Closed obrien-j closed 6 years ago
The "No" for HTTPs doesn't mean it does not have it, just means it does not enforce it. I noticed and asked a similar question of Eric a few weeks back before I realized it.
Hrmm... and so it is. Makes sense I guess. I'll mark this as closed since it's operating as designed. We may want to revisit this from an additional measurement criteria.
Pulse used to have two columns, for Uses HTTPS
and Enforces HTTPS
. Eventually, it became clear to me that measuring only whether a service is using-but-not-enforcing HTTPS isn't very useful as an intermediate state. HTTPS can't be guaranteed to be there in a meaningful way unless it's enforced. Showing it can give implementers a false sense of meaningful progress in rolling HTTPS support out to a web service.
Might be a flaw in domain-scan and/or parsing algs. Noting for followup