at https://tls.imirhil.fr. This repo is now v2 only and is hosted at https://cryptcheck.fr. v1 is still up only for Mozilla Observatory compatibility.

I get the same E score on docker and v2, and HSTS is correctly not detected because the STS header is not seen on a GET or HEAD request to http://dgse.gouv.fr (we get a 302 redirect without any headers at all).

@RomainPlt
Author

Hello again !

Thanks for pointing out cryptcheck.fr. I still find problems with the HSTS detection: it's always there when using this repo's code, while on cryptcheck.fr it's not.

An example with the nsa.gov website, which gets "A+" on cryptcheck.fr and "E" on the repo for no HSTS detected.
(Apparently the DGSE has something to work out here, sorry for the bad example.)

Thank you very much !

@aeris
Owner

aeris commented Jan 16, 2023

I don't understand; currently https://cryptcheck.fr/https/nsa.gov displays HSTS, and docker does too:

    docker run --rm -it aeris22/cryptcheck https nsa.gov -jq
    …
    :grade => :"A+"

(And I discover it is incorrectly reported in both cases: I must check HSTS on http:// and not on https:// 😅. And currently nsa.gov suffers from the same trouble as dgse.gouv.fr, the HSTS header is not present on HEAD http://)

@RomainPlt
Author

Okay, my bad, the docker does seem to give the same answers as cryptcheck.fr.

I was concerned about bin/cryptcheck from the repo. When I do "./cryptcheck https nsa.gov" I get "E" for no HSTS.
Is this supposed to be that way? Am I doing things wrong?

> (And I discover it is incorrectly reported in both cases: I must check HSTS on http:// and not on https:// 😅. And currently nsa.gov suffers from the same trouble as dgse.gouv.fr, the HSTS header is not present on HEAD http://)

--> Does that mean it is normal for the NSA to get an "E"?
Another example is the cnil.fr website, which gets "A+" on cryptcheck.fr and on the docker, while it gets "E" on bin/cryptcheck.

Thanks ! :)
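The thread turns on where an HSTS checker should look for the Strict-Transport-Security header: on the plain http:// origin, on the https:// origin, or at the end of the redirect chain. As an added example (not cryptcheck's own code and not posted by either participant), here is a minimal Ruby checker of that kind, run offline against constructed in-memory responses. It follows redirects starting from http://, and per RFC 6797 §8.1 (a user agent must ignore the header when received over plain HTTP) it only accepts a policy from a response served over https://, which is why a bare 302 on the HTTP origin with no headers is not by itself a missing-HSTS verdict. The hostnames (`example.test`, `plain.test`, `loop.test`), the `fetch` stand-in for Net::HTTP and the one-year rating threshold are assumptions for illustration, not cryptcheck's values or grading scale.

```ruby
require 'uri'

# Constructed fixture standing in for real HTTP responses so the example runs offline.
# The hostnames and responses are invented for illustration, not real measurements.
Response = Struct.new(:status, :headers)

FIXTURE = {
  # Plain-HTTP origin redirects to HTTPS, which carries the policy: the good case.
  'http://example.test/'  => Response.new(302, { 'location' => 'https://example.test/' }),
  'https://example.test/' => Response.new(200, { 'strict-transport-security' =>
                                                  'max-age=63072000; includeSubDomains; preload' }),
  # Header sent over plain HTTP only: RFC 6797 section 8.1 says a UA must ignore it.
  'http://plain.test/'    => Response.new(200, { 'strict-transport-security' => 'max-age=31536000' }),
  # Redirect loop, to show the hop limit.
  'http://loop.test/'     => Response.new(302, { 'location' => 'http://loop.test/' }),
}.freeze

# Stand-in for Net::HTTP (assumed helper); a real checker would issue the GET/HEAD here.
def fetch(url)
  FIXTURE.fetch(url) { Response.new(404, {}) }
end

# Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
# Returns nil when the header is not a valid policy (max-age is mandatory).
def parse_hsts(value)
  directives = {}
  value.split(';').each do |part|
    name, raw = part.strip.split('=', 2)
    next if name.nil? || name.empty?
    directives[name.downcase] = raw&.strip&.delete('"')
  end
  max_age = directives['max-age']
  return nil unless max_age && max_age.match?(/\A\d+\z/)
  {
    max_age: max_age.to_i,
    include_subdomains: directives.key?('includesubdomains'),
    preload: directives.key?('preload'),
  }
end

# Follow redirects from start_url (normally the http:// origin) and report the
# HSTS policy seen on the final response, but only if that response was served
# over https://; a policy seen over plain HTTP is deliberately discarded.
def check_hsts(start_url, max_hops: 5)
  url = start_url
  chain = []
  max_hops.times do
    resp = fetch(url)
    chain << [url, resp.status]
    location = resp.headers['location']
    if (300..399).cover?(resp.status) && location
      url = URI.join(url, location).to_s
      next
    end
    sts = resp.headers['strict-transport-security']
    policy = (URI(url).scheme == 'https' && sts) ? parse_hsts(sts) : nil
    return { url: url, hsts: policy, chain: chain }
  end
  { url: url, hsts: nil, chain: chain, error: 'too many redirects' }
end

# Illustrative rating (assumed thresholds, not cryptcheck's scale): one year is
# the common minimum and the value the browser preload list requires.
ONE_YEAR = 31_536_000

def rate_hsts(policy)
  return :missing if policy.nil?
  return :disabled if policy[:max_age].zero? # max-age=0 tells clients to forget the host
  policy[:max_age] >= ONE_YEAR ? :ok : :short
end

if __FILE__ == $PROGRAM_NAME
  %w[http://example.test/ http://plain.test/ http://loop.test/].each do |u|
    r = check_hsts(u)
    puts "#{u} -> #{r[:url]} hsts=#{r[:hsts].inspect} rating=#{rate_hsts(r[:hsts])} #{r[:error]}"
  end
end
```

With Net::HTTP in place of `fetch`, `resp['strict-transport-security']` already does the case-insensitive header lookup the fixture hard-codes in lowercase. Two points worth keeping when adapting this: a HEAD request is not guaranteed to carry the same headers as a GET, so a checker that sees no header on HEAD should retry with GET before concluding, and a redirect chain that never reaches https:// (or exceeds the hop limit) is reported separately from "header absent", since those are different findings for the site operator.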
