cds-snc / pulse

Archived: [Project has been split out into two components, @ https://github.com/cds-snc/tracker and https://github.com/cds-snc/track-web ] Check whether a Government of Canada domain is adhering to best security practices.

Invalid scan results (no http/hsts, but values on rc4/3des column) #66

Closed obrien-j closed 6 years ago

obrien-j commented 6 years ago

[image]

Might be a flaw in domain-scan and/or parsing algs. Noting for followup

buckley-w-david commented 6 years ago

The "No" for HTTPS doesn't mean it does not have it, just means it does not enforce it. I noticed and asked a similar question of Eric a few weeks back before I realized it.

obrien-j commented 6 years ago

Hrmm... and so it is. Makes sense I guess. I'll mark this as closed since it's operating as designed. We may want to revisit this with an additional measurement criterion.

konklone commented 6 years ago

Pulse used to have two columns, for Uses HTTPS and Enforces HTTPS. Eventually, it became clear to me that measuring only whether a service is using-but-not-enforcing HTTPS isn't very useful as an intermediate state. HTTPS can't be guaranteed to be there in a meaningful way unless it's enforced. Showing it can give implementers a false sense of meaningful progress in rolling HTTPS support out to a web service.
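As an added example (not code from pulse or domain-scan, and using a constructed scan-result schema rather than the scanners' real output format), the following Python shows how a "Uses HTTPS" measure and an "Enforces HTTPS" measure diverge, and why the RC4/3DES columns can carry values on a row whose enforcement column reads "No": the cipher checks only need a reachable TLS endpoint, while enforcement needs plain HTTP to redirect there.

```python
"""Added example, not part of cds-snc/pulse or domain-scan.

The Endpoint/DomainScan schema and the sample domains are constructed for
illustration; the real scanners emit their own formats.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Endpoint:
    """Observed behaviour of one endpoint (hypothetical schema)."""
    live: bool                                   # endpoint answered at all
    final_url: Optional[str] = None              # URL reached after redirects
    hsts_max_age: Optional[int] = None           # Strict-Transport-Security max-age
    weak_ciphers: List[str] = field(default_factory=list)  # e.g. ["RC4", "3DES"]


@dataclass
class DomainScan:
    domain: str
    http: Endpoint    # what http://<domain>/ did
    https: Endpoint   # what https://<domain>/ did


def uses_https(scan: DomainScan) -> bool:
    """An HTTPS endpoint exists and answers; says nothing about whether
    a user typing the bare hostname ever reaches it."""
    return scan.https.live


def enforces_https(scan: DomainScan) -> bool:
    """Plain HTTP is either down or lands on an https:// URL, so HTTPS is
    actually guaranteed for clients.  This is the measure the thread
    says Pulse kept."""
    if not uses_https(scan):
        return False
    if not scan.http.live:
        return True
    return bool(scan.http.final_url and scan.http.final_url.startswith("https://"))


def has_hsts(scan: DomainScan) -> bool:
    """HSTS only means something on a live HTTPS endpoint with a positive max-age."""
    return uses_https(scan) and bool(scan.https.hsts_max_age and scan.https.hsts_max_age > 0)


def yes_no(value: bool) -> str:
    return "Yes" if value else "No"


def summarize(scan: DomainScan) -> Dict[str, str]:
    """One row as a Pulse-style table would show it.  Cipher columns are
    filled whenever the TLS endpoint was reachable, which is why they can
    hold values next to an enforcement column that says "No"."""
    row = {
        "Domain": scan.domain,
        "Uses HTTPS": yes_no(uses_https(scan)),
        "Enforces HTTPS": yes_no(enforces_https(scan)),
        "HSTS": yes_no(has_hsts(scan)),
    }
    for cipher in ("RC4", "3DES"):
        if uses_https(scan):
            row[cipher] = yes_no(cipher in scan.https.weak_ciphers)
        else:
            row[cipher] = "--"  # nothing to test without a TLS endpoint
    return row


# Constructed sample scans (hypothetical domains).
SAMPLE_SCANS = [
    # The case from the issue: HTTPS answers and negotiates weak ciphers,
    # but plain HTTP serves content instead of redirecting.
    DomainScan("a.example",
               http=Endpoint(live=True, final_url="http://a.example/"),
               https=Endpoint(live=True, weak_ciphers=["RC4", "3DES"])),
    # Fully enforced: HTTP redirects to HTTPS, HSTS set, no weak ciphers.
    DomainScan("b.example",
               http=Endpoint(live=True, final_url="https://b.example/"),
               https=Endpoint(live=True, hsts_max_age=31536000)),
    # No TLS endpoint at all: nothing to report in the cipher columns.
    DomainScan("c.example",
               http=Endpoint(live=True, final_url="http://c.example/"),
               https=Endpoint(live=False)),
]


def example_rows() -> List[Dict[str, str]]:
    return [summarize(scan) for scan in SAMPLE_SCANS]


if __name__ == "__main__":
    for row in example_rows():
        print(row)
```

The first sample row reproduces the puzzling combination from the screenshot: "Enforces HTTPS: No" alongside "RC4: Yes" and "3DES: Yes". Reading that row as "no HTTPS at all" is the misreading the thread clears up; the endpoint exists, it just is not what plain-HTTP visitors get.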