GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects β†’ cisagov β†’ Pshtt

cisagov / Pshtt

Licence: cc0-1.0
Scan domains and return data based on HTTPS best practices

Programming Languages

python
139335 projects - #7 most used programming language

Labels

https

Projects that are alternatives of or similar to Pshtt

Pwa Wp
WordPress feature plugin to bring Progressive Web Apps (PWA) to Core
Stars: ✭ 445 (-25.46%)
Mutual labels:  https
Localdots
HTTPS domains for localhost. 🏠
Stars: ✭ 486 (-18.59%)
Mutual labels:  https
Hstspreload.org
πŸ”’ Chromium's HSTS preload list submission website.
Stars: ✭ 548 (-8.21%)
Mutual labels:  https
Encrypted Dns
Configuration profiles for DNS HTTPS and DNS over TLS for iOS 14 and MacOS Big Sur
Stars: ✭ 455 (-23.79%)
Mutual labels:  https
Telegraph
Secure Web Server for iOS, tvOS and macOS
Stars: ✭ 474 (-20.6%)
Mutual labels:  https
Cpp Httplib
A C++ header-only HTTP/HTTPS server and client library
Stars: ✭ 6,173 (+934%)
Mutual labels:  https
Purest
REST API Client Library
Stars: ✭ 448 (-24.96%)
Mutual labels:  https
Blinksocks
A framework for building composable proxy protocol stack.
Stars: ✭ 587 (-1.68%)
Mutual labels:  https
Ansible Role Certbot
Ansible Role - Certbot (for Let's Encrypt)
Stars: ✭ 477 (-20.1%)
Mutual labels:  https
Tor2web
Tor2web is an HTTP proxy software that enables access to Tor Hidden Services by mean of common web browsers
Stars: ✭ 531 (-11.06%)
Mutual labels:  https
Wordpress Nginx Docker Compose
Run WordPress with nginx using Docker Compose.
Stars: ✭ 460 (-22.95%)
Mutual labels:  https
Eiblog
a fast blog system in golang
Stars: ✭ 472 (-20.94%)
Mutual labels:  https
Http
Event-driven, streaming HTTP client and server implementation for ReactPHP.
Stars: ✭ 507 (-15.08%)
Mutual labels:  https
Phin
Node HTTP client
Stars: ✭ 449 (-24.79%)
Mutual labels:  https
Http Client
Async HTTP/1.1+2 client for PHP based on Amp.
Stars: ✭ 553 (-7.37%)
Mutual labels:  https
Curl
A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, POP3, POP3S, RTMP, RTMPS, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET and TFTP. libcurl offers a myriad of powerful features
Stars: ✭ 22,875 (+3731.66%)
Mutual labels:  https
Opendirectorydownloader
Indexes open directories
Stars: ✭ 502 (-15.91%)
Mutual labels:  https
Fast Android Networking
πŸš€ A Complete Fast Android Networking Library that also supports HTTP/2 πŸš€
Stars: ✭ 5,346 (+795.48%)
Mutual labels:  https
Dockerswarm.rocks
Docker Swarm mode rocks! Ideas, tools and recipes. Get a production-ready, distributed, HTTPS served, cluster in minutes, not weeks.
Stars: ✭ 584 (-2.18%)
Mutual labels:  https
Cppserver
Ultra fast and low latency asynchronous socket server & client C++ library with support TCP, SSL, UDP, HTTP, HTTPS, WebSocket protocols and 10K connections problem solution
Stars: ✭ 528 (-11.56%)
Mutual labels:  https
View All Similar Projects βž”

Pushing HTTPS πŸ”’

Latest Version Build Status Coverage Status Total alerts Language grade: Python

pshtt ("pushed") is a tool to scan domains for HTTPS best practices. It saves its results to a CSV (or JSON) file.

pshtt was developed to push organizations β€” especially large ones like the US Federal Government πŸ‡ΊπŸ‡Έ β€” to adopt HTTPS across the enterprise. Federal agencies must comply with M-15-13, a 2015 memorandum from the White House Office of Management and Budget, and BOD 18-01, a 2017 directive from the Department of Homeland Security, which require federal agencies to enforce HTTPS on their public web services. Much has been done, but there's more yet to do.

pshtt is a collaboration between the Cyber and Infrastructure Security Agency's National Cybersecurity Assessments and Technical Services (NCATS) team and the General Service Administration's 18F team, with contributions from NASA, Lawrence Livermore National Laboratory, and various non-governmental organizations.

