Browserscope security test - Chrome beats CD

I’ve just run the Browserscope security test and Google Chrome scored 16/17 and CD 15/17. They both failed the toStaticHTML test, but CD also failed the Strict Transport Security test, which Chrome passed. Can either of these be rectified in CD?

Dragon doesn’t ship with a pre-loaded list for Strict Transport like Chrome does, but you’re more than welcome to add them yourself via: dragon://net-internals/#hsts (This is only for power/adv. users)

Since Chrome doesn’t even support ‘toStaticHTML’, chances are Dragon will have it when Chromium/Chrome does.

How about preloading Strict Transport list into CD?

Could someone explain how to in non-power-user terms so I can do it myself? Thanks

I’m wondering then, why doesn’t CD include these by default when Chrome does? What is the downside of including this?

Thanks.

The pre-loaded list of sites in Chrome can be found here. The link at the bottom of that page takes you to the ongoing code review for additional sites.

To manage HSTS sites in Dragon, open:

about:net-internals then select HSTS

You can check if a site is pre-loaded by using the Query domain option and you can add sites by using the Add domain. Be careful selecting the ‘include sub-domains’ option. Also remember, for HSTS to work, the web site has to have a HSTS policy enabled.

  1. I’ve entered all the sites on the preloaded Chrome HSTS list but Dragon still fails the Browserscope Strict Transport Security test.

  2. I have the add on Use HTTPS enabled. Does this not perform a similar function as HSTS and, if so, why does CD still fail the test?

CD fails most likely due to a bug within whoever created the test. You may want to inquire with them for resolution.

That’s a bit thin Sal, every other Chrome clone passes the test, even Rockmelt. Dragon is the only clone to fail.


I’m sorry what is your point? Bugs exist in all software. According to everything I have seen and tested this appears to be a bug within BrowserScope and not Dragon. Other than this ‘test’ do you have any formidable proof that Dragon has a problem?

Ok! The fact that all the other clones pass and Dragon doesn’t obviously points to a bug in their software. Perhaps I should also point out that Firefox and Opera 12 also pass the test, but you’ll probably dismiss that too.

Honestly that’s not enough to go on as it isn’t solid enough. (Clones pass but one such clone [ Dragon ] doesn’t.) You have NO concrete proof other than this ‘test’ to back up your claim. Have you performed your own tests based on W3C spec or anything else?

The test that browserscope uses in its test is: https://www.pwdhash.com/browserscope/set-sts.php , which has a header of ‘Strict-Transport-Security: max-age=5’ set for that page.

This is an independent 3rd party who has created the test. It is wise that one raise issues with the test with those who created it (BrowserScope). If indeed it is Dragon that is the problem then those at ‘BrowserScope’ would be the ones to contact us. :stuck_out_tongue:
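Sal’s post above describes what the Browserscope check actually exercises: the test page sends Strict-Transport-Security: max-age=5 and then sees whether the browser upgrades a later plain-HTTP request to that host within those 5 seconds. The following is an added Python example (not Comodo’s, Chromium’s or Browserscope’s code) of the policy-store logic a browser has to implement for that check to pass, including the max-age expiry and the includeSubDomains rule mentioned in the net-internals post; the class and function names are my own.

```python
import re
from urllib.parse import urlsplit

def parse_hsts(value):
    """Return (max_age, include_subdomains), or None if max-age is missing or bad."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            m = re.fullmatch(r'"?(\d+)"?', arg.strip())
            if m is None:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

class HstsStore:
    def __init__(self):
        self.hosts = {}  # host -> (expiry time, include_subdomains)

    def observe(self, response_url, header_value, now):
        """Record a policy from a response; ignored unless served over HTTPS."""
        parts = urlsplit(response_url)
        host = parts.hostname
        if parts.scheme != "https" or host is None or re.fullmatch(r"[\d.]+", host):
            return False  # RFC 6797: plain-HTTP responses and IP literals never set HSTS
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self.hosts.pop(host, None)  # max-age=0 tells the browser to forget the host
        else:
            self.hosts[host] = (now + max_age, include_sub)
        return True

    def should_upgrade(self, url, now):
        """True if an http:// URL must be rewritten to https:// under a live policy."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None:
            return False
        labels = parts.hostname.split(".")
        for i in range(len(labels)):          # exact host first, then each parent domain
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or now >= entry[0]:
                continue                      # unknown host or expired policy
            if i == 0 or entry[1]:            # exact match, or parent with includeSubDomains
                return True
        return False
```

With max-age=5 the policy is gone after 5 seconds, so a browser that delays the follow-up request, or only honours its pre-loaded list, would fail this kind of check even though it supports HSTS.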

I’m not “claiming” anything, nor is it my place to perform additional tests, to either prove or disprove, the validity of the test that Dragon fails. I’m merely pointing out that every other browser currently supporting Strict Transport Security passes.

> The test that browserscope uses in its test is: https://www.pwdhash.com/browserscope/set-sts.php , which has a header of ‘Strict-Transport-Security: max-age=5’ set for that page.

Which clearly is irrelevant for every other browser passing the test.

> This is an independent 3rd party who has created the test. It is wise that one raise issues with the test with those who created it (BrowserScope). If indeed it is Dragon that is the problem then those at ‘BrowserScope’ would be the ones to contact us. :P

I guess ‘passing the buck’ is one approach :stuck_out_tongue:

I’m really shocked to read this thread and the way Comodo reacts to it. This is definitely the WRONG attitude guys.

Take ownership and show that you care instead of sending users away with a “it is not our fault” reply. Clearly something is not right (if the test results are as quoted).

Very very weak Comodo, you can’t do better than this?

Just because I work for Comodo, doesn’t make me Comodo.

How do you know that ‘BrowserScope’ isn’t the one flawed here? They’re the ones that created the test, not Comodo. They have their own bug reporting system for a reason. If their system is broken, they need to know about it!

See this ‘Issue’ reported to the Chromium Devs for BrowserScope.

While I am not directly involved in the CD project, I did open a ticket with our developers and QA teams so that we may do our own investigation on HTTP Strict Transport Security inside Comodo Dragon.

I am rather surprised with this apparently complacent attitude. If you believe CD is failing the test through no fault of Comodo but because of a Browserscope bug do you not feel the need for Comodo also to contact them and find out why? If I worked for Comodo I certainly wouldn’t be happy.

Dragon doesn’t fail my tests for HSTS but rather BrowserScope’s own. It’s not the job of a random Comodo employee to file suspected bugs with other software that he/she did not find themselves nor was able to reproduce outside of BrowserScope’s test (a test I’ve never heard of until this thread). The job should lie with the user that first reported the possible issue.