Open source collaboration across agencies to improve HTTPS deployment

This is a very small detail in that post but it captures quite well what officialdom is to me, what separates GSA and 18F from other digital efforts: the inclusion of the “tribal” scale in the list of levels of authority. 18F makes things so that many people can use the Internet including, explicitly, the administration of First Nations.<p>I’ve complained a lot about how US-based company do not thing about non-US users enough (that common rant is obviously not applicable to GSA, although American abroad, immigrants and foreign visitors probably quality) but in that rant, I have forgotten the original Americans. Shame on me. I have never heard of any start-up asking “What about First Nations? Do we support Cherokee alphabet? Is there a Sioux exception for the law that we are enforcing in that form?”

pshtt (the HTTPS scanning tool) also powers the results for Freedom of the Press Foundation&#x27;s recently launched Secure The News project: <a href="https:&#x2F;&#x2F;securethe.news" rel="nofollow">https:&#x2F;&#x2F;securethe.news</a>. (Full disclosure: I work for FPF, and worked on Secure the News).<p>It&#x27;s a promising project, and could use more contributors if anyone here is interested: <a href="https:&#x2F;&#x2F;github.com&#x2F;dhs-ncats&#x2F;pshtt&#x2F;issues" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;dhs-ncats&#x2F;pshtt&#x2F;issues</a> for ideas!

I was happy to notice not long ago that apod.nasa.gov is now served over HTTPS with a Let&#x27;s Encrypt certificate. Even OP link is!

One thing I noticed going through the list linked in the page is, many of these .gov pages host _both_ www and no-www versions, making them essentially two different websites with the same content. Example: <a href="http:&#x2F;&#x2F;abilityone.gov&#x2F;" rel="nofollow">http:&#x2F;&#x2F;abilityone.gov&#x2F;</a> and <a href="http:&#x2F;&#x2F;www.abilityone.gov&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.abilityone.gov&#x2F;</a> It looks like the clear guidelines around this is something missing. I know of certain countries whose .gov domains are almost 99% www and they don’t serve no-www at all.

Thanks for the work that you&#x27;re doing on this and answering questions. I had never seen many of the neat things mentioned in the blog post.<p>While the article did a good job explaining how pshtt works and how it generates data for the reporting, it didn&#x27;t dive too much into the scanning itself. Since this is posted on Hacker News, I&#x27;d love to hear more about the nitty gritty of the data collection itself.<p>Can you talk about what sort of setup you run, and what sort of technical and interdepartmental challenges you run into scanning, storing, and obtaining data for 1,143 government websites?

I like it how <a href="https:&#x2F;&#x2F;pulse.cio.gov&#x2F;" rel="nofollow">https:&#x2F;&#x2F;pulse.cio.gov&#x2F;</a> does not work because its certificate is issued for cloudfront.net

Heyo, ^ blogger here. Happy to chat.

this combines some really important checks. I might be able to remove my .bashrc hack ...<p><pre><code> function certchain() { # Usage: certchain # Display PKI chain-of-trust for a given domain # GistID: https:&#x2F;&#x2F;gist.github.com&#x2F;joshenders&#x2F;cda916797665de69ebcd if [[ &quot;$#&quot; -ne 1 ]]; then echo &quot;Usage: ${FUNCNAME} &lt;ip|domain[:port]&gt;&quot; return 1 fi local host_port=&quot;$1&quot; if [[ &quot;$1&quot; != *:* ]]; then local host_port=&quot;${1}:443&quot; fi openssl s_client -connect &quot;${host_port}&quot; &lt;&#x2F;dev&#x2F;null 2&gt;&#x2F;dev&#x2F;null | grep -E &#x27;\ (s|i):&#x27; }</code></pre>

How mature is pshtt?