Author Topic: Browserscope security test - Chrome beats CD  (Read 9473 times)

Offline n01paranoid

  • Comodo Family Member
  • ***
  • Posts: 67
Browserscope security test - Chrome beats CD
« on: February 21, 2012, 03:20:55 PM »
I've just run the Browserscope security test and Google Chrome scored 16/17 and CD 15/17. They both failed the toStaticHTML test, but CD also failed the Strict Transport Security test but Chrome passed. Can either of these be rectified in CD?

Offline Sal Amander

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 655
    • Comodo Technical Support
Re: Browserscope security test - Chrome beats CD
« Reply #1 on: February 21, 2012, 04:41:59 PM »
Quote
I've just run the Browserscope security test and Google Chrome scored 16/17 and CD 15/17. They both failed the toStaticHTML test, but CD also failed the Strict Transport Security test but Chrome passed. Can either of these be rectified in CD?

Dragon doesn't ship with a pre-loaded list for Strict Transport like Chrome does, but you're more than welcome to add them yourself via: dragon://net-internals/#hsts (This is only for power/adv. users)

Since Chrome doesn't even support 'toStaticHTML', chances are Dragon will have it when Chromium/Chrome does.

Offline brightness

  • Comodo Loves me
  • ****
  • Posts: 154
Re: Browserscope security test - Chrome beats CD
« Reply #2 on: February 23, 2012, 01:04:02 AM »
Quote
Dragon doesn't ship with a pre-loaded list for Strict Transport like Chrome does, but you're more than welcome to add them yourself via: dragon://net-internals/#hsts (This is only for power/adv. users)

Since Chrome doesn't even support 'toStaticHTML', chances are Dragon will have it when Chromium/Chrome does.

How about preloading Strict Transport list into CD?

Offline n01paranoid

  • Comodo Family Member
  • ***
  • Posts: 67
Re: Browserscope security test - Chrome beats CD
« Reply #3 on: February 25, 2012, 01:24:57 PM »
Quote
Dragon doesn't ship with a pre-loaded list for Strict Transport like Chrome does, but you're more than welcome to add them yourself via: dragon://net-internals/#hsts (This is only for power/adv. users)

Could someone explain how to in non power user terms so I can do it myself? Thanks

Online Chiron

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11066
Re: Browserscope security test - Chrome beats CD
« Reply #4 on: February 26, 2012, 01:29:09 AM »
Quote
Dragon doesn't ship with a pre-loaded list for Strict Transport like Chrome does, but you're more than welcome to add them yourself via: dragon://net-internals/#hsts (This is only for power/adv. users)

I'm wondering then, why doesn't CD include these by default when Chrome does? What is the downside of including this?

Thanks.

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Browserscope security test - Chrome beats CD
« Reply #5 on: February 26, 2012, 02:29:26 AM »
The pre-loaded list of sites in Chrome can be found here. The link at the bottom of that page takes you to the ongoing code review for additional sites.

To manage HSTS sites in Dragon, open:

about:net-internals  then select HSTS

You can check if a site is pre-loaded by using the Query domain option and you can add sites by using the Add domain. Be careful selecting the 'include sub-domains' option. Also remember, for HSTS to work, the web site has to have an HSTS policy enabled.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.”

Offline n01paranoid

  • Comodo Family Member
  • ***
  • Posts: 67
Re: Browserscope security test - Chrome beats CD
« Reply #6 on: February 26, 2012, 04:54:24 AM »
1) I've entered all the sites on the preloaded Chrome HSTS list but Dragon still fails the Browserscope Strict Transport Security test.

2) I have the add on Use HTTPS enabled. Does this not perform a similar function as HSTS and, if so, why does CD still fail the test?

Offline Sal Amander

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 655
    • Comodo Technical Support
Re: Browserscope security test - Chrome beats CD
« Reply #7 on: February 26, 2012, 07:51:04 PM »
Quote
2) I have the add on Use HTTPS enabled. Does this not perform a similar function as HSTS and, if so, why does CD still fail the test?

CD fails most likely due to a bug within whomever created the test. You may want to inquire with them for resolution.

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Browserscope security test - Chrome beats CD
« Reply #8 on: February 26, 2012, 08:28:58 PM »
Quote
CD fails most likely due to a bug within whomever created the test. You may want to inquire with them for resolution.

That's a bit thin Sal, every other Chrome clone passes the test, even Rockmelt. Dragon is the only clone to fail.

Offline Sal Amander

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 655
    • Comodo Technical Support
Re: Browserscope security test - Chrome beats CD
« Reply #9 on: February 26, 2012, 10:59:42 PM »
Quote
That's a bit thin Sal, every other Chrome clone passes the test, even Rockmelt. Dragon is the only clone to fail.

I'm sorry what is your point? Bugs exist in all software. According to everything I have seen and tested this appears to be a bug within BrowserScope and not Dragon. Other than this 'test' do you have any formidable proof that Dragon has a problem?

Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Browserscope security test - Chrome beats CD
« Reply #10 on: February 26, 2012, 11:21:20 PM »
Quote
I'm sorry what is your point? Bugs exist in all software. According to everything I have seen and tested this appears to be a bug within BrowserScope and not Dragon. Other than this 'test' do you have any formidable proof that Dragon has a problem?


Ok! The fact that all the other clones pass and Dragon doesn't, obviously points to a bug in their software. Perhaps I should also point out that Firefox and Opera 12 also pass the test, but you'll probably dismiss that too.

Offline Sal Amander

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 655
    • Comodo Technical Support
Re: Browserscope security test - Chrome beats CD
« Reply #11 on: February 27, 2012, 12:23:31 AM »
Quote
Ok! The fact that all the other clones pass and Dragon doesn't, obviously points to a bug in their software. Perhaps i should also point out that firefox and Opera 12 also pass the test, but you'll probably dismiss that too.

Honestly that's not enough to go on as it isn't solid enough. (Clones pass but one such clone [ Dragon ] doesn't.) You have NO concrete proof other than this 'test' to back up your claim. Have you performed your own tests based on W3C spec or anything else?

The test that browserscope uses in its test is: https://www.pwdhash.com/browserscope/set-sts.php , which has a header of 'Strict-Transport-Security: max-age=5' set for that page.

This is an independent 3rd party who has created the test. It is wise that one raise issues with the test with those who created it (BrowserScope). If indeed it is Dragon that is the problem then those at 'BrowserScope' would be the ones to contact us. :P
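
Added example, not part of the thread and not Dragon's or Chromium's code: a small JavaScript model of the HSTS behaviour discussed above, covering the 'include sub-domains' option, the requirement that the site itself send the policy over HTTPS, and a short-lived `max-age=5` header like the one the test page sets. The `HstsStore` class, its method names, and the never-expiring manual entries are assumptions of this sketch.

```javascript
// Added example: a minimal model of a browser's HSTS store.
// Host names and timestamps are constructed; no network access is made.

// Parse a Strict-Transport-Security value; null means "invalid, ignore it".
function parseSts(value) {
  let maxAge = null, includeSubDomains = false;
  for (const part of value.split(';')) {
    const [name, raw] = part.trim().split('=');
    const key = name.trim().toLowerCase();
    if (key === 'max-age' && raw !== undefined) {
      const v = raw.trim().replace(/^"(.*)"$/, '$1');
      if (!/^\d+$/.test(v)) return null;
      maxAge = Number(v);
    } else if (key === 'includesubdomains') {
      includeSubDomains = true;
    }
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class HstsStore {
  constructor() { this.entries = new Map(); }

  // Manual entry (the "Add domain" form); modelled here as never expiring.
  add(host, includeSubDomains) {
    this.entries.set(host.toLowerCase(), { expires: Infinity, sub: includeSubDomains });
  }

  // Learn a policy from a response header; plain-HTTP responses are ignored.
  note(scheme, host, value, nowSec) {
    const policy = scheme === 'https' ? parseSts(value) : null;
    if (!policy) return false;
    const key = host.toLowerCase();
    if (policy.maxAge === 0) this.entries.delete(key);
    else this.entries.set(key, { expires: nowSec + policy.maxAge, sub: policy.includeSubDomains });
    return true;
  }

  // Must an http:// request to this host be rewritten to https://?
  mustUpgrade(host, nowSec) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const e = this.entries.get(labels.slice(i).join('.'));
      // Exact match always applies; a parent applies only with includeSubDomains.
      if (e && e.expires > nowSec && (i === 0 || e.sub)) return true;
    }
    return false;
  }
}
```

In this model an entry learned from `max-age=5` stops applying five seconds after the response, and a manual entry without the sub-domains flag covers only the exact host name entered.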


Offline Radaghast

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 4068
Re: Browserscope security test - Chrome beats CD
« Reply #12 on: February 27, 2012, 12:51:11 AM »
Quote
Honestly that's not enough to go on as it isn't solid enough. (Clones pass but one such clone [ Dragon ] doesn't.) You have NO concrete proof other than this 'test' to back up your claim. Have you performed your own tests based on W3C spec or anything else?

I'm not "claiming" anything, nor is it my place to perform additional tests, to either prove or disprove, the validity of the test that Dragon fails. I'm merely pointing out that every other browser, currently supporting Strict Transport security, passes. 

Quote
The test that browserscope uses in its test is: https://www.pwdhash.com/browserscope/set-sts.php , which has a header of 'Strict-Transport-Security: max-age=5' set for that page.

Which clearly is irrelevant for every other browser passing the test.

Quote
This is an independent 3rd party who has created the test. It is wise that one raise issues with the test with those who created it (BrowserScope). If indeed it is Dragon that is the problem then those at 'BrowserScope' would be the ones to contact us. :P

I guess 'passing the buck' is one approach  :P



Offline dicks

  • Comodo Member
  • **
  • Posts: 26
Re: Browserscope security test - Chrome beats CD
« Reply #13 on: February 27, 2012, 03:05:48 AM »
I'm really shocked to read this thread and the way Comodo reacts to it. This is definitely the WRONG attitude guys.

Take ownership and show that you care instead of sending users away with a "it is not our fault" reply. Clearly something is not right (if the test results are as quoted).

Very very weak Comodo, you can't do better than this?

Offline Sal Amander

  • Comodo Staff
  • Comodo's Hero
  • *****
  • Posts: 655
    • Comodo Technical Support
Re: Browserscope security test - Chrome beats CD
« Reply #14 on: February 27, 2012, 08:11:09 AM »
Quote
I'm really shocked to read this thread and the way Comodo reacts to it. This is definitely the WRONG attitude guys.

Just because I work for Comodo, doesn't make me Comodo.

Quote
Take ownership and show that you care instead of sending users away with a "it is not our fault" reply. Clearly something is not right (if the test results are as quoted).

Very very weak Comodo, you can't do better than this?

How do you know that 'BrowserScope' isn't the one flawed here? They're the ones that created the test, not Comodo. They have their own bug reporting system for a reason. If their system is broken, they need to know about it!

See this 'Issue' reported to the Chromium Devs for BrowserScope.

 