Getting Started

pshtt requires Python 3.6 or 3.7+. Python 2 is not supported.

pshtt can be installed as a module, or run directly from the repository.

Installed as a module

pshtt can be installed directly via pip:

pip install pshtt

It can then be run directly:

pshtt example.com [options]

Running directly

To run the tool locally from the repository, without installing, first install the requirements:

pip install -r requirements.txt

Then run it as a module via python -m:

python -m pshtt.cli example.com [options]

Usage and examples

pshtt [options] DOMAIN...
pshtt [options] INPUT

pshtt dhs.gov
pshtt --output=homeland.csv --debug dhs.gov us-cert.gov usss.gov
pshtt --sorted current-federal.csv

Note: if INPUT ends with .csv, domains will be read from the first column of the CSV. CSV output will always be written to disk (unless --json is specified), defaulting to results.csv.

Options

  -h --help                     Show this message.
  -s --sorted                   Sort output by domain, A-Z.
  -o --output=OUTFILE           Name output file. (Defaults to "results".)
  -j --json                     Get results in JSON. (Defaults to CSV.)
  -m --markdown                 Get results in Markdown. (Defaults to CSV.)
  -d --debug                    Print debug output.
  -u --user-agent=AGENT         Override user agent.
  -t --timeout=TIMEOUT          Override timeout (in seconds).
  -c --cache-third-parties=DIR  Cache third party data, and what directory to cache it in.
  -f --ca-file=PATH             Specify custom CA bundle (PEM format)
Using your own CA Bundle

By default, pshtt relies on the root CAs that are trusted in the Mozilla root store. If you work behind a corporate proxy or have your own certificates that aren't publicly trusted, you can specify your own CA bundle:

pshtt --ca-file=/etc/ssl/ca.pem server.internal-location.gov
Using Docker (optional)
./run [opts]

opts are the same arguments that would get passed to pshtt.

What's Checked?

A domain is checked on its four endpoints:

  • http://
  • http://www
  • https://
  • https://www

The following values are returned in results.csv:

Domain and redirect info

  • Domain - The domain you're scanning!
  • Base Domain - The base domain of Domain. For example, for a Domain of sub.example.com, the Base Domain will be example.com. Usually this is the second-level domain, but pshtt will download and factor in the Public Suffix List when calculating the base domain. (To cache the Public Suffix List, use --suffix-cache as documented above.)
  • Canonical URL - One of the four endpoints described above; a judgment call based on the observed redirect logic of the domain.
  • Live - The domain is "live" if any endpoint is live.
  • HTTPS Live - The domain is "HTTPS live" if any HTTPS endpoint is live.
  • HTTPS Full Connection - The domain is "fully connected" if any HTTPS endpoint is fully connected. A "fully connected" HTTPS endpoint is one with which pshtt could make a full TLS connection.
  • HTTPS Client Auth Required - A domain requires client authentication if any HTTPS endpoint requires it for a full TLS connection.
  • Redirect - The domain is a "redirect domain" if at least one endpoint is a redirect, and all endpoints are either redirects or down.
  • Redirect to - If a domain is a "redirect domain", where does it redirect to?

Landing on HTTPS

  • Valid HTTPS - A domain has "valid HTTPS" if it responds on port 443 at the hostname in its Canonical URL with an unexpired valid certificate for the hostname. This can be true even if the Canonical URL uses HTTP.
  • HTTPS Publicly Trusted - A domain is "publicly trusted" if its canonical endpoint has a publicly trusted certificate.
  • HTTPS Custom Truststore Trusted - A domain is "custom truststore trusted" if its canonical endpoint has a certificate that is trusted by the custom truststore.
  • Defaults to HTTPS - A domain "defaults to HTTPS" if its canonical endpoint uses HTTPS.
  • Downgrades HTTPS - A domain "downgrades HTTPS" if HTTPS is supported in some way, but its canonical HTTPS endpoint immediately redirects internally to HTTP.
  • Strictly Forces HTTPS - This is different than whether a domain "defaults" to HTTPS. A domain "Strictly Forces HTTPS" if one of the HTTPS endpoints is "live", and if both HTTP endpoints are either down or redirect immediately to any HTTPS URI. An HTTP redirect can go to HTTPS on another domain, as long as it's immediate. (A domain with an invalid cert can still be enforcing HTTPS.)

