andersju / webbkoll

An online tool that checks how a website is doing with regards to privacy
MIT License

Testing an HTTPS-only website #23

Closed skovmand closed 4 years ago

skovmand commented 4 years ago

Hi and thank you for your work on this project! I am trying out the tool to check several of our websites at work, and it gives several insights that Mozilla Observatory doesn't.

I have an HTTPS-only website (not listening on port 80 at all) which I would like to test. However, webbkoll doesn't let me connect to it at all because it attempts to connect over plain http first, and that request will obviously fail.

Is there some way to make that work?

andersju commented 4 years ago

We do have a simple workaround for HTTPS-only sites: Webbkoll first does a HEAD request to http://yourdomain. If it fails due to connection refused or connection timeout, it'll use https://yourdomain instead. I just tried this on an HTTPS-only site, and it worked. But maybe something else is happening. Do you have a URL I could try that you can share here (or by email: anders@unix.se)?

skovmand commented 4 years ago

Thanks for such a swift reply. I have just retried and it doesn't work for me. The URL of the website is https://angel.wisehome.dk

andersju commented 4 years ago

The problem here is that angel.wisehome.dk is listening on port 80:

~ telnet angel.wisehome.dk 80
Trying 88.99.29.170...
Connected to angel.wisehome.dk.
Escape character is '^]'

So it passes the crude "is port 80 accessible" test. If you take care of that (either fiddle with the config of whatever is listening on port 80, or add a firewall rule), it should work.

skovmand commented 4 years ago

Ah. Unfortunately I can't firewall port 80 since it is needed for TLS renewal. Is there some other workaround?

skovmand commented 4 years ago

When testing the URL on Mozilla Observatory, the result page states for HTTP->HTTPS redirection:

"Not able to connect via HTTP, so no redirection necessary"

... which is correct.

andersju commented 4 years ago

That's reasonable. I changed it so that Webbkoll interprets "connection closed" (no data sent at all from the server) as "not available over http://". Pushed the fix to https://webbkoll.dataskydd.net/ -- thanks for reporting! :)
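
The probe-and-fallback logic described in this thread, as an added Python example (it is not Webbkoll's own code; the outcome labels, function names and the throwaway local servers used to stand in for a real port 80 are constructed for the demonstration). It sends a plain-HTTP HEAD request and classifies the result as "served HTTP", "connection refused", "connection timed out" or "connection accepted but closed without a byte"; the last case is the one that angel.wisehome.dk produced and that the fix above folds into the https:// fallback.

```python
"""Plain-HTTP reachability probe with an https:// fallback.

Added example, not Webbkoll's code. The local servers started by
_serve_once() are constructed stand-ins for a site's port 80.
"""
import http.client
import socket
import threading

# Probe outcomes (labels constructed for this example).
AVAILABLE = "http_available"       # the listener spoke HTTP (any status code)
REFUSED = "connection_refused"     # nothing listening on port 80 / firewalled
TIMEOUT = "connection_timeout"     # SYN dropped, no answer within the timeout
CLOSED = "connection_closed"       # TCP accepted, then closed without sending data
UNRESOLVED = "dns_failure"         # hostname did not resolve

# Outcomes that mean "not available over http://, try https:// instead".
# Before the fix discussed in the thread only REFUSED and TIMEOUT were here.
FALLBACK_TO_HTTPS = frozenset({REFUSED, TIMEOUT, CLOSED})


def probe_http(host, port=80, timeout=5.0):
    """HEAD / over plain HTTP; return (outcome, status_or_None)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return AVAILABLE, resp.status
    except ConnectionRefusedError:
        return REFUSED, None
    except socket.timeout:
        return TIMEOUT, None
    except http.client.RemoteDisconnected:
        # Clean EOF before any status line: accepted, then hung up.
        return CLOSED, None
    except (ConnectionResetError, BrokenPipeError):
        # RST instead of FIN; same meaning for our purposes.
        return CLOSED, None
    except socket.gaierror:
        return UNRESOLVED, None
    finally:
        conn.close()


def choose_start_url(host, outcome, fallback=FALLBACK_TO_HTTPS):
    """Map a probe outcome to the URL the scan should start from.

    Returns None when the probe failed in a way the fallback does not cover
    (for example a DNS failure), i.e. the scan cannot proceed.
    """
    if outcome == AVAILABLE:
        return f"http://{host}/"
    if outcome in fallback:
        return f"https://{host}/"
    return None


def _serve_once(response_bytes):
    """Start a throwaway local server (constructed for the demo).

    Accepts one connection, reads the request, sends response_bytes
    (b"" models a listener that never speaks HTTP) and closes.
    Returns the port it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        client, _ = srv.accept()
        with client:
            client.settimeout(2.0)
            try:
                client.recv(4096)
            except OSError:
                pass
            if response_bytes:
                client.sendall(response_bytes)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def demo():
    """Run the probe against three constructed port-80 behaviours."""
    host = "127.0.0.1"
    # 1. Nothing listening (HTTPS-only host with port 80 firewalled).
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    free_port = spare.getsockname()[1]
    spare.close()
    refused = probe_http(host, free_port)[0]
    # 2. Port 80 open (e.g. kept for TLS renewal) but the listener closes
    #    the connection without sending a single byte.
    closed = probe_http(host, _serve_once(b""))[0]
    # 3. Port 80 speaks HTTP and redirects to https.
    redirect = probe_http(host, _serve_once(
        b"HTTP/1.1 301 Moved Permanently\r\nLocation: https://127.0.0.1/\r\n"
        b"Content-Length: 0\r\nConnection: close\r\n\r\n"))
    return {"refused": refused, "closed": closed, "redirect": redirect}


if __name__ == "__main__":
    print(demo())
```

Passing `fallback={REFUSED, TIMEOUT}` to `choose_start_url` reproduces the pre-fix behaviour, where the "accepted then closed" case maps to no usable start URL; the default set is the behaviour after the fix.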

skovmand commented 4 years ago

Very nice, I have just confirmed that the URL can be tested now. Thank you for the fast response! I think webbkoll is very nice and informative, and it is very nice that the GDPR is referenced in the side boxes.