[HTTPS-Everywhere] Stupid Perl Tricks: ssl_check2.pl

Peter Eckersley pde at eff.org
Wed Nov 10 17:48:59 PST 2010


Whizz, this script is great but I'm wondering if it's still somewhat buggy... 

perl ./ssl_check2.pl http://twitter.com

Getting http://twitter.com ...Done.
  Got 44511 bytes in 1 secs (44511 bytes / sec)
  Found 29 reference(s) to check.

Checking reference URLs...
  1    zzz.  HTTPS request timeout.  Added a0.twimg.com to badhosts list.
  2    Skipping url http://a0.twimg.com/a/1289339734/images/whatsnew/video-sample-ss.png (known-bad host a0.twimg.com).
  3    Skipping url http://a0.twimg.com/a/1289339734/javascripts/widgets/widget.js?1289366423 (known-bad host a0.twimg.com).
  4    Skipping url http://a0.twimg.com/profile_images/118608576/twitter_sc_logo_normal.jpg (known-bad host a0.twimg.com).
  5    Skipping url http://a0.twimg.com/profile_images/120242004/finaltwitter_normal.jpg (known-bad host a0.twimg.com).
  6    Skipping url http://a0.twimg.com/profile_images/49918572/half-face-ice_normal.jpg (known-bad host a0.twimg.com).
  7    zzz.  HTTPS request timeout.  Added a1.twimg.com to badhosts list.
  8    Skipping url http://a1.twimg.com/a/1289339734/images/twitter_57.png (known-bad host a1.twimg.com).
  9    Skipping url http://a1.twimg.com/a/1289339734/stylesheets/fronts.css?1289366423 (known-bad host a1.twimg.com).
  10    Skipping url http://a1.twimg.com/profile_images/220756397/afwd-twitter-logo_normal.gif (known-bad host a1.twimg.com).
  11    Skipping url http://a1.twimg.com/profile_images/263029233/slide1_normal.jpg (known-bad host a1.twimg.com).
  12    Skipping url http://a1.twimg.com/profile_images/381297805/mobile_normal.png (known-bad host a1.twimg.com).
  13    Skipping url http://a1.twimg.com/profile_images/52564417/twitter_normal.jpg (known-bad host a1.twimg.com).
  14    Skipping url http://a1.twimg.com/profile_images/555579649/steve_case_wsj_normal.jpg (known-bad host a1.twimg.com).
  15    Skipping url http://a1.twimg.com/profile_images/601329413/twitter_logo_normal.jpg (known-bad host a1.twimg.com).
  16    Skipping url http://a1.twimg.com/profile_images/670252813/136489main_pia04413-feature-browse_normal.jpg (known-bad host a1.twimg.com).
  17    Skipping url http://a1.twimg.com/profile_images/727884617/rainbow_normal.jpg (known-bad host a1.twimg.com).
  18    Skipping url http://a1.twimg.com/profile_images/866556637/teatime__normal.jpg (known-bad host a1.twimg.com).
  19    zzz.  HTTPS request timeout.  Added a2.twimg.com to badhosts list.
  20    Skipping url http://a2.twimg.com/profile_images/1114845454/daily-parent-tip_normal.png (known-bad host a2.twimg.com).
  21    Skipping url http://a2.twimg.com/profile_images/264983646/2008_author_shot_copy_normal.jpg (known-bad host a2.twimg.com).
  22    Skipping url http://a2.twimg.com/profile_images/458966890/twitterprofilephoto_normal.jpg (known-bad host a2.twimg.com).
  23    Skipping url http://a2.twimg.com/profile_images/544732942/logorgb2_justh_normal.png (known-bad host a2.twimg.com).
  24    Skipping url http://a2.twimg.com/profile_images/91810842/ai_250x250_twit_normal.jpg (known-bad host a2.twimg.com).
  25    zzz.  HTTPS request timeout.  Added a3.twimg.com to badhosts list.
  26    Skipping url http://a3.twimg.com/profile_images/291571823/unknown-6_normal.jpeg (known-bad host a3.twimg.com).
  27    Skipping url http://a3.twimg.com/profile_images/748445671/shopaneer-002-36x36_normal.jpg (known-bad host a3.twimg.com).
  28    zzz.  HTTPS request timeout.  Added ajax.googleapis.com to badhosts list.
  29    zzz.  HTTPS request timeout.  Added twitter.com to badhosts list.




Results:
	Total links: 29
	Working links: 0 
	Non-Working links: 29 (100%)
	  HTTP request fail: 0
	  HTTPS request fail: 6 (20.68%)
	  Hash mismatch: 0
	  Links with a known-bad host: 23 (79.31%)

	Bad hosts:
	  a0.twimg.com
	  a1.twimg.com
	  a2.twimg.com
	  a3.twimg.com
	  ajax.googleapis.com
	  twitter.com

	HTTPS fail urls:
	  https://a0.twimg.com/a/1289339734/images/fronts/logo_withbird_home.png
	  https://a1.twimg.com/a/1289339734/images/favicon.ico
	  https://a2.twimg.com/a/1289339734/javascripts/fronts.js
	  https://a3.twimg.com/profile_images/1148176527/1110-twitter_normal.jpg
	  https://ajax.googleapis.com/ajax/libs/jquery/1.3.0/jquery.min.js
	  https://twitter.com


Verdict: This page IS NOT a candidate for *simple* domain-wide forced encryption, but may be a candidate for URL-rewriting or path-based forcing.  More research is required.


On Thu, Nov 04, 2010 at 07:06:51PM -0700, Whizz Mo wrote:
> In case no one has bothered to write this already, attached is a simple perl
> script to check an http url for https compatibility.
> This script:
> 
>    1. fetches the http url
>    2. parses it for fetchable links (images, scripts, frames, other hrefs)
>    3. fetches the fetchable links in http and https
>    4. compares the http and https responses.
>    5. prints report.      (See attached text file for a sample)
> 
> Usage:
>        perl ssl_check2.pl http://somesite.com/
> 
> Output is currently command-line only.   (Do not run this script from the
> Windows Run Command box.)
> 
> Caveats:
> 
>    - This is very quick and dirty code, and should be considered
>    "experimental".  May format your hard drive, kick your dog, steal your
>    truck, and run off with your wife.
>    - This script will parse a frame url, but will not (recursively) parse
>    the content of the frame.  [To-do list]
> 
> 
> 
> 
> Thanks,
> Whizz

> Getting http://slashdot.org/ ...Done.
>   Got 117515 bytes in 1 secs (117515 bytes / sec)
>   Found 4 reference(s) to check.
> 
> Checking reference URLs...
>   1    YAY!  HTTPS appears ok for https://b.scorecardresearch.com/p?c1=2&c2=6035546&c3=&c4=&c5=&c6=&c15=&cj=1 .
>   2    sad.  HTTPS hash does NOT match HTTP hash for https://jlinks.industrybrains.com/jsct?sid=941&ct=slashdot_ros&num=3&layt=300x250imgad&fmt=simp.
>          ... but the first 1058 / 8670 bytes are the same!  Manual check required.
>         Here are 80 bytes from both strings, starting at offset 1048:
>                 http:  mp;lid=682045&cid=151113&pr=2&tstamp=20101104214514&iip=260.309.
>                 https:  mp;lid=685533&cid=151895&pr=2&tstamp=20101104214515&iip=260.309.
>   3    zzz.  HTTPS request timeout.  Added rss.slashdot.org to badhosts list.
>   4    YAY!  HTTPS appears ok for https://slashdot.org/ .
> 
> 
> 
> 
> Results:
>         Total links: 4
>         Working links: 2 (50%)
>         Semi-working links: 1 (25%) [See "HTTPS possible urls" below]
>         Non-Working links: 1 (25%)
>           HTTP request fail: 0
>           HTTPS request fail: 1 (25%)
>           Hash mismatch: 1 (25%)
>           Links with a known-bad host: 0
> 
>         Bad hosts:
>           rss.slashdot.org
> 
>         HTTPS OK urls:
>           https://b.scorecardresearch.com/p?c1=2&c2=6035546&c3=&c4=&c5=&c6=&c15=&cj=1
>           https://slashdot.org/
> 
>         HTTPS possible urls:
>           https://jlinks.industrybrains.com/jsct?sid=941&ct=slashdot_ros&num=3&layt=300x250imgad&fmt=simp
> 
>         HTTPS fail urls:
>           https://rss.slashdot.org/slashdot/slashdot
> 
> 
> Verdict: This page IS NOT a candidate for *simple* domain-wide forced encryption, but may be a candidate for URL-rewriting or path-based forcing.  More research is required.




-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993
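The procedure Whizz describes (extract the fetchable references, fetch each over http and https, compare the two responses, print a report; a host whose https fetch times out goes on a badhosts list and its remaining references are skipped, as both transcripts show), as an added example in Python. This is not ssl_check2.pl and not HTTPS-Everywhere code. The network fetch is an injected function so the example runs offline against a constructed page; the hosts (www.example.com, static.example.net, ajax.example.org, ads.example.com) and their responses are made up, and the "simple forcing candidate" rule is a simplification because the thread does not show the script's own verdict logic.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs a browser would fetch (the "fetchable links" of step 2).
FETCHABLE = {"img": "src", "script": "src", "link": "href",
             "frame": "src", "iframe": "src", "a": "href"}

class RefExtractor(HTMLParser):
    def __init__(self, base):
        super().__init__()
        self.base, self.refs = base, []

    def handle_starttag(self, tag, attrs):
        attr = FETCHABLE.get(tag)
        for name, value in attrs:
            if name == attr and value:
                url = urljoin(self.base, value.strip())
                # https:// refs already work; only http:// ones need checking.
                if url.startswith("http://") and url not in self.refs:
                    self.refs.append(url)

def extract_refs(base, html):
    parser = RefExtractor(base)
    parser.feed(html)
    return parser.refs

def common_prefix_len(a, b):
    """Leading bytes two responses share (the "first N / M bytes are the same" hint)."""
    n = min(len(a), len(b))
    return next((i for i in range(n) if a[i] != b[i]), n)

def check_refs(refs, fetch):
    """Steps 3-4: fetch each ref over http and https and compare digests.
    fetch(url) returns bytes or raises TimeoutError. Once an https fetch for a
    host times out, the host goes on the badhosts list and is not retried."""
    badhosts, results = set(), {}
    for url in refs:
        host = urlsplit(url).hostname
        if host in badhosts:
            results[url] = ("skipped", None)
            continue
        try:
            plain = fetch(url)
        except TimeoutError:
            results[url] = ("http_fail", None)
            continue
        try:
            secure = fetch("https://" + url[len("http://"):])
        except TimeoutError:
            badhosts.add(host)
            results[url] = ("https_fail", None)
            continue
        if hashlib.sha256(plain).digest() == hashlib.sha256(secure).digest():
            results[url] = ("ok", None)
        else:  # dynamic content (timestamps, ad ids) lands here: manual check
            results[url] = ("mismatch", common_prefix_len(plain, secure))
    return results, badhosts

def summarize(results):
    counts = {}
    for status, _ in results.values():
        counts[status] = counts.get(status, 0) + 1
    return counts

def simple_forcing_candidate(results):
    # Simplified verdict (the thread does not show the script's exact rule).
    return all(status == "ok" for status, _ in results.values())

# Constructed sample page and responses; the hosts are fictitious.
BASE_URL = "http://www.example.com/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.net/a/fronts.css">
<script src="http://static.example.net/a/fronts.js"></script>
<script src="http://ajax.example.org/libs/jquery.min.js"></script>
</head><body><img src="/images/logo.png">
<img src="http://static.example.net/images/favicon.ico">
<iframe src="http://ads.example.com/jsct?sid=941"></iframe>
</body></html>"""
AD_PREFIX = b"document.write('ad');// tstamp="

def fake_fetch(url):
    """Stand-in for the network client: https on static.example.net times out,
    ads.example.com embeds a per-request timestamp, everything else matches."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    if host == "static.example.net" and scheme == "https":
        raise TimeoutError(url)
    if host == "ads.example.com":
        return AD_PREFIX + (b"20101104214514" if scheme == "http" else b"20101104214515")
    return ("content of " + path).encode()

if __name__ == "__main__":
    refs = extract_refs(BASE_URL, SAMPLE_HTML)
    results, badhosts = check_refs(refs, fake_fetch)
    for i, url in enumerate(refs, 1):
        print(f"{i:3d} {results[url][0]:10s} {url}")
    print("Bad hosts:", sorted(badhosts), "Summary:", summarize(results))
    print("Simple domain-wide forcing candidate:", simple_forcing_candidate(results))
```

The "mismatch" branch is the jlinks.industrybrains.com case from the slashdot run: a byte-for-byte digest comparison flags any response with per-request content (the differing tstamp and id values), so the common-prefix length is only a hint for a manual look, not proof that the https version is wrong. Swapping fake_fetch for a real client with a timeout turns this into the same check the Perl script performs.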