Common errors

  • HTTPS Bad Chain - A domain has a bad chain if either HTTPS endpoint contains a bad chain.
  • HTTPS Bad Hostname - A domain has a bad hostname if either HTTPS endpoint fails hostname validation.
  • HTTPS Expired Cert - A domain has an expired certificate if either HTTPS endpoint has an expired certificate.
  • HTTPS Self-Signed Cert - A domain has a self-signed certificate if either HTTPS endpoint has a self-signed certificate.
  • HTTPS Probably Missing Intermediate Cert - A domain is "probably missing intermediate certificate" if the canonical HTTPS endpoint is probably missing an intermediate certificate.

HSTS

  • HSTS - A domain has HTTP Strict Transport Security enabled if its canonical HTTPS endpoint has HSTS enabled.
  • HSTS Header - This field provides a domain's HSTS header at its canonical endpoint.
  • HSTS Max Age - A domain's HSTS max-age is its canonical endpoint's max-age.
  • HSTS Entire Domain - A domain has HSTS enabled for the entire domain if its root HTTPS endpoint (not the canonical HTTPS endpoint) has HSTS enabled and uses the HSTS includeSubDomains flag.
  • HSTS Preload Ready - A domain is HSTS "preload ready" if its root HTTPS endpoint (not the canonical HTTPS endpoint) has HSTS enabled, has a max-age of at least 18 weeks, and uses the includeSubDomains and preload flag.
  • HSTS Preload Pending - A domain is "preload pending" when it appears in the Chrome preload pending list with the include_subdomains flag equal to true. The intent of pshtt is to make sure that the user is fully protected, so it only counts domains as HSTS preloaded if they are fully HSTS preloaded (meaning that all subdomains are included as well).
  • HSTS Preloaded - A domain is HSTS preloaded if its domain name appears in the Chrome preload list with the include_subdomains flag equal to true, regardless of what header is present on any endpoint. The intent of pshtt is to make sure that the user is fully protected, so it only counts domains as HSTS preloaded if they are fully HSTS preloaded (meaning that all subdomains are included as well).
  • Base Domain HSTS Preloaded - A domain's base domain is HSTS preloaded if its base domain appears in the Chrome preload list with the include_subdomains flag equal to true. This is subtly different from HSTS Entire Domain, which inspects headers on the base domain to see if HSTS is set correctly to encompass the entire zone.

Scoring

These three fields use the previous results to come to high-level conclusions about a domain's behavior.

  • Domain Supports HTTPS - A domain 'Supports HTTPS' when it doesn't downgrade and has valid HTTPS, or when it doesn't downgrade and has a bad chain but not a bad hostname (a bad hostname makes it clear the domain isn't actively attempting to support HTTPS, whereas an incomplete chain is just a mistake.). Domains with a bad chain "support" HTTPS but user-side errors can be expected.
  • Domain Enforces HTTPS - A domain that 'Enforces HTTPS' must 'Support HTTPS' and default to HTTPS. For websites (where Redirect is false) they are allowed to eventually redirect to an https:// URI. For "redirect domains" (domains where the Redirect value is true) they must immediately redirect clients to an https:// URI (even if that URI is on another domain) in order to be said to enforce HTTPS.
  • Domain Uses Strong HSTS - A domain 'Uses Strong HSTS' when the max-age β‰₯ 31536000.

General information

  • IP - The IP for the domain.
  • Server Header - The server header from the response for the domain.
  • Server Version - The server version, as extracted from the server header.
  • HTTPS Cert Chain Length - The certificate chain length for the canonical HTTPS endpoint.
  • Notes - A field where free-form notes about the domain can be stored.

Uncommon errors

  • Unknown Error - A Boolean value indicating whether or not an unexpected exception was encountered when testing the domain. The purpose of this field is to flag any odd websites for further debugging.

Troubleshooting

DNS Blackhole / DNS Assist

One issue which can occur when running pshtt, particularly for home/residential networks, with standard ISPs is the use of "DNS Assist" features, a.k.a. "DNS Blackholes".

In these environments, you may see inconsistent results from pshtt owing to the fact that your ISP is attempting to detect a request for an unknown site without a DNS record and is redirecting you to a search page for that site. This means that an endpoint which should resolve as "not-alive", will instead resolve as "live", owing to the detection of the live search result page.

If you would like to disable this "feature", several ISPs offer the ability to opt out of this service, and maintain their own instructions for doing so:

Who uses pshtt?

Acknowledgements

This code was modeled after Ben Balter's site-inspector, with significant guidance from Eric Mill.

Public domain

This project is in the worldwide public domain.

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].