search

PrivateBin / Directory

Rust based directory application to collect list of federated instances
https://privatebin.info/directory/
Other
25 stars 8 forks source link

"HTTPS enforced" is flawed #21

Closed tacerus closed 3 years ago

tacerus commented 3 years ago

Hi,

this field, as specified in your "About" section, only checks if a 30x redirect exists from HTTP to HTTPS on the particular domain. This rules out a lot of other ways to enforce HTTPS. In my case, I do not even expose any HTTP sites, in fact, I have port 80 totally shut on my instance, as I have no use for it. This, technically speaking, also enforces the use of HTTPS - to the average user seeing the directory however, it is being suggested my instance was open to insecure HTTP requests, by having a "X" in the "HTTPS enforced" section.

I suggest adding an additional section "HTTP" and renaming "HTTPS enforced" to "HTTP redirect".

Cheers, Georg

elrido commented 3 years ago

I think an additional column would be too difficult to understand for casual visitors. You are right, the important bit of information is purely to show them if the instance takes some measures to protect the transport channel.

I think it makes sense to extend the logic to set the "HTTPS enforced" to true if either a) HTTP redirects to the same address on HTTPS (current logic) or b) HTTPS is the only offered protocol (as I undestand your suggestion).

tacerus commented 3 years ago

Hi, yes, you understood right. I am not sure if there is a way for you to automate it (maybe additionally probing if HTTP serves anything at all instead of only probing if it serves 30x would be easy to implement?), if not you'd probably need to manually verify it upon a request. If you want, you can have a look at the two examples I added (pasta.lysergic.dev and p.lsd25.dev), HTTP won't serve anything, and if you run a portscan, you see that port 80 is not open.

Small bonus: .dev domains have hardcoded HSTS enforced in all browsers, so even if I were to open HTTP/80, no content would arrive upon trying to access it. :-)

elrido commented 3 years ago

I've implemented the change in MR #22. @tacerus, I used one of the two instances you indicated for a unit test, to be sure we get the newly expected behaviour (both HTTPS checks passing) out of it. I'll hold off merging and publishing the change - Please do let me know, if you are comfortable with me committing that URL to the projects history. If not, I can remove it from history entirely or remove the test case going forward, so the instance isn't polled when running future unit tests.

tacerus commented 3 years ago

Thanks for the quick response to my suggestion! You are happy to use the URLs for all purposes contributing to the project.

elrido commented 3 years ago

Thank you, merged and tagged, the docker image should get built and published by docker hub automation in the next hour or so.