freedomofpress / securethenews

An automated scanner and web dashboard for tracking TLS deployment across news organizations
https://securethe.news
GNU Affero General Public License v3.0

Possibly wrong security rating for "The Indian Express" #148

Closed: sidtechnical closed this issue 6 years ago

sidtechnical commented 6 years ago

The Secure the News entry for "The Indian Express" has Security Rating D. The only reason it received D instead of F is that it was considered to have a valid HTTPS certificate.

However, in reality it doesn't. It can be checked here directly. So, in my opinion the security rating for The Indian Express should be F.

Please have a look into that if it is genuine!

P.S.: This was an accidental find. I am not sure if there are any similar mistakes in the script while rating other sites. Also, it could possibly be due to historical reasons, i.e. The Indian Express used to have a valid certificate, but not any more.

vaibhavmule commented 6 years ago

Same with Time.com.

sidtechnical commented 6 years ago

Seems like it is the same issue with all the sites which got the rating D.

@vaibhavmule are we missing something? Or is this a legit wrong grading?

vaibhavmule commented 6 years ago

Yes, if this is the case, then it is an issue with all sites.

Supports HTTPS and has a valid certificate. As I have checked, it does redirect HTTPS to HTTP (not a good idea) but has valid certificates.

sidtechnical commented 6 years ago

Yes. That exactly was my thought. Let us wait for others to confirm the same.

vaibhavmule commented 6 years ago

This is how it checks valid https: https://github.com/dhs-ncats/pshtt/blob/86a860c3c69a71ee29969942cd74f7a29ec16ffd/pshtt/pshtt.py#L732

The grading is correct. According to the grading scale, it says "HTTPS available, but downgrades to HTTP"; that's when a D rating is given.
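
The distinction the thread arrives at, that a valid certificate and a downgrade to HTTP are two separate findings, shown as an added Python example (not code from securethenews or pshtt). The response table, the function names and the rule that F means no valid HTTPS are assumptions constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10  # guard against redirect loops
REDIRECTS = (301, 302, 303, 307, 308)

# Constructed observations keyed by URL: (cert_valid, status, Location header).
# cert_valid is None for plain-HTTP URLs, where no certificate is involved.
SAMPLE = {
    "https://news-a.example/": (True, 301, "http://news-a.example/"),
    "http://news-a.example/": (None, 200, None),
    "https://news-b.example/": (False, 200, None),
    "https://news-c.example/": (True, 302, "/home"),
    "https://news-c.example/home": (True, 200, None),
}

def follow(responses, start):
    """Return the URLs visited from start, resolving relative Location values."""
    chain, url = [start], start
    for _ in range(MAX_HOPS):
        _cert, status, location = responses[url]
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)
        chain.append(url)
        if url not in responses:  # left the recorded data; stop here
            break
    return chain

def assess(responses, domain):
    """Report certificate validity and downgrade as independent findings."""
    start = f"https://{domain}/"
    if start not in responses or not responses[start][0]:
        return {"valid_https": False, "downgrades": False, "chain": [start]}
    chain = follow(responses, start)
    # This example's definition of a downgrade: the chain ends on plain HTTP.
    downgrades = urlsplit(chain[-1]).scheme == "http"
    return {"valid_https": True, "downgrades": downgrades, "chain": chain}

def grade(result):
    """D is the thread's quoted rule; F for no valid HTTPS is an assumption."""
    if not result["valid_https"]:
        return "F"
    if result["downgrades"]:
        return "D"
    return "above D"  # the rest of the scale is not given in this thread

if __name__ == "__main__":
    for d in ("news-a.example", "news-b.example", "news-c.example"):
        print(d, grade(assess(SAMPLE, d)))
```
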