aeris / cryptcheck

Verify some SSL/TLS website or XMPP implementation
GNU Affero General Public License v3.0

Inconsistency on HSTS detection between the docker, the repo and the website #59

Open RomainPlt opened 1 year ago

RomainPlt commented 1 year ago

Hello,

I found inconsistencies while using cryptcheck, depending on whether you're using it from this repo, from the docker, or on the website.

When I try, for example, the French secret services website at dgse.gouv.fr I get:

The docker is almost always giving very bad reviews while the site seems pretty accurate. Furthermore, I think that by using the repo's app we can't detect HSTS and thus end up with poor grades for every site.

Is there something going on with the parameters or something else I didn't see?

Any help is appreciated! Thank you!

aeris commented 1 year ago

Hello here!

I guess your A+ rating is on the v1 https://tls.imirhil.fr. This repo is now only v2 and hosted on https://cryptcheck.fr. v1 is still up only for Mozilla Observatory compatibility.

I got the same E scoring on docker and v2, and HSTS is correctly not detected because the STS header is not seen on a GET or HEAD request on http://dgse.gouv.fr (we got a 302 redirect without any headers at all).
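To make the distinction in this comment concrete, here is a small added illustration (not cryptcheck's own code) that parses a Strict-Transport-Security header and walks a redirect chain, only counting the header on hops served over https as RFC 6797 requires. The chains and hostnames below are constructed placeholders, not real captures.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).
    Returns None when max-age is missing or not a number; unknown directives are ignored."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def hsts_status(chain):
    """chain: list of (url, status, headers) hops, in the order they were followed.
    Returns (policy of the final hop or None, https hops that carried no valid policy).
    A header received over plain http is ignored, as a browser would ignore it."""
    results = []
    for url, status, headers in chain:
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        secure = urlsplit(url).scheme == "https"
        policy = parse_hsts(value) if (secure and value is not None) else None
        results.append((url, status, policy))
    final_policy = results[-1][2] if results else None
    gaps = [url for url, _, policy in results
            if urlsplit(url).scheme == "https" and policy is None]
    return final_policy, gaps

# Constructed sample chains (placeholder hosts), mirroring the observation above:
# a 302 from http:// with no headers, then the https:// origin with or without STS.
HSTS_ON_FINAL_CHAIN = [
    ("http://example.test/", 302, {"Location": "https://www.example.test/"}),
    ("https://www.example.test/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
NO_HSTS_CHAIN = [
    ("http://example.test/", 302, {"Location": "https://example.test/"}),
    ("https://example.test/", 200, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for chain in (HSTS_ON_FINAL_CHAIN, NO_HSTS_CHAIN):
        print(hsts_status(chain))
```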

RomainPlt commented 1 year ago

Hello again!

Thanks for pointing out cryptcheck.fr. I still find problems in the HSTS detection, it's always there when using this repo code, while on cryptcheck.fr it's not.

An example with the nsa.gov website, getting "A+" on cryptcheck.fr and "E" on the repo for no HSTS detection. (Apparently the dgse has something to work out here, sorry for the bad example).

Thank you very much!

aeris commented 1 year ago

I don't understand; currently https://cryptcheck.fr/https/nsa.gov displays HSTS, and docker too:

docker run --rm -it aeris22/cryptcheck https nsa.gov -jq
…
:grade => :"A+"

(And I discovered it is incorrectly reported in both cases: I must check HSTS on http:// and not on https:// :sweat_smile: . And currently nsa.gov suffers from the same trouble as dgse.gouv.fr, HSTS header not present on HEAD http://)

RomainPlt commented 1 year ago

Okay my bad, the docker seems to give the same answers as cryptcheck.fr indeed.

I was concerned about the bin/cryptcheck from the repo. When I do "./cryptcheck https nsa.gov" I get "E" for no HSTS. Is this supposed to be that way? Am I doing things wrong?

(And I discover it is incorrectly reported in both case, I must HSTS check on http:// and not on https:// sweat_smile . And currently nsa.gov suffer from the same trouble than dgse.gouv.fr, HSTS header not present on HEAD http://) --> Does that mean it is normal for the NSA to get an "E"? Another example is the cnil.fr website, getting "A+" on cryptcheck.fr and on the docker, while it's getting "E" on /bin/cryptcheck.

Thanks! :)