
HSTS Preloaded is reporting False incorrectly #156

Closed
sjparkinson opened this issue Mar 5, 2018 · 6 comments
@sjparkinson

Running `pshtt --markdown ft.com` you get...

| Column | Value |
| --- | --- |
| Domain | ft.com |
| Base Domain | ft.com |
| Canonical URL | https://www.ft.com |
| Live | True |
| Redirect | False |
| Redirect To | None |
| Valid HTTPS | True |
| Defaults to HTTPS | True |
| Downgrades HTTPS | False |
| Strictly Forces HTTPS | True |
| HTTPS Bad Chain | False |
| HTTPS Bad Hostname | False |
| HTTPS Expired Cert | False |
| HTTPS Self Signed Cert | False |
| HSTS | True |
| HSTS Header | max-age=63072000; includeSubDomains; preload |
| HSTS Max Age | 63072000 |
| HSTS Entire Domain | False |
| HSTS Preload Ready | False |
| HSTS Preload Pending | False |
| HSTS Preloaded | False |
| Base Domain HSTS Preloaded | False |
| Domain Supports HTTPS | True |
| Domain Enforces HTTPS | True |
| Domain Uses Strong HSTS | True |
| Unknown Error | False |

When both ft.com and www.ft.com are in fact included in the preload list.

Bit of an edge case I know, but thought it was worth raising as sites like https://securethe.news depend on this tool.

This is because of ...

https://github.com/dhs-ncats/pshtt/blob/8b0e01b2714816881881612ae3b01c3d7e75874e/pshtt/pshtt.py#L1111-L1113

... in combination with ...

https://github.com/dhs-ncats/pshtt/blob/8b0e01b2714816881881612ae3b01c3d7e75874e/pshtt/pshtt.py#L948-L961

The canonical domain for the FT is www.ft.com, not ft.com, which is being assumed in `is_hsts_preloaded`.

@jsf9k
Member

jsf9k commented Mar 5, 2018

Thanks for the issue, @sjparkinson! I think the intent of pshtt is to be strict and only count domains as HSTS preloaded if they are fully HSTS preloaded (meaning that all subdomains are included as well). This is because we only want to give the thumbs up to domains that fully protect the user. That said, this code is two years old and long predates my involvement with pshtt. As a result I'd like to hear what @konklone and @h-m-f-t think.

@konklone
Collaborator

konklone commented Mar 6, 2018

That's right - pshtt is measuring whether the zone is preloaded, not just the hostname being scanned. That calculation is then used downstream by consuming reports, and has an impact on how subdomains of that zone are measured. For that reason, we intentionally scoped it to count only preload entries where include_subdomains is true.
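The two lookups discussed above, side by side, as an added example (this is not pshtt's own code and not the Chromium list itself). It models the zone-level check the maintainers describe, where only a base-domain entry with `include_subdomains` counts, against a per-hostname lookup of the kind the issue author expected, which walks from the scanned hostname up through its parents. The preload entries are constructed for illustration and use hypothetical example domains; the `base_domain` helper is a deliberate simplification (last two labels) where pshtt would consult a public suffix list.

```python
"""Zone-level vs hostname-level HSTS preload checks (added example, not pshtt code).

The JSON below follows the shape of Chromium's preload list, where each
entry carries "name", "mode" and "include_subdomains". The entries are
constructed for this example and do not describe any real domain.
"""

import json

# Constructed sample data (hypothetical domains, not the real preload list).
# example.net mirrors the ft.com situation in the issue: the apex is listed
# without include_subdomains, and the www host is listed as its own entry.
PRELOAD_JSON = """
{
  "entries": [
    {"name": "example.com",     "mode": "force-https", "include_subdomains": true},
    {"name": "example.net",     "mode": "force-https", "include_subdomains": false},
    {"name": "www.example.net", "mode": "force-https", "include_subdomains": false}
  ]
}
"""


def load_preload(json_text):
    """Index preload entries by lowercased name."""
    data = json.loads(json_text)
    return {e["name"].lower(): e for e in data["entries"]}


def base_domain(hostname):
    """Simplified base domain: last two labels only.

    Assumption for this example; a real tool (pshtt included) needs the
    public suffix list so that e.g. example.co.uk is handled correctly.
    """
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def zone_is_preloaded(hostname, entries):
    """Strict check in the spirit of pshtt's 'HSTS Preloaded' column.

    True only if the hostname's base domain has a force-https entry that
    also covers all subdomains. A www-only entry does not qualify, which
    is exactly why the ft.com scan in the issue reports False.
    """
    entry = entries.get(base_domain(hostname))
    return bool(
        entry
        and entry.get("mode") == "force-https"
        and entry.get("include_subdomains") is True
    )


def preload_covers_hostname(hostname, entries):
    """Per-hostname check: does any entry protect this exact host?

    Walks from the full hostname up through each parent. An exact-name
    entry matches regardless of include_subdomains; a parent entry matches
    only if it has include_subdomains set.
    """
    labels = hostname.lower().strip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = entries.get(candidate)
        if entry is None or entry.get("mode") != "force-https":
            continue
        if i == 0 or entry.get("include_subdomains") is True:
            return True
    return False


def preload_report(hostname, entries):
    """Both answers for one hostname, so the difference is visible."""
    return {
        "hostname": hostname,
        "zone_preloaded": zone_is_preloaded(hostname, entries),
        "hostname_covered": preload_covers_hostname(hostname, entries),
    }


PRELOAD = load_preload(PRELOAD_JSON)

if __name__ == "__main__":
    for host in ("www.example.net", "other.example.net", "api.example.com", "unknown.org"):
        print(preload_report(host, PRELOAD))
```

Running it shows the split the thread is about: `www.example.net` is covered as a hostname but its zone is not preloaded, so a report that only carries the zone-level answer will say False for it. Whether to surface the second value as its own column is a reporting decision, not a correctness bug in the strict check.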

@sjparkinson
Author

Sounds like a totally fair answer to me. Was not entirely sure if it was intentional, so thanks for clarifying!

@jsf9k
Member

jsf9k commented Mar 6, 2018

Closing, since @sjparkinson's question was answered.

@jsf9k jsf9k closed this as completed Mar 6, 2018
@IanLee1521
Collaborator

Would it be worth updating the README to specify as much for the "HSTS Preloaded" description?

@jsf9k
Member

jsf9k commented Mar 8, 2018

Yes, and I just did that. See #157.

cisagovbot pushed a commit that referenced this issue Jul 30, 2024