Open bwbroersma opened 2 years ago
Thanks for the detailed report!
My two cents:
If a referring page makes a typo in a URL (any typo... but in this case 'http' where it should have been 'https'), then that would be their problem, right?
Also, I'm not sure what could be improved in the test-verdict.
https://en.internet.nl/site/geocontent.rvo.nl/1384989/#control-panel-8
It states quite clearly:
"Your web server only offers support for HTTPS and not for HTTP."
Why wouldn't that qualify for a green tick?
Since there is a tendency towards making HTTPS the default, we may not be 'shooting ourselves in the foot' in the longer term?
However, if you feel we can do better, perhaps by choosing different wording here and there, please let us know!
This typo, or the autocorrect in some CMS where you just input the URL without http:// and it adds that for you, will look like it works for the user editing the CMS, since they will have the HSTS user cache, while the link won't work for other users.

| HTTP Redirect | HSTS | HSTS preload | Visiting http:// | End result consistent |
|---|---|---|---|---|
| ❌ | ❌ | ❌ | ❌ won't work | ✔ |
| ✔ | ✔ | ❌ | ✔ if HSTS in user cache, otherwise redirects | ✔ |
| ❌ | ✔ | ✔ | ✔ HSTS preload connects without HSTS user cache | ✔ |
| ❌ | ✔ | ❌ | ⚠ if HSTS in user cache, otherwise fails | ❌ |
I think internet.nl should warn users about the last config case. I'm fine with not having HTTP, but in combination with some HSTS config it can lead to shooting yourself in the foot sooner or later. It's a config that is a recipe for dead links.
Dear Benjamin,
What about greying out the icon for the 'HTTPS redirect' verdict?
Something similar to what we do here: https://internet.nl/mail/example.nl/609451/#control-panel-2 ?
Hey Marco,
It should be a :warning: warning, it's really shooting oneself in the foot. Recently I read on some internal ticketing systems that some have chosen to disable port 80 (easier than redirecting properly?) as their default policy, and of course the HSTS setup is mandatory. So they are picking the :warning: option by default, but still see a :heavy_check_mark: on internet.nl.
Of course https default would solve this issue.
The current state is:

| Browser | HTTPS default | Notes / Settings |
|---|---|---|
| Apple Safari | :heavy_check_mark: | HTTPS Upgrade is default since Safari 15 |
| Google Chrome | :x: | chrome://flags/#https-only-mode-setting Always use secure connections |
| Microsoft Edge | :x: | edge://flags/#edge-automatic-https edge://settings/privacy Automatically switch to more secure connections with Automatic HTTPS |
| Mozilla Firefox | :x: | about:preferences#privacy HTTPS-Only Mode |
Case is geocontent.rvo.nl, which currently gets a 97% score, but the problem is it does get a :heavy_check_mark: for HTTP->HTTPS Redirect, while it has no HTTP support, nor HSTS preloading. The result is some other government website will accidentally link to http://geocontent.rvo.nl, and then whether this is a dead link depends on the HSTS cache of the user! If HSTS is preloaded, one does not need an HTTP->HTTPS Redirect, but in all other cases this is shooting yourself in the foot. So shouldn't not having an HTTP->HTTPS Redirect without HSTS preloading give a warning instead? The check is here: https://github.com/internetstandards/Internet.nl/blob/eaee12d9e9fa4ca8fa33ea798871c50d2cb067cb/checks/tasks/tls.py#L2912-L2952 So no HTTP support takes the branch:
Which gets full points: https://github.com/internetstandards/Internet.nl/blob/eaee12d9e9fa4ca8fa33ea798871c50d2cb067cb/checks/scoring.py#L92 And `ForcedHttpsStatus.no_http` does not trigger a warning either. However, to create a warning, the code needs a rewrite?
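As an added example (not internet.nl code, and not from this thread), here is a small Python model of the four rows in the configuration table above and of the warning proposed for the no-HTTP-plus-HSTS case; `SiteConfig`, `visit_http`, `verdict`, `classify` and the sample HSTS header are assumed names and constructed input.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not internet.nl code: models the configurations from the
# thread's table and the warning the reporter proposes for the last one.
# SiteConfig / visit_http / verdict / classify are assumed names.

@dataclass(frozen=True)
class SiteConfig:
    http_redirect: bool   # port 80 answers and redirects to https://
    hsts: bool            # HTTPS response carries a valid Strict-Transport-Security
    hsts_preload: bool    # host is on the browser HSTS preload list

def parse_hsts(header: Optional[str]) -> Optional[Tuple[int, bool]]:
    """Return (max_age, preload directive present) or None if absent/invalid."""
    if not header:
        return None
    m = re.search(r'max-age\s*=\s*"?(\d+)', header, re.I)
    if not m:
        return None
    directives = {d.strip().lower() for d in header.split(";")}
    return int(m.group(1)), "preload" in directives

def visit_http(cfg: SiteConfig, user_has_hsts_cache: bool) -> str:
    """What happens when a browser follows an http:// link to this host."""
    if cfg.hsts_preload or (cfg.hsts and user_has_hsts_cache):
        return "upgraded"      # browser rewrites to https:// before connecting
    if cfg.http_redirect:
        return "redirected"    # plaintext request answered with a redirect to https://
    return "dead"              # nothing listens on port 80: connection refused

def verdict(cfg: SiteConfig) -> str:
    """'pass' when the link works (or fails) for every user alike, 'warning'
    when it only works for users who already have the host's HSTS entry cached."""
    reachable = {visit_http(cfg, cached) != "dead" for cached in (False, True)}
    if len(reachable) > 1:
        return "warning: http:// links only work for users with HSTS cached"
    return "pass"

def classify(http_redirect: bool, hsts_header: Optional[str], on_preload_list: bool) -> str:
    """Build the config from observed facts and return the verdict."""
    parsed = parse_hsts(hsts_header)
    hsts = parsed is not None and parsed[0] > 0   # max-age=0 clears HSTS
    return verdict(SiteConfig(http_redirect, hsts, on_preload_list))

if __name__ == "__main__":
    # Constructed observation of the problem case: no port 80, HSTS set, not preloaded.
    print(classify(False, "max-age=31536000; includeSubDomains", False))
```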