[HTTPS-Everywhere] Stupid Perl Tricks: ssl_check2.pl

Whizz Mo https at whizzmo.com
Thu Nov 4 19:06:51 PDT 2010


In case no one has bothered to write this already, attached is a simple perl
script to check an http url for https compatibility.
This script:

   1. fetches the http url
   2. parses it for fetchable links (images, scripts, frames, other hrefs)
   3. fetches the fetchable links in http and https
   4. compares the http and https responses.
   5. prints a report.  (See the attached text file for a sample.)

Usage:
       perl ssl_check2.pl http://somesite.com/

Output is currently command-line only.   (Do not run this script from the
Windows Run Command box.)

Caveats:

   - This is very quick and dirty code, and should be considered
   "experimental".  May format your hard drive, kick your dog, steal your
   truck, and run off with your wife.
   - This script will parse a frame url, but will not (recursively) parse
   the content of the frame.  [To-do list]




Thanks,
Whizz
-------------- next part --------------
Getting http://slashdot.org/ ...Done.
  Got 117515 bytes in 1 secs (117515 bytes / sec)
  Found 4 reference(s) to check.

Checking reference URLs...
  1    YAY!  HTTPS appears ok for https://b.scorecardresearch.com/p?c1=2&c2=6035546&c3=&c4=&c5=&c6=&c15=&cj=1 .
  2    sad.  HTTPS hash does NOT match HTTP hash for https://jlinks.industrybrains.com/jsct?sid=941&ct=slashdot_ros&num=3&layt=300x250imgad&fmt=simp.
         ... but the first 1058 / 8670 bytes are the same!  Manual check required.
        Here are 80 bytes from both strings, starting at offset 1048:
                http:  mp;lid=682045&cid=151113&pr=2&tstamp=20101104214514&iip=260.309.
                https:  mp;lid=685533&cid=151895&pr=2&tstamp=20101104214515&iip=260.309.
  3    zzz.  HTTPS request timeout.  Added rss.slashdot.org to badhosts list.
  4    YAY!  HTTPS appears ok for https://slashdot.org/ .




Results:
        Total links: 4
        Working links: 2 (50%)
        Semi-working links: 1 (25%) [See "HTTPS possible urls" below]
        Non-Working links: 1 (25%)
          HTTP request fail: 0
          HTTPS request fail: 1 (25%)
          Hash mismatch: 1 (25%)
          Links with a known-bad host: 0

        Bad hosts:
          rss.slashdot.org

        HTTPS OK urls:
          https://b.scorecardresearch.com/p?c1=2&c2=6035546&c3=&c4=&c5=&c6=&c15=&cj=1
          https://slashdot.org/

        HTTPS possible urls:
          https://jlinks.industrybrains.com/jsct?sid=941&ct=slashdot_ros&num=3&layt=300x250imgad&fmt=simp

        HTTPS fail urls:
          https://rss.slashdot.org/slashdot/slashdot


Verdict: This page IS NOT a candidate for *simple* domain-wide forced encryption, but may be a candidate for URL-rewriting or path-based forcing.  More research is required.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ssl_check2.pl
Type: application/octet-stream
Size: 10796 bytes
Desc: not available
URL: <http://lists.eff.org/pipermail/https-everywhere/attachments/20101104/2fa615d3/attachment.obj>
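
The compare step (step 4) and the "first N / M bytes are the same" line in the sample report can be sketched as follows. This is an added example in Python, not the attached ssl_check2.pl (which is not reproduced in the archive). It assumes SHA-256 as the hash, a 10-byte lead-in before the divergence point, and that a mismatch with no shared prefix counts as non-working. All names and sample bodies are constructed for illustration.

```python
import hashlib
from collections import Counter

def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes the two bodies share."""
    n = min(len(a), len(b))
    return next((i for i in range(n) if a[i] != b[i]), n)

def compare_bodies(http_body, https_body, context=80, lead=10):
    """Classify one reference; a body of None means that request failed or timed out."""
    if http_body is None:
        return {"status": "http_fail"}
    if https_body is None:
        return {"status": "https_fail"}
    if hashlib.sha256(http_body).digest() == hashlib.sha256(https_body).digest():
        return {"status": "ok"}
    same = common_prefix_len(http_body, https_body)
    if same == 0:
        return {"status": "mismatch"}  # assumption: nothing shared means non-working
    start = max(0, same - lead)  # back up a little so the divergence has context
    return {"status": "possible", "same": same, "total": len(http_body), "offset": start,
            "http": http_body[start:start + context],
            "https": https_body[start:start + context]}

def summarize(results):
    """Count statuses; assumed rule: domain-wide forcing needs every reference 'ok'."""
    counts = Counter(r["status"] for r in results.values())
    return {"counts": dict(counts),
            "domain_wide_candidate": bool(results) and counts["ok"] == len(results)}

# Constructed sample bodies (not real captures), shaped like cases in the report above.
SAMPLE = {
    "//example.test/":         (b"<html>front page</html>", b"<html>front page</html>"),
    "//ads.example.test/js":   (b"var u='/c?lid=1&tstamp=20101104214514';",
                                b"var u='/c?lid=1&tstamp=20101104214515';"),
    "//rss.example.test/feed": (b"<rss/>", None),  # HTTPS request timed out
}

def run_sample():
    return {url: compare_bodies(h, s) for url, (h, s) in SAMPLE.items()}

if __name__ == "__main__":
    results = run_sample()
    for url, r in results.items():
        print(url, r["status"], r.get("same", ""))
    print(summarize(results))
```

A "possible" result still needs the manual check the report asks for: a differing timestamp or ad id is harmless, while a differing script body is not.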

