Open
Fix downgrades_https? to detect any HTTPS→HTTP redirect#106
Conversation
Changed downgrades_https? to check if ANY HTTPS endpoint redirects to HTTP, not just the canonical endpoint. This fixes the issue where domains like nytimes.com were not detected as downgrading HTTPS because their canonical endpoint was HTTP. Added comprehensive tests for the new behavior including: - Detection when canonical HTTPS endpoint downgrades - Detection when non-canonical HTTPS endpoint downgrades (nytimes.com case) - Verification that HTTPS-only domains don't show as downgrading - Verification that HTTPS-to-HTTPS redirects don't show as downgrading Co-authored-by: benbalter <282759+benbalter@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix downgrades HTTPS logic for appropriate site handling
Fix downgrades_https? to detect any HTTPS→HTTP redirect
Jan 15, 2026
benbalter
marked this pull request as ready for review
January 15, 2026 20:24
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The
downgrades_https?method only checked the canonical endpoint for HTTPS downgrades. This failed to detect cases where an HTTPS endpoint redirects to HTTP but the canonical endpoint is already HTTP (e.g.,https://nytimes.com→http://www.nytimes.com).Changes
lib/site-inspector/domain.rb: Changed logic from checking only canonical endpoint to checking all HTTPS endpointsspec/site_inspector/domain_spec.rb: Added test coverage for:Example
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
3.116.82.140.in-addr.arpa/usr/bin/ruby3.2 ruby3.2 /home/REDACTED/work/site-inspector/site-inspector/vendor/bundle/ruby/3.2.0/bin/rspec --format documentation ec _64-linux-gnu/ru-I -plugin-opt=/usr/usr/include/ruby-3.2.0/ruby/backward vendor/bundle/ru-I -plugin-opt=-pasas vendor/bundle/ru-I -plugin-opt=-pas. x86_64-linux-gnu-I -o by-3.2.0 -I/usr/include/x/usr/include/ruby-3.2.0/ruby/backward vendor/bundle/ru-I -I/usr/include/rbash vendor/bundle/ru--norc -Wdate-time y-3.2.0(dns block)example.com/usr/bin/ruby3.2 ruby3.2 /home/REDACTED/work/site-inspector/site-inspector/vendor/bundle/ruby/3.2.0/bin/rspec --format documentation ec _64-linux-gnu/ru-I -plugin-opt=/usr/usr/include/ruby-3.2.0/ruby/backward vendor/bundle/ru-I -plugin-opt=-pasas vendor/bundle/ru-I -plugin-opt=-pas. x86_64-linux-gnu-I -o by-3.2.0 -I/usr/include/x/usr/include/ruby-3.2.0/ruby/backward vendor/bundle/ru-I -I/usr/include/rbash vendor/bundle/ru--norc -Wdate-time y-3.2.0(dns block)whois.verisign-grs.com/usr/bin/ruby3.2 ruby3.2 /home/REDACTED/work/site-inspector/site-inspector/vendor/bundle/ruby/3.2.0/bin/rspec --format documentation ec _64-linux-gnu/ru-I -plugin-opt=/usr/usr/include/ruby-3.2.0/ruby/backward vendor/bundle/ru-I -plugin-opt=-pasas vendor/bundle/ru-I -plugin-opt=-pas. x86_64-linux-gnu-I -o by-3.2.0 -I/usr/include/x/usr/include/ruby-3.2.0/ruby/backward vendor/bundle/ru-I -I/usr/include/rbash vendor/bundle/ru--norc -Wdate-time y-3.2.0(dns block)If you need me to access, download, or install something from one of these locations, you can either:
Original prompt
This section details on the original issue you should resolve
<issue_title>downgrades_https logic doesn't make sense</issue_title>
<issue_description>As described in #83 (comment):
This is not a useful definition of "downgrades HTTPS". Any site that supports HTTPS but redirects to HTTP should be considered to "downgrade HTTPS".
For example, take https://nytimes.com:
Here, the "canonical" endpoint is
http://www.nytimes.com. Requests tohttps://{www.,}nytimes.comalways redirect tohttp://www.nytimes.com. Clearly the site downgrades HTTPS. However:</issue_description>
Comments on the Issue (you are @copilot in this section)
@konklone @garrettr Are you using 1.0.2 (which is what pulse.cio.gov uses), or 3.X (which is what the comment you link to refers to)? It looks like you're using 3.X, which I've not personally thoroughly tested or deployed.1.0.2 uses the same documented rule, that it only considers the canonical endpoint: https://github.com/benbalter/site-inspector/blob/erics-mode/lib/site-inspector.rb#L346-L358
But as you demonstrated, nytimes.com's canonical endpoint redirects to HTTP, so it should be marked as downgrading HTTPS either way. And in 1.0.2, it does appear to do so:
Yields, among the JSON results:
This seems to be a regression in 3.X.
I do think the definition of "downgrades HTTPS", when applied to a "domain", should only consider the canonical endpoint. If the NYT's canonical endpoint was https://www.nytimes.com and it didn't redirect down to HTTP, but for some reason https://nytimes.com redirected down to http://nytimes.com (perhaps as some intermediate redirect to the www version), then I would want to say that the nytimes.com domain "enforces HTTPS", even though it's possible to access it in a non-canonical way over HTTP.
@benbalter To be clear, the 3.x branch is the latest release, and is the only one currently supported. I'd be glad to get a fix together for the 3.x branch if there is a regression or should be a change in behavior.@garrettr, @konklone what is the expected/preferred behavior here? Logically, if an endpoint redirects from HTTPS to HTTP, it by definition, wouldn't be the canonical endpoint. Perhaps the definition should be if any endpoint redirects from HTTPS to HTTP? Alternatively, we could only look if the HTTPS equivalent of the canonical domain redirects to HTTP.
What if it redirects from HTTPS to HTTPS, but with an HTTP intermediary? E.g.:
https://nytimes.comredirects tohttp://www.nytimes.comhttp://www.nytime.comredirects tohttps://www.nytimes.comEdit Wrong @garrettr
@benbalter Eek. Thanks @garethr. Sorry for the noise. @konklone For reference, DHS has begun a Python-based tool that tackles only this issue, of analyzing HTTPS behavior on domains to come up with the same conclusions that are currently on pulse.cio.gov:https://github.com/dhs-ncats/pshtt
Our team at 18F is contributing, and hoping to end up using the same toolchain as DHS. The code isn't ready for use in Pulse yet, but it's seeing active work and should hopefully get there soon.
@konklone Some starting work on integrating to `domain-scan` is here: https://github.com/18F/domain-scan/pull/76But as I say in it, there's still some more work to go before they're at feature and logical parity.
@benbalter > the same conclusions that are currently on pulse.cio.gov@konklone could I trouble you to elaborate on those, in reference to the above question (regarding when HTTPS is downgraded)?
@benbalter > if a site has an HTTPS endpoint, but redirects it to HTTP, then it should be considered to "downgrade HTTPS".👍
@konklone Our methodology i...💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.