author | Sebastian Geerken <devnull@localhost> | 2015-07-06 22:37:37 +0200 |
---|---|---|
committer | Sebastian Geerken <devnull@localhost> | 2015-07-06 22:37:37 +0200 |
commit | 9610fb52086c39ab10c2979c79a98079745137da (patch) | |
tree | 5df4319a20b63cbb7e0872318532087475ebb221 /src | |
parent | 9500f94781023d15783f4c8158c17c112135a221 (diff) | |
parent | 78c910dc93d8772a0b1af7fc6ae3865e2efdfb3c (diff) |
Merge with main repo.
Diffstat (limited to 'src')
-rw-r--r-- | src/IO/about.c | 29 | ||||
-rw-r--r-- | src/IO/tls.c | 240 | ||||
-rw-r--r-- | src/IO/tls.h | 2 | ||||
-rw-r--r-- | src/Makefile.am | 4 | ||||
-rw-r--r-- | src/cache.c | 11 | ||||
-rw-r--r-- | src/capi.c | 46 | ||||
-rw-r--r-- | src/dialog.cc | 2 | ||||
-rw-r--r-- | src/dillo.cc | 3 | ||||
-rw-r--r-- | src/form.cc | 11 | ||||
-rw-r--r-- | src/hsts.c | 364 | ||||
-rw-r--r-- | src/hsts.h | 19 | ||||
-rwxr-xr-x | src/hsts_preload | 2037 | ||||
-rw-r--r-- | src/html.cc | 4 | ||||
-rw-r--r-- | src/nav.c | 1 | ||||
-rw-r--r-- | src/paths.hh | 1 | ||||
-rw-r--r-- | src/prefs.c | 3 | ||||
-rw-r--r-- | src/prefs.h | 1 | ||||
-rw-r--r-- | src/prefsparser.cc | 2 | ||||
-rw-r--r-- | src/url.c | 39 |
19 files changed, 2696 insertions, 123 deletions
diff --git a/src/IO/about.c b/src/IO/about.c index 1fe6485b..07dbbb01 100644 --- a/src/IO/about.c +++ b/src/IO/about.c 
@@ -270,23 +270,32 @@ const char *const AboutSplash= "<tr>\n" " <td bgcolor='#CCCCCC'>\n" " <h4>Release overview</h4>\n" -" December 24, 2014\n" +" June 30, 2015\n" "<tr>\n" " <td bgcolor='#FFFFFF'>\n" " <table border='0' cellspacing='0' cellpadding='5'>\n" " <tr>\n" " <td>\n" "<p>\n" -"The dillo-3.0.4.1 release brings you fixes:\n" +"Among the changes in dillo-3.0.5 are:\n" "<ul>\n" -"<li> for linking with the recently-released fltk-1.3.3\n" -" (we don't use <tt>fl_oldfocus</tt> anymore).\n" -"<li> to make sure that windows are resizable with fltk-1.3.3.\n" -"<li> not to load background images, or follow redirections or meta refresh,\n" -" in <tt>--local</tt> mode (security).\n" -"<li> to permit linking on OS X (remove our <tt>Fl_Printer</tt> stub).\n" -"<li> for a crash when searching from the address bar and no search urls are\n" -" found in dillorc.\n" +"<li>Image buffer/cache improvements.\n" +"<li>Fix for segfault when there's no dpid and view source is requested.\n" +"<li>Fix view-source dpi to handle null characters correctly.\n" +"<li>Made view-source dpi use CSS formatting (it's shorter and cleaner).\n" +"<li>Crosscompile/buildroot-friendly fltk-config test.\n" +"<li>Fix X11 icon name.\n" +"<li>In location bar, tend toward showing beginning of URL instead of end.\n" +"<li>Handle irix's version of vsnprintf().\n" +"<li>INPUT, TEXTAREA placeholder attribute.\n" +"<li>Better notification when user's domainrc settings block page\n" +" redirection.\n" +"<li>Fix bug with font_factor preference and CSS font-size:(larger|smaller).\n" +"<li>Recognize Menu key in keysrc.\n" +"<li>HTTPS: change cipher list to \"ALL:!aNULL:!eNULL:!LOW:!EXPORT40:!RC4\",\n" +" disable SSL3, disable TLS compression.\n" +"<li>Avoid requesting background images if an ancestor has display:none.\n" +"<li>Ignore built-in search url if any are specified in dillorc.\n" "</ul>\n" "<p>\n" "...that shouldn't have to wait until dillo-3.1 is ready with its floating\n" 
diff --git a/src/IO/tls.c b/src/IO/tls.c index f0f33215..3d14deef 100644 --- a/src/IO/tls.c +++ b/src/IO/tls.c @@ -21,7 +21,9 @@ * all respects for all of the code used other than OpenSSL or LibreSSL. */ -/* https://www.ssllabs.com/ssltest/viewMyClient.html */ +/* https://www.ssllabs.com/ssltest/viewMyClient.html + * https://github.com/lgarron/badssl.com + */ /* * Using TLS in Applications: http://datatracker.ietf.org/wg/uta/documents/ @@ -62,7 +64,7 @@ void a_Tls_init() #define CERT_STATUS_NONE 0 #define CERT_STATUS_RECEIVING 1 -#define CERT_STATUS_GOOD 2 +#define CERT_STATUS_CLEAN 2 #define CERT_STATUS_BAD 3 #define CERT_STATUS_USER_ACCEPTED 4 
@@ -400,18 +402,129 @@ int a_Tls_connect_ready(const DilloUrl *url) return ret; } +static int Tls_cert_status(const DilloUrl *url) +{ + Server_t *s = dList_find_sorted(servers, url, Tls_servers_by_url_cmp); + + return s ? s->cert_status : CERT_STATUS_NONE; +} + /* * Did we find problems with the certificate, and did the user proceed to * reject the connection? */ static int Tls_user_said_no(const DilloUrl *url) { - Server_t *s = dList_find_sorted(servers, url, Tls_servers_by_url_cmp); + return Tls_cert_status(url) == CERT_STATUS_BAD; +} + +/* + * Did everything seem proper with the certificate -- no warnings to + * click through? + */ +int a_Tls_certificate_is_clean(const DilloUrl *url) +{ + return Tls_cert_status(url) == CERT_STATUS_CLEAN; +} + +/* + * We are both checking whether the certificates are using a strong enough + * hash algorithm and key as well as printing out certificate information the + * first time that we see it. Mixing these two actions together is generally + * not good practice, but feels justified by the fact that it's so much + * trouble to get this information out of openssl even once. + * + * Return FALSE if MD5 (MD*) hash is found and user does not accept it, + * otherwise TRUE. + */ +static bool_t Tls_check_cert_strength(SSL *ssl, Server_t *srv, int *choice) +{ + /* print for first connection to server */ + const bool_t print_chain = srv->cert_status == CERT_STATUS_RECEIVING; + bool_t success = TRUE; - if (!s) - return FALSE; + STACK_OF(X509) *sk = SSL_get_peer_cert_chain(ssl); - return s->cert_status == CERT_STATUS_BAD; + if (sk) { + const uint_t buflen = 4096; + char buf[buflen]; + int rc, i, n = sk_X509_num(sk); + X509 *cert = NULL; + EVP_PKEY *public_key; + int key_type, key_bits; + const char *type_str; + BIO *b; + + for (i = 0; i < n; i++) { + cert = sk_X509_value(sk, i); + public_key = X509_get_pubkey(cert); + + /* We are trying to find a way to get the hash function used + * with a certificate. 
This way, which is not very pleasant, puts + * a string such as "sha256WithRSAEncryption" in our buffer and we + * then trim off the "With..." part. + */ + b = BIO_new(BIO_s_mem()); + rc = i2a_ASN1_OBJECT(b, cert->sig_alg->algorithm); + + if (rc > 0) { + rc = BIO_gets(b, buf, buflen); + } + if (rc <= 0) { + strcpy(buf, "(unknown)"); + buf[buflen-1] = '\0'; + } else { + char *s = strstr(buf, "With"); + + if (s) { + *s = '\0'; + if (!strcmp(buf, "sha1")) { + if (print_chain) + MSG_WARN("In 2015, browsers have begun to deprecate SHA1 " + "certificates.\n"); + } else if (!strncmp(buf, "md", 2) && success == TRUE) { + const char *msg = "A certificate in the chain uses the MD5 " + "signature algorithm, which is too weak " + "to trust."; + *choice = a_Dialog_choice("Dillo TLS security warning", msg, + "Continue", "Cancel", NULL); + if (*choice != 1) + success = FALSE; + } + } + } + BIO_free(b); + + if (print_chain) + MSG("%s ", buf); + + key_type = EVP_PKEY_type(public_key->type); + type_str = key_type == EVP_PKEY_RSA ? "RSA" : + key_type == EVP_PKEY_DSA ? "DSA" : + key_type == EVP_PKEY_DH ? "DH" : + key_type == EVP_PKEY_EC ? "EC" : "???"; + key_bits = EVP_PKEY_bits(public_key); + X509_NAME_oneline(X509_get_subject_name(cert), buf, buflen); + buf[buflen-1] = '\0'; + if (print_chain) + MSG("%d-bit %s: %s\n", key_bits, type_str, buf); + EVP_PKEY_free(public_key); + + if (key_type == EVP_PKEY_RSA && key_bits <= 1024) { + if (print_chain) + MSG_WARN("In 2014/5, browsers have been deprecating 1024-bit " + "RSA keys.\n"); + } + } + + if (cert) { + X509_NAME_oneline(X509_get_issuer_name(cert), buf, buflen); + buf[buflen-1] = '\0'; + if (print_chain) + MSG("root: %s\n", buf); + } + } + return success; } /******************** BEGINNING OF STUFF DERIVED FROM wget-1.16.3 */ 
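Review bot: The hash check in Tls_check_cert_strength trims the printed OID name at `strstr(buf, "With")`, but OpenSSL's long names for ECDSA signatures use a lowercase "with" (`ecdsa-with-SHA1`, `ecdsa-with-SHA256`) and DSA is `dsaWithSHA1`, so an ECDSA-SHA1 chain produces neither the SHA1 warning nor an `md` match and goes through silently. Instead of parsing text, ask the library for the digest: `int md_nid = NID_undef; OBJ_find_sigid_algs(X509_get_signature_nid(cert), &md_nid, NULL);` (OpenSSL 1.0.2 and later) and compare `md_nid` against `NID_md5`, `NID_md2` and `NID_sha1`, keeping the BIO print only for the chain listing. That also removes the `cert->sig_alg->algorithm` and `public_key->type` field accesses, which stop compiling once these structs become opaque (`EVP_PKEY_base_id(public_key)` is the accessor). Note that SSL_get_peer_cert_chain returns the chain as the server sent it, so if a root is included its self-signature is inspected too, even though verification never depends on it; skipping the last element when it is self-issued avoids prompting the user about an MD5 root self-signature.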
@@ -668,7 +781,7 @@ static void Tls_get_issuer_name(X509 *cert, char *buf, uint_t buflen) if (cert) { X509_NAME_oneline(X509_get_issuer_name(cert), buf, buflen); } else { - strncpy(buf, "(unknown)", buflen); + strcpy(buf, "(unknown)"); buf[buflen-1] = '\0'; } } @@ -683,7 +796,7 @@ static void Tls_get_expiration_str(X509 *cert, char *buf, uint_t buflen) rc = BIO_gets(b, buf, buflen); } if (rc <= 0) { - strncpy(buf, "(unknown)", buflen); + strcpy(buf, "(unknown)"); buf[buflen-1] = '\0'; } BIO_free(b); @@ -694,14 +807,14 @@ static void Tls_get_expiration_str(X509 *cert, char *buf, uint_t buflen) * to do. * Return: -1 if connection should be canceled, or 0 if it should continue. */ -static int Tls_examine_certificate(SSL *ssl, Server_t *srv,const char *host) +static int Tls_examine_certificate(SSL *ssl, Server_t *srv) { X509 *remote_cert; long st; const uint_t buflen = 4096; char buf[buflen], *cn, *msg; int choice = -1, ret = -1; - char *title = dStrconcat("Dillo TLS security warning: ", host, NULL); + char *title = dStrconcat("Dillo TLS security warning: ",srv->hostname,NULL); remote_cert = SSL_get_peer_certificate(ssl); if (remote_cert == NULL){ @@ -715,8 +828,8 @@ static int Tls_examine_certificate(SSL *ssl, Server_t *srv,const char *host) if (choice == 1){ ret = 0; } - - } else if (Tls_check_cert_hostname(remote_cert, host, &choice)) { + } else if (Tls_check_cert_strength(ssl, srv, &choice) && + Tls_check_cert_hostname(remote_cert, srv->hostname, &choice)) { /* Figure out if (and why) the remote system can't be trusted */ st = SSL_get_verify_result(ssl); switch (st) { @@ -752,11 +865,9 @@ static int Tls_examine_certificate(SSL *ssl, Server_t *srv,const char *host) case 2: break; case 3: - /* Save certificate to a file here and recheck the chain */ - /* Potential security problems because we are writing - * to the filesystem */ + /* Save certificate to a file */ Tls_save_certificate_home(remote_cert); - ret = 1; + ret = 0; break; default: break; 
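Review bot: Replacing `strncpy(buf, "(unknown)", buflen)` with `strcpy` in Tls_get_issuer_name and Tls_get_expiration_str makes the `buflen` parameter meaningless for the fallback string: both functions still advertise a caller-supplied size, the fixed write no longer honours it, and the trailing `buf[buflen-1] = '\0'` cannot undo an overrun if a caller ever passes a small buffer. `snprintf(buf, buflen, "(unknown)");` keeps the bound and the termination in one call and lets the separate terminator line go. Both enclosing functions start before this hunk.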
@@ -889,13 +1000,17 @@ static int Tls_examine_certificate(SSL *ssl, Server_t *srv,const char *host) } dFree(title); - if (choice == 2) + if (choice == -1) { + srv->cert_status = CERT_STATUS_CLEAN; /* no warning popups */ + } else if (choice == 1) { + srv->cert_status = CERT_STATUS_USER_ACCEPTED; /* clicked Continue */ + } else { + /* 2 for Cancel, or 0 when window closed. Treating 0 as meaning 'No' is + * probably not exactly correct, but adding complexity to handle this + * obscure case does not seem justifiable. + */ srv->cert_status = CERT_STATUS_BAD; - else if (choice == -1) - srv->cert_status = CERT_STATUS_GOOD; - else - srv->cert_status = CERT_STATUS_USER_ACCEPTED; - + } return ret; } 
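Review bot: The new status mapping treats every answer other than -1 or 1 as a rejection, yet the case-3 arm in the preceding hunk (the save-certificate button, if that switch is on `choice` as the neighbouring cases suggest) now returns `ret = 0` while leaving `choice` at 3, so that connection proceeds but the server is recorded as CERT_STATUS_BAD: Tls_user_said_no then answers yes for it and a_Tls_certificate_is_clean answers no, and the comment here only accounts for 0 and 2. Before this patch choice 3 fell into the USER_ACCEPTED branch. Either set `choice = 1;` in the case-3 arm once the certificate is saved, or widen the test here to `} else if (choice == 1 || choice == 3) {` and say in the comment that 3 means saved-and-continue. Tls_examine_certificate begins before this hunk.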
@@ -936,82 +1051,6 @@ static void Tls_close_by_key(int connkey) } } -static void Tls_print_cert_chain(SSL *ssl) -{ - STACK_OF(X509) *sk = SSL_get_peer_cert_chain(ssl); - - if (sk) { - const uint_t buflen = 4096; - char buf[buflen]; - int rc, i, n = sk_X509_num(sk); - X509 *cert = NULL; - EVP_PKEY *public_key; - int key_type, key_bits; - const char *type_str; - BIO *b; - - for (i = 0; i < n; i++) { - cert = sk_X509_value(sk, i); - public_key = X509_get_pubkey(cert); - - /* We are trying to find a way to get the hash function used - * with a certificate. This way, which is not very pleasant, puts - * a string such as "sha256WithRSAEncryption" in our buffer and we - * then trim off the "With..." part. - */ - b = BIO_new(BIO_s_mem()); - rc = i2a_ASN1_OBJECT(b, cert->sig_alg->algorithm); - - if (rc > 0) { - rc = BIO_gets(b, buf, buflen); - } - if (rc <= 0) { - strcpy(buf, "(unknown)"); - buf[buflen-1] = '\0'; - } else { - char *s = strstr(buf, "With"); - - if (s) { - *s = '\0'; - if (!strcmp(buf, "sha1")) { - MSG_WARN("In 2015, browsers have begun to deprecate SHA1 " - "certificates.\n"); - } else if (!strncmp(buf, "md", 2)) { - MSG_ERR("Browsers stopped accepting MD5 certificates around " - "2012.\n"); - } - } - } - BIO_free(b); - MSG("%s ", buf); - - - key_type = EVP_PKEY_type(public_key->type); - type_str = key_type == EVP_PKEY_RSA ? "RSA" : - key_type == EVP_PKEY_DSA ? "DSA" : - key_type == EVP_PKEY_DH ? "DH" : - key_type == EVP_PKEY_EC ? "EC" : "???"; - key_bits = EVP_PKEY_bits(public_key); - X509_NAME_oneline(X509_get_subject_name(cert), buf, buflen); - buf[buflen-1] = '\0'; - MSG("%d-bit %s: %s\n", key_bits, type_str, buf); - EVP_PKEY_free(public_key); - - if (key_type == EVP_PKEY_RSA && key_bits <= 1024) { - /* TODO: Gather warnings into one popup. 
*/ - MSG_WARN("In 2014/5, browsers have been deprecating 1024-bit RSA " - "keys.\n"); - } - } - - if (cert) { - X509_NAME_oneline(X509_get_issuer_name(cert), buf, buflen); - buf[buflen-1] = '\0'; - MSG("root: %s\n", buf); - } - } -} - /* * Connect, set a callback if it's still not completed. If completed, check * the certificate and report back to http. @@ -1080,18 +1119,17 @@ static void Tls_connect(int fd, int connkey) Tls_servers_by_url_cmp); if (srv->cert_status == CERT_STATUS_RECEIVING) { - /* Making first connection with the server. Show some information. */ + /* Making first connection with the server. Show cipher used. */ SSL *ssl = conn->ssl; const char *version = SSL_get_version(ssl); const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl); MSG("%s: %s, cipher %s\n", URL_AUTHORITY(conn->url), version, SSL_CIPHER_get_name(cipher)); - Tls_print_cert_chain(ssl); } if (srv->cert_status == CERT_STATUS_USER_ACCEPTED || - (Tls_examine_certificate(conn->ssl, srv, URL_HOST(conn->url))!=-1)) { + (Tls_examine_certificate(conn->ssl, srv) != -1)) { failed = FALSE; } } diff --git a/src/IO/tls.h b/src/IO/tls.h index e3892cb2..9bc89de5 100644 --- a/src/IO/tls.h +++ b/src/IO/tls.h @@ -15,6 +15,7 @@ void a_Tls_init(); #ifdef ENABLE_SSL +int a_Tls_certificate_is_clean(const DilloUrl *url); int a_Tls_connect_ready(const DilloUrl *url); void a_Tls_reset_server_state(const DilloUrl *url); @@ -30,6 +31,7 @@ int a_Tls_read(void *conn, void *buf, size_t len); int a_Tls_write(void *conn, void *buf, size_t len); #else +#define a_Tls_certificate_is_clean(host) 0 #define a_Tls_connect_ready(url) TLS_CONNECT_NEVER #define a_Tls_reset_server_state(url) ; #define a_Tls_handshake(fd, url) ; diff --git a/src/Makefile.am b/src/Makefile.am index 57a68148..425f8614 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -37,6 +37,8 @@ dillo_SOURCES = \ bw.c \ cookies.c \ cookies.h \ + hsts.c \ + hsts.h \ auth.c \ auth.h \ md5.c \ 
@@ -128,5 +130,5 @@ dillo_SOURCES = \ xembed.cc \ xembed.hh -dist_sysconf_DATA = domainrc keysrc +dist_sysconf_DATA = domainrc keysrc hsts_preload EXTRA_DIST = chg srch diff --git a/src/cache.c b/src/cache.c index d8f1a123..b082ef89 100644 --- a/src/cache.c +++ b/src/cache.c @@ -26,6 +26,7 @@ #include "dicache.h" #include "nav.h" #include "cookies.h" +#include "hsts.h" #include "misc.h" #include "capi.h" #include "decode.h" @@ -653,7 +654,7 @@ static void Cache_parse_header(CacheEntry_t *entry) { char *header = entry->Header->str; bool_t server1point0 = !strncmp(entry->Header->str, "HTTP/1.0", 8); - char *Length, *Type, *location_str, *encoding, *connection; + char *Length, *Type, *location_str, *encoding, *connection, *hsts; #ifndef DISABLE_COOKIES Dlist *Cookies; #endif @@ -721,6 +722,14 @@ static void Cache_parse_header(CacheEntry_t *entry) dFree(connection); } + if (prefs.http_strict_transport_security && + !dStrAsciiCasecmp(URL_SCHEME(entry->Url), "https") && + !a_Url_host_is_ip(URL_HOST(entry->Url)) && + (hsts = Cache_parse_field(header, "Strict-Transport-Security"))) { + a_Hsts_set(hsts, entry->Url); + dFree(hsts); + } + /* * Get Transfer-Encoding and initialize decoder */ 
@@ -340,6 +340,46 @@ static void Capi_dpi_send_source(BrowserWindow *bw, DilloUrl *url) } /* + * Shall we permit this request to open a URL? + */ +static bool_t Capi_request_permitted(DilloWeb *web) +{ + bool_t permit = FALSE; + + /* web->requester is NULL if the action is initiated by user */ + if (!web->requester) + return TRUE; + + if (web->flags & ~WEB_RootUrl && + !dStrAsciiCasecmp(URL_SCHEME(web->requester), "https")) { + const char *s = URL_SCHEME(web->url); + + /* As of 2015, blocking of "active" mixed content is widespread + * (style sheets, javascript, fonts, etc.), but the big browsers aren't + * quite in a position to block "passive" mixed content (images) yet. + * (Not clear whether there's consensus on which category to place + * background images in.) + * + * We are blocking both, and only permitting secure->insecure page + * redirection for now (e.g., duckduckgo has been seen providing links + * to https URLs that redirect to http). As the web security landscape + * evolves, we may be able to remove that permission. + */ + if (dStrAsciiCasecmp(s, "https") && dStrAsciiCasecmp(s, "data")) { + MSG("capi: Blocked mixed content: %s -> %s\n", + URL_STR(web->requester), URL_STR(web->url)); + return FALSE; + } + } + + if (a_Capi_get_flags(web->url) & CAPI_IsCached || + a_Domain_permit(web->requester, web->url)) { + permit = TRUE; + } + return permit; +} + +/* * Most used function for requesting a URL. * TODO: clean up the ad-hoc bindings with an API that allows dynamic * addition of new plugins. 
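Review bot: The guard `web->flags & ~WEB_RootUrl` is an indirect way of saying "not a top-level navigation": it skips the mixed-content test whenever no flag at all is set, and applies it to a root request that carries any additional bit, so the outcome depends on how the other WEB_* flags happen to combine. If the intent is the one in the comment (block everything except secure-to-insecure page redirection), `!(web->flags & WEB_RootUrl)` states it directly; if zero-flag requests are deliberately exempt, that needs a comment because nothing in the hunk says so. It is also worth a sentence in the comment that the block returns before a_Domain_permit is consulted, so a domainrc rule cannot re-enable a mixed-content fetch. The function is complete within this hunk.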
@@ -355,11 +395,7 @@ int a_Capi_open_url(DilloWeb *web, CA_Callback_t Call, void *CbData) const char *scheme = URL_SCHEME(web->url); int safe = 0, ret = 0, use_cache = 0; - /* web->requester is NULL if the action is initiated by user */ - if (a_Capi_get_flags(web->url) & CAPI_IsCached || - web->requester == NULL || - a_Domain_permit(web->requester, web->url)) { - + if (Capi_request_permitted(web)) { /* reload test */ reload = (!(a_Capi_get_flags(web->url) & CAPI_IsCached) || (URL_FLAGS(web->url) & URL_E2EQuery)); diff --git a/src/dialog.cc b/src/dialog.cc index 03949a1c..64f60e38 100644 --- a/src/dialog.cc +++ b/src/dialog.cc @@ -382,6 +382,8 @@ int a_Dialog_choice(const char *title, const char *msg, ...) va_end(ap); window->end(); + choice_answer = 0; + window->show(); while (window->shown()) Fl::wait(); diff --git a/src/dillo.cc b/src/dillo.cc index 62ff9685..c7ae62c2 100644 --- a/src/dillo.cc +++ b/src/dillo.cc @@ -51,6 +51,7 @@ #include "capi.h" #include "dicache.h" #include "cookies.h" +#include "hsts.h" #include "domain.h" #include "auth.h" #include "styleengine.hh" @@ -469,6 +470,7 @@ int main(int argc, char **argv) a_Dicache_init(); a_Bw_init(); a_Cookies_init(); + a_Hsts_init(Paths::getPrefsFP(PATHS_HSTS_PRELOAD)); a_Auth_init(); a_UIcmd_init(); StyleEngine::init(); @@ -582,6 +584,7 @@ int main(int argc, char **argv) */ a_Domain_freeall(); a_Cookies_freeall(); + a_Hsts_freeall(); a_Cache_freeall(); a_Dicache_freeall(); a_Http_freeall(); diff --git a/src/form.cc b/src/form.cc index 92ee3a42..8c966ff2 100644 --- a/src/form.cc +++ b/src/form.cc @@ -23,6 +23,7 @@ #include "msg.h" #include "prefs.h" #include "uicmd.hh" +#include "dialog.hh" using namespace lout; using namespace dw; 
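Review bot: `a_Hsts_init(Paths::getPrefsFP(PATHS_HSTS_PRELOAD))` in main hands an open FILE* to the HSTS module and nothing in this diff closes it: the new a_Hsts_init and Hsts_preload read to EOF and return without fclose. Unless getPrefsFP returns a handle that is closed elsewhere, keep the stream in main and release it once the list is loaded: `FILE *fp = Paths::getPrefsFP(PATHS_HSTS_PRELOAD); a_Hsts_init(fp); if (fp) fclose(fp);`. It is a single descriptor for the life of the process, so this is housekeeping rather than a growing leak, but it keeps ownership of the file in one place. main starts before this hunk.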
@@ -1037,6 +1038,16 @@ void DilloHtmlForm::eventHandler(Resource *resource, EventButton *event) */ void DilloHtmlForm::submit(DilloHtmlInput *active_input, EventButton *event) { + if (!dStrAsciiCasecmp(URL_SCHEME(html->page_url), "https") && + dStrAsciiCasecmp(URL_SCHEME(action), "https")) { + int choice = a_Dialog_choice("Dillo: Insecure form submission", + "A form on a SECURE page wants to use an " + "INSECURE protocol to submit data.", + "Continue", "Cancel", NULL); + if (choice != 1) + return; + } + DilloUrl *url = buildQueryUrl(active_input); if (url) { if (event && event->button == 2) { diff --git a/src/hsts.c b/src/hsts.c new file mode 100644 index 00000000..ecbd9765 --- /dev/null +++ b/src/hsts.c 
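Review bot: The prompt compares the scheme of `action`, but what is actually sent is the `url` that buildQueryUrl builds on the following line; if that step can rewrite the scheme (this commit also changes src/url.c, where an HSTS upgrade to https would naturally live), the user is warned about an http action that ends up on https, or not warned in the reverse case. Moving the check after `DilloUrl *url = buildQueryUrl(active_input);` and testing `dStrAsciiCasecmp(URL_SCHEME(url), "https")` ties the warning to the request that is made; the cancel path then also has to free `url` before returning. If buildQueryUrl never changes the scheme, a one-line comment saying so would settle it. submit continues past the end of this hunk.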
@@ -0,0 +1,364 @@
+/*
+ * File: hsts.c
+ * HTTP Strict Transport Security
+ *
+ * Copyright 2015 corvid
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ */
+
+/* To preload hosts, as of 2015, chromium is the list keeper:
+ * https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
+ * although mozilla's is easier to work from (and they trim it based on
+ * criteria such as max-age must be at least some number of months)
+ * https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc?raw=1
+ */
+
+#include <time.h>
+#include <errno.h>
+#include <limits.h> /* for INT_MAX */
+#include <ctype.h> /* for isspace */
+#include <stdlib.h> /* for strtol */
+
+#include "hsts.h"
+#include "msg.h"
+#include "../dlib/dlib.h"
+#include "IO/tls.h"
+
+typedef struct {
+ char *host;
+ time_t expires_at;
+ bool_t subdomains;
+} HstsData_t;
+
+/* When there is difficulty in representing future dates, use the (by far)
+ * most likely latest representable time of January 19, 2038.
+ */ +static time_t hsts_latest_representable_time; +static Dlist *domains; + +static void Hsts_free_policy(HstsData_t *p) +{ + dFree(p->host); + dFree(p); +} + +void a_Hsts_freeall() +{ + if (prefs.http_strict_transport_security) { + HstsData_t *policy; + int i, n = dList_length(domains); + + for (i = 0; i < n; i++) { + policy = dList_nth_data(domains, i); + Hsts_free_policy(policy); + } + dList_free(domains); + } +} + +/* + * Compare function for searching a domain node by domain string + */ +static int Domain_node_domain_str_cmp(const void *v1, const void *v2) +{ + const HstsData_t *node = v1; + const char *host = v2; + + return dStrAsciiCasecmp(node->host, host); +} + +static HstsData_t *Hsts_get_policy(const char *host) +{ + return dList_find_sorted(domains, host, Domain_node_domain_str_cmp); +} + +static void Hsts_remove_policy(HstsData_t *policy) +{ + if (policy) { + _MSG("HSTS: removed policy for %s\n", policy->host); + Hsts_free_policy(policy); + dList_remove(domains, policy); + } +} + +/* + * Return the time_t for a future time. + */ +static time_t Hsts_future_time(long seconds_from_now) +{ + time_t ret, now = time(NULL); + struct tm *tm = gmtime(&now); + + if (seconds_from_now > INT_MAX - tm->tm_sec) + tm->tm_sec = INT_MAX; + else + tm->tm_sec += seconds_from_now; + + ret = mktime(tm); + if (ret == (time_t) -1) + ret = hsts_latest_representable_time; + + return ret; +} + +/* + * Compare function for searching domains. + */ +static int Domain_node_cmp(const void *v1, const void *v2) +{ + const HstsData_t *node1 = v1, *node2 = v2; + + return dStrAsciiCasecmp(node1->host, node2->host); +} + +static void Hsts_set_policy(const char *host, long max_age, bool_t subdomains) +{ + time_t exp = Hsts_future_time(max_age); + HstsData_t *policy = Hsts_get_policy(host); + + _MSG("HSTS: %s %s%s: until %s", (policy ? "modify" : "add"), host, + (subdomains ? 
" and subdomains" : ""), ctime(&exp)); + + if (policy == NULL) { + policy = dNew0(HstsData_t, 1); + policy->host = dStrdup(host); + dList_insert_sorted(domains, policy, Domain_node_cmp); + } + policy->subdomains = subdomains; + policy->expires_at = exp; +} + +/* + * Read the next attribute. + */ +static char *Hsts_parse_attr(const char **header_str) +{ + const char *str; + uint_t len; + + while (dIsspace(**header_str)) + (*header_str)++; + + str = *header_str; + /* find '=' at end of attr, ';' after attr/val pair, '\0' end of string */ + len = strcspn(str, "=;"); + *header_str += len; + + while (len && (str[len - 1] == ' ' || str[len - 1] == '\t')) + len--; + return dStrndup(str, len); +} + +/* + * Get the value in *header_str. + */ +static char *Hsts_parse_value(const char **header_str) +{ + uint_t len; + const char *str; + + if (**header_str == '=') { + (*header_str)++; + while (dIsspace(**header_str)) + (*header_str)++; + + str = *header_str; + /* finds ';' after attr/val pair or '\0' at end of string */ + len = strcspn(str, ";"); + *header_str += len; + + while (len && (str[len - 1] == ' ' || str[len - 1] == '\t')) + len--; + } else { + str = *header_str; + len = 0; + } + return dStrndup(str, len); +} + +/* + * Advance past any value. + */ +static void Hsts_eat_value(const char **str) +{ + if (**str == '=') + *str += strcspn(*str, ";"); +} + +/* + * The reponse for this url had an HSTS header, so let's take action. + */ +void a_Hsts_set(const char *header, const DilloUrl *url) +{ + long max_age; + const char *host = URL_HOST(url); + bool_t max_age_valid = FALSE, subdomains = FALSE; + + _MSG("HSTS header for %s: %s\n", host, header); + + if (!a_Tls_certificate_is_clean(url)) { + /* RFC 6797 gives rationale in section 14.3. 
*/
+ _MSG("But there were certificate warnings, so ignore it (!)\n");
+ return;
+ }
+
+ /* Iterate until there is nothing left of the string */
+ while (*header) {
+ char *attr;
+ char *value;
+
+ /* Get attribute */
+ attr = Hsts_parse_attr(&header);
+
+ /* Get the value for the attribute and store it */
+ if (dStrAsciiCasecmp(attr, "max-age") == 0) {
+ value = Hsts_parse_value(&header);
+ if (isdigit(*value)) {
+ errno = 0;
+ max_age = strtol(value, NULL, 10);
+ if (errno == ERANGE)
+ max_age = INT_MAX;
+ max_age_valid = TRUE;
+ }
+ dFree(value);
+ } else if (dStrAsciiCasecmp(attr, "includeSubDomains") == 0) {
+ subdomains = TRUE;
+ Hsts_eat_value(&header);
+ } else if (dStrAsciiCasecmp(attr, "preload") == 0) {
+ /* 'preload' is not part of the RFC, but what does google care for
+ * standards? They require that 'preload' be specified by a domain
+ * in order to be added to their preload list.
+ */
+ } else {
+ MSG("HSTS: header contains unknown attribute: '%s'\n", attr);
+ Hsts_eat_value(&header);
+ }
+
+ dFree(attr);
+
+ if (*header == ';')
+ header++;
+ }
+ if (max_age_valid) {
+ if (max_age > 0)
+ Hsts_set_policy(host, max_age, subdomains);
+ else
+ Hsts_remove_policy(Hsts_get_policy(host));
+ }
+}
+
+static bool_t Hsts_expired(HstsData_t *policy)
+{
+ time_t now = time(NULL);
+ bool_t ret = (now > policy->expires_at) ?
TRUE : FALSE; + + if (ret) { + _MSG("HSTS: expired\n"); + } + return ret; +} + +bool_t a_Hsts_require_https(const char *host) +{ + bool_t ret = FALSE; + + if (host) { + HstsData_t *policy = Hsts_get_policy(host); + + if (policy) { + _MSG("HSTS: matched host %s\n", host); + if (Hsts_expired(policy)) + Hsts_remove_policy(policy); + else + ret = TRUE; + } + if (!ret) { + const char *domain_str; + + for (domain_str = strchr(host+1, '.'); + domain_str != NULL && *domain_str; + domain_str = strchr(domain_str+1, '.')) { + policy = Hsts_get_policy(domain_str+1); + + if (policy && policy->subdomains) { + _MSG("HSTS: matched %s under %s subdomain rule\n", host, + policy->host); + if (Hsts_expired(policy)) { + Hsts_remove_policy(policy); + } else { + ret = TRUE; + break; + } + } + } + } + } + return ret; +} + +static void Hsts_preload(FILE *stream) +{ + const int LINE_MAXLEN = 4096; + const long ONE_YEAR = 60 * 60 * 24 * 365; + + char *rc, *subdomains; + char line[LINE_MAXLEN]; + char domain[LINE_MAXLEN]; + + /* Get all lines in the file */ + while (!feof(stream)) { + line[0] = '\0'; + rc = fgets(line, LINE_MAXLEN, stream); + if (!rc && ferror(stream)) { + MSG_WARN("HSTS: Error while reading preload entries: %s\n", + dStrerror(errno)); + return; /* bail out */ + } + + /* Remove leading and trailing whitespace */ + dStrstrip(line); + + if (line[0] != '\0' && line[0] != '#') { + int i = 0, j = 0; + + /* Get the domain */ + while (line[i] != '\0' && !dIsspace(line[i])) + domain[j++] = line[i++]; + domain[j] = '\0'; + + /* Skip past whitespace */ + while (dIsspace(line[i])) + i++; + + subdomains = line + i; + + if (dStrAsciiCasecmp(subdomains, "true") == 0) + Hsts_set_policy(domain, ONE_YEAR, TRUE); + else if (dStrAsciiCasecmp(subdomains, "false") == 0) + Hsts_set_policy(domain, ONE_YEAR, FALSE); + else { + MSG_WARN("HSTS: format of line not recognized. 
Ignoring '%s'.\n",
+ line);
+ }
+ }
+ }
+}
+
+void a_Hsts_init(FILE *preload_file)
+{
+ if (prefs.http_strict_transport_security) {
+ struct tm future_tm = {7, 14, 3, 19, 0, 138, 0, 0, 0, 0, 0};
+
+ hsts_latest_representable_time = mktime(&future_tm);
+ domains = dList_new(32);
+
+ if (preload_file)
+ Hsts_preload(preload_file);
+ }
+}
+
diff --git a/src/hsts.h b/src/hsts.h
new file mode 100644
index 00000000..693aec10
--- /dev/null
+++ b/src/hsts.h
@@ -0,0 +1,19 @@
+#ifndef __HSTS_H__
+#define __HSTS_H__
+
+#include "d_size.h"
+#include "url.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+void a_Hsts_init(FILE *fp);
+void a_Hsts_set(const char *header, const DilloUrl *url);
+bool_t a_Hsts_require_https(const char *host);
+void a_Hsts_freeall( void );
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+#endif /* !__HSTS_H__ */
diff --git a/src/hsts_preload b/src/hsts_preload
new file mode 100755
index 00000000..22e3aa3c
--- /dev/null
+++ b/src/hsts_preload
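Review bot: Hsts_future_time, earlier in this hunk, builds the expiry by pushing `gmtime(&now)` through `mktime`, but mktime interprets the broken-down time as local time, so the stored value is `now + max_age` shifted by the local UTC offset: in a UTC+2 zone a `max-age=3600` policy is already expired when Hsts_set_policy stores it and Hsts_expired drops it on the first lookup, while in UTC-5 every policy lingers five extra hours. The expiry can be computed directly on time_t with the 2038 cap applied to the difference, as below. Separately, Hsts_remove_policy calls `Hsts_free_policy(policy)` and only then `dList_remove(domains, policy)`, passing a freed pointer as the removal key; swapping the two lines (`dList_remove(domains, policy); Hsts_free_policy(policy);`) keeps the key valid. Policies learned from headers also live only until exit, since nothing here writes them out, which is worth a comment at a_Hsts_set so nobody expects the preload file to be updated.
```c
static time_t Hsts_future_time(long seconds_from_now)
{
   time_t now = time(NULL);

   /* cap at the chosen 2038 limit instead of letting the addition wrap */
   if (seconds_from_now > 0 &&
       (hsts_latest_representable_time - now) < seconds_from_now)
      return hsts_latest_representable_time;
   return now + seconds_from_now;
}
```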
@@ -0,0 +1,2037 @@ +# This HTTP Strict Transport Security preload file was created on 2015-06-28 +# from the list in +# https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc +# Format: domain include_subdomains + +007sascha.de true +0x0a.net true +1000minds.com true +17hats.com true +188trafalgar.ca true +18f.gsa.gov true +1a-diamantscheiben.de true +1a-jva.de true +1a-vermessung.at true +1a-werkstattgeraete.de true +2048game.co.uk true +2600hq.com true +301.website true +302.nyc true +314chan.org true +3do3dont.com true +47ronin.com false +4g-server.eu true +4sqsu.eu true +5apps.com false +7183.org true +8ack.de true +9point6.com true +abecodes.net false +abiapp.net true +abmahnhelfer.de true +accounts.firefox.com true +accounts.google.com true +aclu.org false +acuica.co.uk false +acus.gov true +adambyers.com true +adamkostecki.de true +adamstas.com true +addvocate.com true +adlershop.ch true +admin.fedoraproject.org true +admin.google.com true +admin.stg.fedoraproject.org true +adorai.tk true +adsfund.org true +advanced-online.eu true +aerolog.co true +aes256.ru true +aeyoun.com true +afp548.com true +afrodigital.uk true +agrios.de true +ahoyconference.com true +ahwatukeefoothillsmontessori.com true +aids.gov true +aie.de true +aircomms.com true +airlea.com true +aiticon.com true +ajouin.com true +akachanikuji.com true +akselinurmio.fi true +al-shami.net true +aladdinschools.appspot.com true +alainwolf.net true +alaninkenya.org true +alanrickmanflipstable.com true +alecvannoten.be true +alethearose.com true +alexgaynor.net true +alexsexton.com true +alexyang.me true +allinonecyprus.com true +alza.cz true +alza.de true +alza.sk true +alzashop.com true +amaforums.org false +amdouglas.uk true +anadoluefessk.org true +anadoluefessporkulubu.org true +anakros.me true +andere-gedanken.net true +andreasbreitenlohner.de true +andrewimeson.com true +andymartin.cc true +anetaben.nl true +angularjs.org true +anime.my false +animurecs.com 
true +ankakaak.com true +ankarakart.com.tr true +annahmeschluss.de true +annevankesteren.com true +annevankesteren.nl true +annevankesteren.org true +anonym-surfen.de true +ansdell.net true +antipolygraph.org true +antoniomarques.eu true +anycoin.me true +apachehaus.de false +apadvantage.com true +api.intercom.io false +api.lookout.com false +api.simple.com false +api.xero.com false +apis.google.com true +apn-einstellungen.de true +aponow.de true +app.lookout.com false +app.manilla.com true +app.recurly.com true +app.simpletax.ca false +app.yinxiang.com false +appengine.google.com true +apple-watch-zubehoer.de true +apps-for-fishing.com true +apps.facebook.com false +apps.fedoraproject.org true +apps.stg.fedoraproject.org true +aprz.de true +aranycsillag.net true +arbitrary.ch true +archlinux.de true +areafiftylan.nl true +arendburgers.nl true +arguggi.co.uk true +arivo.com.br true +arlen.io true +armytricka.cz true +aroonchande.com true +arteseideias.com.pt true +arty.name true +ask.fedoraproject.org true +ask.stg.fedoraproject.org true +atc.io true +athenelive.com true +atishchenko.com true +atlantischild.hu true +atlassian.net true +atte.fi true +auf-feindgebiet.de true +aurainfosec.com true +aurainfosec.com.au true +auraredeye.com true +auraredshield.com true +authentication.io true +autoledky.sk true +axka.com false +azirevpn.com true +badges.fedoraproject.org true +badges.stg.fedoraproject.org true +baer.im true +baff.lu true +bagelsbakery.com true +balcan-underground.net true +balikonos.cz true +bank.simple.com false +bardiharborow.com true +barslecht.com true +barslecht.nl true +baruch.me true +bassh.net true +bautied.de true +bayrisch-fuer-anfaenger.de true +bccx.com true +bcrook.com false +beach-inspector.com true +beamitapp.com true +beastowner.com true +beastowner.li true +bedeta.de true +bedreid.dk true +beercandle.com true +ben-energy.com true +benchling.com true +beneathvt.com true +benjamin.pe true +benjamins.com true +bentertain.de true 
+best-wedding-quotes.com true +bfelob.gov true +bgneuesheim.de true +bhatia.at true +biathloncup.ru true +biddl.com true +big-andy.co.uk true +bigbrownpromotions.com.au true +bigdinosaur.org true +billigssl.dk true +bit-sentinel.com true +bit.voyage true +bitbucket.org false +bitchan.it true +bitcoin.de true +bitcoinx.ro true +bitfactory.ws true +bitmex.com true +bitmon.net true +bitnet.io true +bitpod.de true +bjornjohansen.no true +bl4ckb0x.com true +bl4ckb0x.de true +bl4ckb0x.info true +bl4ckb0x.net true +bl4ckb0x.org true +blablacar.co.uk true +blablacar.com true +blablacar.com.tr true +blablacar.com.ua true +blablacar.de true +blablacar.es true +blablacar.fr true +blablacar.hr true +blablacar.hu true +blablacar.in true +blablacar.it true +blablacar.mx true +blablacar.nl true +blablacar.pl true +blablacar.pt true +blablacar.ro true +blablacar.rs true +blablacar.ru true +blackberrycentral.com true +blessnet.jp true +blockchain.info true +blocksatz-medien.de true +bloemendal.me true +blog.cyveillance.com true +blog.gparent.org true +blog.linode.com false +blog.torproject.org false +blubbablasen.de true +bodo-wolff.de false +bohramt.de true +boiseonlinemall.com true +bonitabrazilian.co.nz true +bookingapp.nl true +bownty.dk true +boxcryptor.com true +boypoint.de true +bradkovach.com true +brage.info false +braineet.com true +brainfork.ml true +braintreegateway.com true +brakemanpro.com true +bran.cc true +branchtrack.com false +brandbuilderwebsites.com true +breeswish.org true +brks.xyz true +broeselei.at true +brossmanit.com true +brunosouza.org true +buddhistische-weisheiten.org true +bugzil.la true +bugzilla.mozilla.org true +buiko.com true +buildkite.com true +bulktrade.de true +bundaberg.com true +burtrum.org true +business.facebook.com false +business.lookout.com false +businesshosting.nl true +bustimes.org true +buzzconcert.com true +bygningsregistrering.dk true +bysymphony.com true +bytepark.de false +bzv-fr.eu true +ca.gparent.org true +cackette.com true 
+call.me true +calomel.org true +calories.org true +calvin.me true +camolist.com true +canhazip.com true +cao.gov true +capitaltg.com true +cardoni.net true +caremad.io true +carezone.com false +carlosalves.info true +cartouche24.eu true +cartucce24.it true +casa-su.casa true +catnapstudios.com true +cbhq.net true +cdlcenter.com true +cdnb.co true +cdt.org true +certible.com true +certly.io true +cfo.gov true +chahub.com true +chainmonitor.com true +chartstoffarm.de false +chatbot.me true +check.torproject.org false +checkout.google.com true +cheesetart.my false +chrisirwin.ca true +chrisjean.com true +chrome-devtools-frontend.appspot.com true +chrome.com false +chrome.google.com true +chromiumcodereview.appspot.com false +chroniclesofgeorge.com true +chulado.com true +cio.gov true +cklie.de true +ckliemann.com true +ckliemann.net true +cktennis.com true +clan-ww.com true +clapping-rhymes.com true +classdojo.com true +clerkendweller.uk true +clevisto.com true +climateinteractive.org true +clintwilson.technology true +cloud.google.com true +cloudcert.org true +cloudns.com.au true +cloudpebble.net true +cloudsecurityalliance.org true +cloudstoragemaus.com true +cloudup.com true +code-poets.co.uk true +code.facebook.com false +code.google.com true +codepoints.net true +codepref.com true +codepx.com true +codereview.appspot.com false +codereview.chromium.org true +coinapult.com true +coinbase.com true +coindam.com false +collinmbarrett.com true +coloradocomputernetworking.net true +comdurav.com true +commencepayments.com true +completionist.audio true +comssa.org.au true +config.schokokeks.org false +conformal.com true +conrad-kostecki.de true +console.support true +consumersentinel.gov true +contributor.google.com true +controlcenter.gigahost.dk true +cor-ser.es true +cordial-restaurant.com true +costablancavoorjou.com true +cotonea.de true +courtlistener.com true +covenantoftheriver.org true +covoiturage.fr true +cpvmatch.eu true +cracker.in.th true +crm.onlime.ch 
false +crowdjuris.com true +crute.me true +crypto.cat false +crypto.graphics true +cryptobin.org true +cryptography.io true +cryptopartyatx.org true +cryptopush.com true +csacongress.org true +cspbuilder.info true +csuw.net true +cube.de true +cupcake.io true +cupcake.is true +curiosity-driven.org true +curlybracket.co.uk true +curtacircuitos.com.br false +cyanogenmod.xxx true +cybershambles.com true +cybozu.com true +cybozulive.com true +cycleluxembourg.lu true +cyon.ch true +cyphertite.com true +cyprus-company-service.com true +czakey.net true +czbix.com true +czk.mk true +d42.no true +daknob.net true +danielalvarez.net true +danonsecurity.com true +danskoferie.dk true +danw.io true +daphne.informatik.uni-freiburg.de true +darchoods.net false +darkengine.io true +darknode.in true +darkpony.ru true +darkserver.fedoraproject.org true +darkserver.stg.fedoraproject.org true +darlo.co.uk true +darom.jp true +dash-board.jp false +data-abundance.com true +data.qld.gov.au false +datasnitch.co.uk true +datenkeks.de true +daveoc64.co.uk true +davidlyness.com true +davidmcevoy.org.uk true +davidnoren.com true +daylightpirates.org true +dbgamestudio.com true +dccode.gov true +deadbeef.ninja true +dealcruiser.nl true +debtkit.co.uk true +dedimax.de true +dee.pe true +defcon.org true +dekasan.ru true +deliverance.co.uk false +denh.am true +depechemode-live.com true +derevtsov.com false +derhil.de true +desmaakvanplanten.be true +detectify.com false +developer.mydigipass.com false +developers.facebook.com false +devinfo.net false +devklog.net true +diamante.ro true +die-besten-weisheiten.de true +digital1st.co.uk true +dillonkorman.com true +dinamoelektrik.com true +disking.co.uk true +dist.torproject.org false +dixmag.com false +dl.google.com true +dlc.viasinc.com true +dm.lookout.com false +dm.mylookout.com false +dn42.us true +dnmlab.it true +dnsman.se true +doc.python.org true +docs.google.com true +docs.python.org true +dohosting.ru true +domainkauf.de true 
+domains.google.com true +donmez.uk true +donmez.ws true +donotcall.gov true +doridian.com true +doridian.de true +doridian.net true +doridian.org true +dpsg-roden.de true +dragons-of-highlands.cz true +dreadbyte.com true +dreamsforabetterworld.com.au true +drive.google.com true +dropbox.com true +dropboxer.net true +drtroyhendrickson.com true +drumbandesperanto.nl true +dubrovskiy.net true +ducohosting.com true +dyeager.org true +dylanscott.com.au true +dynaloop.net true +dzlibs.io true +e-kontakti.fi true +e.mail.ru true +earmarks.gov true +easysimplecrm.com false +eatsleeprepeat.net true +ebanking.indovinabank.com.vn true +ecake.in true +ecdn.cz true +ecfs.link true +ecg.fr false +ecosystem.atlassian.net true +ectora.com true +ed.gs true +edge-cloud.net true +edit.yahoo.com false +edix.ru true +eduid.se true +eduroam.no true +edyou.eu true +ef.gy true +eff.org true +egfl.org.uk true +egit.co true +ego4u.com true +ego4u.de true +eksisozluk.com true +electronic-ignition-system.com true +ellegaard.dk true +elliquiy.com true +emailprivacytester.com true +emptypath.com true +encircleapp.com true +encryptallthethings.net true +encrypted.google.com true +energy-drink-magazin.de true +enigmail.net true +enorekcah.com true +enskat.de true +enskatson-sippe.de true +entropia.de false +erisrenee.com true +eromixx.com true +erotische-aanbiedingen.nl true +errors.zenpayroll.com false +eru.me true +esoa.net true +espra.com true +ethack.org true +ethercalc.com true +ethercalc.org true +ethitter.com true +etoprekrasno.ru true +eurotramp.com true +eva.cz true +evalesc.com true +everhome.de true +eveshamglass.co.uk true +evstatus.com true +exiahost.com false +exon.io true +expatads.com true +explodie.org true +expoundite.net true +extendwings.com true +ezequiel-garzon.com true +ezequiel-garzon.net true +f-droid.org true +f2f.cash true +fa-works.com true +fabhub.io true +facebook.com false +factor.cc false +fairbill.com true +fakturoid.cz true +falconvintners.com true +fangs.ink 
true +fant.dk true +faq.lookout.com false +fassadenverkleidung24.de true +fastcomcorp.net true +fatherhood.gov true +faucetbox.com true +federalregister.gov true +fedorahosted.org true +fedorapeople.org true +feedbin.com false +feedthebot.com true +feen.us true +feminists.co true +ferienhaus-polchow-ruegen.de false +fewo-thueringer-wald.de true +ffbans.org true +fidelapp.com true +fiftyshadesofluca.ml true +fiken.no true +filedir.com false +filip-prochazka.com true +finn.io false +firebaseio-demo.com true +firebaseio.com true +firebirdrangecookers.com true +firefart.at true +firemail.io true +firma-offshore.com true +firstlook.org true +fischer-its.com true +fish-hook.ru true +fitkram.cz true +fj.simple.com false +flagspot.net true +flamer-scene.com true +fleximus.org false +floobits.com true +florian-lillpopp.de true +florianlillpopp.de true +florianmitrea.uk true +floweslawncare.com true +flushstudios.com true +fluxfingers.net true +flynn.io true +fniephaus.com true +food4health.guide true +foodwise.marketing true +forewordreviews.com true +forgix.com true +forodeespanol.com true +forum.linode.com false +forum.quantifiedself.com true +foxelbox.com true +fralef.me false +frederik-braun.com true +freenetproject.org true +freeshell.de true +freesounding.com true +freesounding.ru true +freethought.org.au true +fretscha.com true +froggstack.de true +fronteers.nl true +fruchthof24.de true +frusky.de false +frusky.net true +ftccomplaintassistant.gov true +fteproxy.org true +fundingempire.com true +futos.de true +fuzzing-project.org true +fx5.de true +g2g.com true +gallery44.org true +gambit.pro true +gambitnash.co.uk true +gambitnash.com true +gambitprint.com true +gamercredo.com true +gamercredo.net true +gameserver-sponsor.de true +garron.net true +gavick.com true +gaytorrent.ru true +gc.net true +ge3k.net true +gemeinfreie-lieder.de true +genuxation.com true +genuxtsg.com true +geoip.fedoraproject.org true +geoip.stg.fedoraproject.org true +gerardozamudio.mx true 
+gernert-server.de true +get.zenpayroll.com false +getable.com true +getbambu.com false +getcloak.com false +getcolor.com true +getdigitized.net true +getfedora.org true +getfittedstore.com true +getmango.com true +getnikola.com true +getsello.com true +getssl.uz true +gheorghesarcov.ga true +giacomopelagatti.it true +github.com true +github.party false +gizzo.sk true +glass.google.com true +globalittech.com false +globuli-info.de true +glossopnorthendafc.co.uk true +gmail.com false +gmantra.org true +gmcd.co true +gnetwork.eu true +go-zh.org true +go.xero.com false +gocardless.com true +gokmenguresci.com true +goldendata.io true +golfscape.com false +google true +googlemail.com false +googleplex.com true +gopay.cz true +goshop.cz true +gothamlimo.com true +goto.google.com true +gotspot.com true +gplintegratedit.com true +gpsfix.cz true +gra2.com true +grandcapital.id true +grandcapital.ru true +grc.com false +greensolid.biz true +gregorytlee.me true +grepular.com true +grigalanzsoftware.com true +grimm-gastrobedarf.de true +grocock.me.uk true +groetzner.net true +groszek.pl true +groups.google.com true +gtraxapp.com true +gudini.net true +gugga.dk false +guidetoiceland.is true +gunnarhafdal.com true +guphi.net true +guru-naradi.cz true +gurusupe.com true +guthabenkarten-billiger.de true +gvt2.com true +gvt3.com true +gw2treasures.com true +gwijaya.com true +h2check.org true +haber1903.com true +hachre.de false +hack.li true +hackerone-user-content.com true +hackerone.com true +haircrazy.com true +hangouts.google.com true +hansvaneijsden.com true +happylifestyle.com true +happyteamlabs.com true +harvestapp.com true +hash-list.com true +hasilocke.de true +haste.ch true +haufschild.de true +hausverbrauch.de true +haveibeenpwned.com true +hboeck.de true +healthcare.gov false +heartlandrentals.com true +heavystresser.com true +heftkaufen.de true +heha.co false +heid.ws true +heijblok.com true +helichat.de true +help.simpletax.ca false +helpadmin.net true +helpium.de 
true +hemlockhillscabinrentals.com true +henriknoerr.com true +heppler.net true +herbert.io true +herocentral.de true +herzbotschaft.de true +heute-kaufen.de true +hex2013.com true +hexony.com true +hg.python.org true +hicn.gq true +hicoria.com true +history.google.com false +hiv.gov true +hledejpravnika.cz true +hobbyspeed.com true +holymoly.lu true +honeybadger.io false +horza.org true +hostedtalkgadget.google.com true +hostinginnederland.nl true +hostix.de true +howrandom.org true +howsmyssl.com true +howsmytls.com true +hozana.si true +hpac-portal.com true +hrackydomino.cz true +hs-group.net true +hsmr.cc true +hsr.gov true +hstsfail.appspot.com true +html5.org true +httpswatch.com true +hushfile.it true +i10z.com true +i5y.co.uk true +iamcarrico.com true +ian.sh true +iban.is true +id-co.in true +id-conf.com true +id.atlassian.com true +id.mayfirst.org false +ideaweb.de true +ieval.ro true +ihrlotto.de true +ijohan.nl true +ikkatsu-satei.jp true +ilbuongiorno.it true +ilikerainbows.co true +ilikerainbows.co.uk false +imaginary.ca true +imagr.io true +imgg.es true +imouto.my false +impex.com.bd true +in.xero.com false +inb4.us true +inbox.google.com true +indiecert.net true +indovinabank.com.vn true +influxus.com true +infogrfx.com true +informnapalm.org true +iniiter.com true +initrd.net true +inkbunny.net true +inleaked.com true +innophate-security.com true +innophate-security.nl true +insighti.org true +insouciant.org true +instasex.ch true +integromat.com true +interasistmen.se true +interserved.com true +iostips.ru true +ipomue.com false +ipsec.pl true +iqualtech.com true +iranianlawschool.com true +iridiumbrowser.de true +irische-segenswuensche.info true +irmag.ru true +ironfistdesign.com true +isimonbrown.co.uk true +isitchristmas.com true +isogram.nl true +it-schwerin.de true +itdashboard.gov true +itriskltd.com true +itsamurai.ru true +itshost.ru true +ix8.ru true +izdiwho.com true +j-lsolutions.com true +jackyyf.com false +jacobparry.ca false 
+jacuzziprozone.com true +jahliveradio.com false +jakub-boucek.cz true +jamesbywater.co.uk true +jamesbywater.com true +jamesbywater.me true +jamesbywater.uk true +jamielinux.com true +janoberst.com true +jbn.mx true +jelmer.co.uk true +jelmer.uk true +jeremyness.com true +jetaprices.com true +jettshome.org true +jfreitag.de true +jh-media.eu false +jimshaver.net true +jira.com true +jitsi.org false +jkb.pics true +jkbuster.com true +jmdekker.it true +jmedved.com true +jogorama.com.br true +johannes.io true +johners.me true +johnmichel.org true +jonas-keidel.de true +jonaswitmer.ch true +jonathan.ir true +jondevin.com true +jonnybarnes.uk true +jonpads.com true +jpbike.cz true +jrc9.ca true +julianmeyer.de true +juliansimioni.com true +jwilsson.com true +jwilsson.me true +jwnotifier.org true +k-dev.de true +kaheim.de true +kalevlamps.co.uk true +kalmar.com true +kaneo-gmbh.de true +kanzashi.com true +karaoketonight.com true +kardize24.pl true +karmaspa.se true +kartonmodellbau.org true +kaufberatung.community true +kavovary-kava.cz true +kdex.de true +kdyby.org true +kedarastudios.com true +keeleysam.com true +keeleysam.me true +keepa.com true +keepclean.me true +keeperapp.com true +keepersecurity.com true +kernel-error.de true +kevincox.ca true +keybase.io true +keycdn.com true +keycom.co.uk true +keyerror.com true +khanovaskola.cz true +khipu.com true +khmath.com true +ki-on.net true +kinderbuecher-kostenlos.de true +kinganywhere.eu true +kingmanhall.org true +kinogb.net false +kinsights.com false +kintone.com true +kirei.se true +kissflow.com true +kitsta.com true +klarmobil-empfehlen.de true +klatschreime.de true +klausbrinch.dk true +klaxn.com true +kleidertauschpartys.de true +kliemann.me true +klingeletest.de true +knip.ch true +knowledgehook.com true +koen.io true +koenrouwhorst.nl true +koenvdheuvel.me true +kojipkgs.fedoraproject.org true +kollawat.me true +komandakovalchuk.com false +konklone.com true +koop-bremen.de true +koordinate.net true 
+korinar.com true +kosho.org true +kpdyer.com true +kpebetka.net true +kraken.io true +kredite.sale true +kredite24.de true +ks-watch.de true +kuppingercole.com true +kupschke.net true +kura.io true +labaia.info true +laf.in.net true +lagerauftrag.info true +lancejames.com true +lapetition.be true +lasst-uns-beten.de true +lastpass.com false +laukstein.com true +launchkey.com true +lavalite.de true +lavval.com true +lb-toner.de true +leadbook.ru true +leakedminecraft.net true +leanclub.org true +ledhouse.sk true +legoutdesplantes.be true +leibniz-remscheid.de true +leifdreizler.com true +lellyboi.ml true +lence.net true +leninalbertop.com.ve true +leonardcamacho.me true +leonax.net true +leonklingele.de true +les-corsaires.net true +libfte.org true +libraryfreedomproject.org true +lichtspot.de true +liebel.org true +light.mail.ru true +lighting-centres.co.uk true +lillpopp.eu true +lilpwny.com true +limitededitioncomputers.com true +limitededitionsolutions.com true +limpid.nl true +lingolia.com true +linode.com false +linorman1997.me true +linux-admin-california.com true +linx.li true +linx.net true +lists.mayfirst.org false +lists.stg.fedoraproject.org true +livej.am true +livekaarten.nl true +ljs.io true +lloyd-day.me true +lmmtfy.io true +lnx.li true +lobste.rs true +lockify.com true +lodash.com true +loenshotel.de true +loftboard.eu true +logentries.com false +login.corp.google.com true +login.launchpad.net true +login.persona.org true +login.sapo.pt true +login.ubuntu.com true +login.xero.com false +login.yahoo.com false +lolicore.ch true +lookout.com false +lookyman.net true +lookzook.com true +lore.azurewebsites.net true +ludwig.im true +luelistan.net true +lumi.do false +luneta.nearbuysystems.com false +luxwatch.com true +lymia.moe true +lyst.co.uk true +m.facebook.com false +m.mail.ru true +m0wef.uk true +maartenvandekamp.nl true +mach-politik.ch true +madars.org true +madeitwor.se true +mafamane.com true +maff.scot false +magneticanvil.com true 
+mahamed91.pw true +mail-settings.google.com true +mail.de true +mail.google.com true +mail.yahoo.com false +mailbox.org true +mailmag.net true +makeitdynamic.com true +makeyourlaws.org true +mall.cz true +mall.hu true +mall.pl true +mall.sk true +malnex.de true +malwre.io true +mammaw.com true +man3s.jp true +manage.zenpayroll.com false +manageprojects.com true +manager.linode.com false +mandala-ausmalbilder.de true +manicode.com true +markayapilandirma.com true +market.android.com true +markhaehnel.de true +markusueberallassetmanagement.de true +marshut.net true +massivum.de false +masters.black true +matatall.com false +mathiasbynens.be true +matteomarescotti.it true +mattfin.ch true +mattmccutchen.net true +mattsvensson.com true +max.gov true +maximelouet.me true +mbasic.facebook.com false +mbp.banking.co.at false +mcard.vn true +mccrypto.de true +mcnext.net true +md5file.com true +mdfnet.se false +me.net.nz true +meamod.com true +mebio.us true +medallia.io true +mediacru.sh true +medium.com true +medovea.ru true +medtehnika.ua true +meetfinch.com true +meetings2.com true +mega.co.nz true +megaplan.cz true +megaplan.ru true +mehmetince.net true +meinebo.it true +members.mayfirst.org false +members.nearlyfreespeech.net false +mercuryamericas.com true +meritz.rocks true +mertcangokgoz.com true +metrobriefs.com true +mevs.cz true +mh-bloemen.co.jp true +miasarafina.de true +michalspacek.cz true +miconcinemas.com true +mig5.net true +mijn-email.org true +mike-bland.com true +miketabor.com true +mikewest.org true +miku.hatsune.my false +mim.properties true +mimeit.de true +mimovrste.com true +mindcoding.ro true +mindoktor.se true +minecraftvoter.com true +mineover.es true +minez-nightswatch.com false +minikneet.com true +minnesotadata.com true +mironet.cz true +miskatonic.org true +miss-inventory.co.uk true +mister.hosting true +mitell.jp false +mittenhacks.com true +mjanja.ch true +mkcert.org true +mkw.st true +mnsure.org true +mobilcom-debitel-empfehlen.de true 
+mobile.usaa.com false +mobilux.lv true +mobobe.com true +modeldimension.com true +mokote.com true +mondwandler.de true +morethanadream.lv true +moriz.de true +moriz.net true +mothereff.in true +mountainmusicpromotions.com true +mountainroseherbs.com true +movlib.org true +mp3juices.is true +mpreserver.com true +mqas.net true +mr-hosting.com true +msa-aesch.ch true +msc-seereisen.net true +mtau.com true +mthode.org true +mths.be true +mtouch.facebook.com false +mudcrab.us true +mujadin.se true +multigamecard.com true +munich-rage.de true +munki.org true +munuc.org true +musi.cx true +musicgamegalaxy.de true +musmann.io true +mustika.cf true +mutamatic.com true +mutantmonkey.in true +mutantmonkey.info true +mutantmonkey.sexy true +mvno.io true +mvsecurity.nl true +mwe.st false +my.onlime.ch false +my.xero.com false +myaccount.google.com true +mygadgetguardian.lookout.com false +mygretchen.de true +mykontool.de true +mylookout.com false +myni.io true +mynigma.org true +myplaceonline.com true +myprintcard.de true +myvirtualserver.com true +nachsendeauftrag.net true +nachsenden.info true +naiharngym.com true +nameid.org true +namepros.com true +nan.zone true +nanderson.me true +narodniki.com true +nationalpriorities.org true +nayahe.ru true +nbl.org.tw true +nctx.co.uk true +ndarville.com true +nectarleaf.com true +neg9.org false +neilwynne.com false +neko.li true +nella-project.org true +nellacms.com true +nellacms.org true +nellafw.org true +nerven.se true +net-safe.info true +netbox.cc true +netera.se true +netrelay.email true +netrider.net.au true +newstarnootropics.com true +nextend.net true +ng-security.com true +nginxnudes.com true +nicolaw.uk true +nieselregen.com true +niloxy.com true +nmctest.net true +nmd.so true +nodari.com.ar true +noemax.com true +noob-box.net true +nopex.no true +northernmuscle.ca true +nos-oignons.net true +nostraforma.com false +notalone.gov true +nouvelle-vague-saint-cast.fr true +novacoast.com true +nowhere.dk true +npw.net true 
+nsboutique.com true +nu3.at true +nu3.ch true +nu3.co.uk true +nu3.com true +nu3.de true +nu3.dk true +nu3.fi true +nu3.fr true +nu3.no true +nu3.se true +null.tips true +nutsandboltsmedia.com true +nuvini.com true +nwa.xyz true +nwgh.org true +nymphetomania.net true +oakslighting.co.uk true +ocrami.us true +offshore-firma.org true +oguya.ch true +ohling.org true +ohnemusik.com true +okmx.de true +olivierlemoal.fr true +omitech.co.uk true +onedot.nl true +onedrive.com true +onedrive.live.com false +onsitemassageco.com true +ooonja.de true +openacademies.com true +oplop.appspot.com true +opsmate.com false +optimus.io true +orbograph-hrcm.com true +orcahq.com true +orhideous.name true +oscarvk.ch true +osquery.io true +osterkraenzchen.de true +otakuworld.de true +ouvirmusica.com.br true +ovenapp.io true +oversight.io true +ownmovies.fr true +p.linode.com false +packagist.org false +pactf.com true +pajonzeck.de true +palava.tv true +pap.la false +parent5446.us true +partyvan.eu true +partyvan.it true +partyvan.nl true +partyvan.se true +passphrase.today true +passport.yandex.by true +passport.yandex.com true +passport.yandex.com.tr true +passport.yandex.kz true +passport.yandex.ru true +passport.yandex.ua true +passwd.io true +password.codes true +passwords.google.com true +pasta-factory.co.il true +paste.linode.com false +pastebin.linode.com false +patechmasters.com true +patriksimek.cz true +patt.us true +pauladamsmith.com true +paulschreiber.com true +pay.gigahost.dk true +paymentaccuracy.gov true +payments-reference.org true +paymill.com true +paymill.de true +paypal.com false +payroll.xero.com false +pbprint.ru false +pclob.gov true +pdf.yt true +peercraft.com true +pentesterlab.com true +perfectionis.me true +personaldatabasen.no true +pestici.de true +petplum.com true +petrolplus.ru true +pharmaboard.de true +phil.tw true +philosopherswool.com true +phoenix.dj true +phoenixlogan.com true +phryanjr.com false +phurl.de true +pi-supply.com true +picksin.club true 
+picsto.re true +pieperhome.de true +pierre-schmitz.com true +pieterhordijk.com true +pijuice.com true +piratedb.com true +piratedot.com true +pirateproxy.sx true +pixel.facebook.com false +pixi.me true +play.google.com true +plothost.com true +plus.google.com false +plus.sandbox.google.com false +plzenskybarcamp.cz true +pmg-offshore-company.com true +pmg-purchase.com true +pmg-purchase.net true +poedgirl.com true +pollpodium.nl true +polymathematician.com true +polypho.nyc true +ponythread.com true +portal.tirol.gv.at true +posteo.de false +postfinance.ch true +posttigo.com true +prakharprasad.com true +prefontaine.name true +preissler.co.uk true +preloaded-hsts.badssl.com true +presidentials2016.com true +privategiant.com true +profiles.google.com true +progressiveplanning.com true +projectascension.io true +projektzentrisch.de true +prontolight.com true +proofwiki.org true +propagandism.org true +prospo.co true +prowhisky.de true +proximato.com true +proxybay.club true +proxybay.co true +proxybay.info true +ptn.moscow true +puac.de true +pubkey.is true +publications.qld.gov.au false +puiterwijk.org true +pult.co false +purewebmasters.com false +pwd.ovh true +pypa.io true +pypi.python.org true +python.org false +qa.fedoraproject.org true +qa.stg.fedoraproject.org true +qetesh.de true +qualityhomesystems.com true +quebecmailbox.com true +quli.nl true +quuz.org true +r3s1stanc3.me true +rad-route.de true +radiormi.com true +rafaelcz.de true +ragingserenity.com true +railgun.ac true +raiseyourflag.com true +ramsor-gaming.de true +rasing.me true +raspass.me true +ravchat.com true +rawstorieslondon.com true +raydobe.me false +raymii.org true +reaconverter.com true +red-t-shirt.ru true +redirect.fedoraproject.org true +redirect.stg.fedoraproject.org true +redletter.link true +redlink.de true +redteam-pentesting.de true +reedloden.com true +refundo.cz true +refundo.sk true +reg.ru false +release-monitoring.org true +reliable-mail.de true +renem.net true +report-uri.io 
true +research.facebook.com false +research.md true +residentsinsurance.co.uk true +resources.flowfinity.com true +reviews.anime.my true +riccy.org true +richiemail.net true +ricochet.im true +riesenmagnete.de true +rika.me true +rippleunion.com true +rischard.org true +rlalique.com true +rmmanfredi.com true +robertof.ovh true +robinadr.com true +robinsonyu.com true +robteix.com true +robtex.com true +rodosto.com true +roeper.party true +roland.io true +romab.com true +roman-pavlik.cz true +romans-place.me.uk true +romulusapp.com false +room-checkin24.de true +roosterpgplus.nl true +roots.io true +roquecenter.org true +rosenkeller.org true +rotunneling.net true +roundcube.mayfirst.org false +royalacademy.org.uk true +rpy.xyz true +rssr.se true +ru-sprachstudio.ch true +rubecodeberg.com true +rubendv.be true +rubyshop.nl true +rudloff.pro true +rusadmin.biz true +ruudkoot.nl true +rws-vertriebsportal.de true +ryan-goldstein.com true +s-c.se true +sabahattin-gucukoglu.com true +safescan.com true +sagerus.com true +sageth.com true +saintsrobotics.com true +sakaki.anime.my true +salaervergleich.com true +sale4ru.ru true +salserocafe.com true +samba.org true +samfunnet.no false +samizdat.cz true +samuelkeeley.com true +sanatfilan.com false +sandbox.mydigipass.com false +sarahlicity.co.uk true +saulchristie.com true +save.gov true +saveaward.gov true +savvytime.com true +schachburg.de true +schokokeks.org true +schreiber-netzwerk.eu true +schreibnacht.de true +schwarzer.it true +sciencex.com true +scotthel.me true +scotthelme.co.uk true +scoutdb.ch true +scrambl.is true +scrambler.in false +scrap.tf true +screenlight.tv true +scribe.systems true +script.google.com true +sdsl-speedtest.de true +search-one.de true +sec.gd true +secretserveronline.com true +secure.facebook.com false +securedrop.org true +securesuisse.ch true +securify.nl true +security-carpet.com true +security.google.com true +securityheaders.com true +securitysnobs.com false +secuvera.de true 
+seifried.org true +sellocdn.com true +servergno.me true +servertastic.com true +servethecity-karlsruhe.de false +setuid.io true +seyahatsagliksigortalari.com true +sh-network.de true +shaaaaaaaaaaaaa.com true +shadex.net true +shakepeers.org true +shamka.ru true +shanewadleigh.com true +shasso.com true +shellsec.pw true +shenyuqi.com true +sherbers.de true +shiinko.com false +shipard.com true +shodan.io true +shopontarget.com true +shortdiary.me true +sidium.de true +siewert-kau.de true +sigterm.sh true +sikayetvar.com true +silentcircle.com false +simbolo.co.uk false +simple.com false +simpletax.ca false +simplia.cz true +simplystudio.com true +siraweb.org true +siriad.com true +sites.google.com true +sitesko.de true +sitesten.com true +sizzle.co.uk true +sjoorm.com true +skeeley.com true +skhosting.eu true +skogsbruket.fi true +skogskultur.fi true +skydrive.live.com false +slack-files.com true +slack.com true +slattery.co true +sleio.com true +slever.cz true +slevomat.cz true +slidebatch.com true +slope.haus true +slse.ca true +smartcleaningcenter.nl true +smartcoin.com.br true +smartlend.se true +smartship.co.jp true +smith.is true +snailing.org true +snakehosting.dk true +snazel.co.uk true +sneezry.com true +sny.no true +soccergif.com true +soci.ml true +sockeye.cc true +soia.ca true +solihullcarnival.co.uk true +solihulllionsclub.org.uk true +sorz.org true +souki.cz true +soulfulglamour.uk true +soulogic.com true +sour.is true +sourceway.de true +southside-crew.com true +souvik.me true +spartantheatre.org true +spawn.cz true +speedcounter.net true +spencerbaer.com true +spideroak.com true +spongepowered.org true +spreadsheets.google.com true +spreed.me true +sprueche-zum-valentinstag.de true +sprueche-zur-geburt.info true +sprueche-zur-hochzeit.de true +sprueche-zur-konfirmation.de true +spyroszarzonis.com true +squareup.com false +srevilak.net true +sro.center true +ssl.google-analytics.com true +sslmate.com true +stablelib.com true +stage.wepay.com false 
+standardssuck.org true +starapple.nl true +static.wepay.com false +staticanime.net false +stationary-traveller.eu true +stereo.lu true +stereochro.me true +stesti.cz true +stevegrav.es true +steventress.com true +stewartremodelingadvantage.com true +sticklerjs.org true +stirling.co true +stocktrade.de false +storedsafe.com true +stormhub.org true +strasweb.fr false +stretchmyan.us true +stripe.com true +strongest-privacy.com true +stuartbaxter.co false +studienportal.eu true +studydrive.net true +stulda.cz true +subeesu.com true +subrosa.io true +sufix.cz true +suite73.org true +sunjaydhama.com true +suos.io true +supplies24.at true +supplies24.es true +support.mayfirst.org false +surkatty.org true +survivalmonkey.com true +svager.cz true +swehack.org false +sychov.pro true +sylaps.com true +sysctl.se true +sysdb.io true +syss.de true +t23m-navi.jp false +tadigitalstore.com true +tageau.com true +taken.pl true +talideon.com true +talk.google.com true +talkgadget.google.com true +tallr.se true +tallshoe.com true +tas2580.net true +taskotron.fedoraproject.org true +taskotron.stg.fedoraproject.org true +tatort-fanpage.de true +tauchkater.de true +tbspace.de true +tcgrepublic.com true +tdelmas.ovh true +tdrs.info true +teachforcanada.ca true +teamnorthgermany.de true +teamupturn.com true +techhipster.net true +techhub.ml true +techllage.com true +techloaner.com true +technotonic.com.au false +tegelsensanitaironline.nl true +tekshrek.com true +tempus-aquilae.de true +tent.io true +terraelectronica.ru true +terraweb.net true +terrax.info true +terrax.net true +terrty.net true +testsuite.org true +texte-zur-taufe.de true +thca.ca true +theamp.com true +thebimhub.com true +thecoffeehouse.xyz true +thecustomizewindows.com true +theescapistswiki.com true +thefrozenfire.com true +thehiddenbay.net true +themoep.at true +thepaymentscompany.com true +thepiratebay.al true +therapynotes.com true +thetomharling.com true +theunitedstates.io true +theweilai.com true 
+thomastimepieces.com.au true +thouni.de true +thumbtack.com true +thusoy.com true +thyngster.com false +tickopa.co.uk true +tid.jp true +timmy.ws true +timotrans.de true +timotrans.eu true +timtaubert.de true +tinfoilsecurity.com false +tinkertry.com false +tinte24.de true +tintenfix.net true +tipps-fuer-den-haushalt.de true +tittelbach.at true +titties.ml true +tls.li true +tmtopup.com true +tno.io true +tobias-kluge.de true +todesschaf.org true +todoist.com true +tollsjekk.no true +tom.horse true +tomfisher.eu true +tomharling.co.uk true +tomharling.uk true +tomrichards.net true +tomvote.com true +toner24.at true +toner24.co.uk true +toner24.es true +toner24.fr true +toner24.it true +toner24.nl true +toner24.pl true +tonerdepot.de true +tonerjet.at true +tonerjet.co.uk true +tonerklick.de true +tonerkurier.de true +tonermaus.de true +tonermonster.de true +tonex.de true +tonex.nl true +tonytan.cn true +tonywebster.com true +topbargains.com.au true +topodin.com true +topshelfguild.com true +toptexture.com true +tor2web.org true +tormentedradio.com true +torproject.org false +torquato.de false +toshnix.com true +totem-eshop.cz true +touch.facebook.com false +touch.mail.ru true +tox.im true +tpbproxy.co true +traas.org true +tracktivity.com.au true +translate.fedoraproject.org true +translate.googleapis.com true +translate.stg.fedoraproject.org true +trashnothing.com true +trauertexte.info true +tresorit.com true +tribaldos.com true +tribut.de true +ts3.consulting true +tuamoronline.com true +tucuxi.org true +tuitle.com true +tunebitfm.de true +tuxplace.nl true +twentymilliseconds.com true +twisto.cz true +twitter.com false +twitteroauth.com true +twofactorauth.org true +twolinepassbrewing.com true +typingrevolution.com true +uae-company-service.com true +ub3rk1tten.com false +ubanquity.com true +ubertt.org true +ucfirst.nl true +ukdefencejournal.org.uk true +ukhas.net true +ukrainians.ch true +ulabox.com true +unison.com true +unitedadmins.com true 
+unknownphenomena.net true +unravel.ie true +unterfrankenclan.de true +uonstaffhub.com true +uow.ninja true +upitnik.rs true +upload.facebook.com false +uptrends.com true +uptrends.de true +usaa.com false +uscntalk.com true +uspsoig.gov true +utilityapi.com true +utleieplassen.no true +vaddder.com true +vasanth.org true +vbh2o.com true +vechkasov.ru true +venicerealdeal.com true +vhost.co.id true +viasinc.com false +vijos.org true +visionless.me false +vitrado.de true +vmoagents.com false +vocaloid.my true +voicesuk.co.uk true +vomitb.in true +vortexhobbies.com true +votocek.cz true +votockova.cz true +vox.vg true +vpnzoom.com true +vrobert.fr false +vrtak-cz.net true +vserver-preis-vergleich.de true +vyplnto.cz true +vzk.io false +w-spotlight.appspot.com true +wallet.google.com true +walnutgaming.co.uk true +walnutgaming.com true +warrencreative.com false +watsonhall.uk true +wbg-vs.de true +wearvr.com true +webandmore.de false +webandwords.com.au true +webassadors.com false +webcollect.org.uk true +webeau.com true +webfilings-eu-mirror.appspot.com true +webfilings-eu.appspot.com true +webfilings-mirror-hrd.appspot.com true +webfilings.appspot.com true +weblogzwolle.nl true +webmail.gigahost.dk false +webmail.onlime.ch false +webmail.schokokeks.org false +webmaniabr.com true +webmarketingfestival.it true +webogram.org true +webrebels.org true +websenat.de true +webswitch.io true +webtalis.nl true +webtiles.co.uk true +webtrh.cz true +weggeweest.nl true +welches-kinderfahrrad.de true +welpy.com false +wepay.com false +wepay.in.th true +wesecom.com true +wesleyharris.ca true +wettertoertchen.com true +wevahoo.com true +wf-bigsky-master.appspot.com true +wf-demo-eu.appspot.com true +wf-demo-hrd.appspot.com true +wf-dogfood-hrd.appspot.com true +wf-pentest.appspot.com true +wf-staging-hr.appspot.com true +wf-training-hrd.appspot.com true +wf-training-master.appspot.com true +wf-trial-hrd.appspot.com true +whatwg.org true +whd-guide.de true +when-release.ru true 
+when.fm true +wherephoto.com true +whitestagforge.com true +whocalld.com true +whonix.org true +widememory.com false +wieninternational.at true +wifirst.net true +wiki.python.org true +wildbee.org true +wilf1rst.com true +williamsapiens.com true +williamsonshore.com true +willnorris.com true +wills.co.tt true +winhistory-forum.net true +wisv.ch true +wit.ai true +wondershift.biz true +wootton95.com true +worldcubeassociation.org true +wownmedia.com true +wpletter.de true +writeapp.me false +wtfismyip.com true +wubthecaptain.eu true +wunderlist.com true +wundi.net true +wurzelzwerg.net true +wvr-law.de true +www.aclu.org false +www.airbnb.com true +www.apollo-auto.com true +www.banking.co.at false +www.braintreepayments.com false +www.capitainetrain.com false +www.cyveillance.com true +www.dropbox.com true +www.dropcam.com false +www.entropia.de false +www.eternalgoth.co.uk true +www.etsy.com true +www.evernote.com false +www.facebook.com false +www.gamesdepartment.co.uk false +www.getcloak.com false +www.gmail.com false +www.googlemail.com false +www.gov.uk false +www.grc.com false +www.healthcare.gov false +www.heliosnet.com true +www.honeybadger.io false +www.intercom.io false +www.irccloud.com false +www.lastpass.com false +www.linode.com false +www.lookout.com false +www.makeyourlaws.org true +www.mydigipass.com false +www.mylookout.com false +www.noisebridge.net false +www.opsmate.com true +www.paypal.com false +www.python.org true +www.roddis.net true +www.schokokeks.org true +www.simbolo.co.uk false +www.simple.com false +www.therapynotes.com true +www.tinfoilsecurity.com false +www.torproject.org false +www.twitter.com false +www.usaa.com false +www.viasinc.com true +www.wepay.com false +www.zenpayroll.com false +wzrd.in true +wzyboy.org true +x.io true +xbrlsuccess.appspot.com true +xcoop.me true +xenesisziarovky.sk true +xf-liam.com true +xho.me true +xiaolvmu.me true +xn--maraa-rta.org true +xpd.se true +xps2pdf.co.uk true +xtrim.ru true +xuntier.ch 
true +y-o-w.com true +yafuoku.ru true +yahvehyireh.com true +yamaken.jp true +yanovich.net true +yaporn.tv false +yello.website true +yenniferallulli.com true +yenniferallulli.de true +yenniferallulli.es true +yenniferallulli.moda true +yenniferallulli.nl true +yetii.net true +yksityisyydensuoja.fi true +yokeepo.com true +yorcom.nl true +youdowell.com true +yoursecondphone.co true +ypart.eu true +yunzhu.li true +yunzhu.org true +z.ai true +zalan.do true +zapier.com true +zbasenem.pl true +zenpayroll.com false +zentraler-kreditausschuss.de true +zentralwolke.de true +zeplin.io false +zeropush.com true +zhang-hao.com true +zhovner.com true +zifb.in true +zixiao.wang true +zlatosnadno.cz true +zlavomat.sk true +zotero.org true +zravypapir.cz true
diff --git a/src/html.cc b/src/html.cc
index a92771d3..e8d84738 100644
--- a/src/html.cc
+++ b/src/html.cc
@@ -2203,9 +2203,9 @@ DilloImage *a_Html_image_new(DilloHtml *html, const char *tag, int tagsize)
 return NULL;
 alt_ptr = a_Html_get_attr_wdef(html, tag, tagsize, "alt", NULL);
- if ((!alt_ptr || !*alt_ptr) && !prefs.load_images) {
+ if (!alt_ptr || !*alt_ptr) {
 dFree(alt_ptr);
- alt_ptr = dStrdup("[IMG]"); // Place holder for img_off mode
+ alt_ptr = dStrdup("[IMG]");
 }
 dw::Image *dw = new dw::Image(alt_ptr);
@@ -353,6 +353,7 @@ void a_Nav_push(BrowserWindow *bw, const DilloUrl *url,
 a_Nav_cancel_expect(bw);
 a_Bw_expect(bw, url);
 Nav_open_url(bw, url, requester, 0);
+ a_UIcmd_set_location_text(bw, URL_STR(url));
 }
 /*
diff --git a/src/paths.hh b/src/paths.hh
index 8f52cd86..ecc02f8b 100644
--- a/src/paths.hh
+++ b/src/paths.hh
@@ -15,6 +15,7 @@
 #define PATHS_RC_PREFS "dillorc"
 #define PATHS_RC_KEYS "keysrc"
 #define PATHS_RC_DOMAIN "domainrc"
+#define PATHS_HSTS_PRELOAD "hsts_preload"
 class Paths {
 public:
diff --git a/src/prefs.c b/src/prefs.c
index 65ebcdae..39416a04 100644
--- a/src/prefs.c
+++ b/src/prefs.c
@@ -63,9 +63,10 @@ void a_Prefs_init(void)
 prefs.http_language = NULL;
 prefs.http_proxy = NULL;
 prefs.http_max_conns = 6;
- prefs.http_persistent_conns = FALSE;
+ prefs.http_persistent_conns = TRUE;
 prefs.http_proxyuser = NULL;
 prefs.http_referer = dStrdup(PREFS_HTTP_REFERER);
+ prefs.http_strict_transport_security = TRUE;
 prefs.http_user_agent = dStrdup(PREFS_HTTP_USER_AGENT);
 prefs.limit_text_width = FALSE;
 prefs.adjust_min_width = TRUE;
diff --git a/src/prefs.h b/src/prefs.h
index ac52786e..d22ef656 100644
--- a/src/prefs.h
+++ b/src/prefs.h
@@ -94,6 +94,7 @@ typedef struct {
 bool_t load_stylesheets;
 bool_t parse_embedded_css;
 bool_t http_persistent_conns;
+ bool_t http_strict_transport_security;
 int32_t buffered_drawing;
 char *font_serif;
 char *font_sans_serif;
diff --git a/src/prefsparser.cc b/src/prefsparser.cc
index d01dcac5..a57a1642 100644
--- a/src/prefsparser.cc
+++ b/src/prefsparser.cc
@@ -171,6 +171,8 @@ void PrefsParser::parse(FILE *fp)
 { "http_proxy", &prefs.http_proxy, PREFS_URL, 0 },
 { "http_proxyuser", &prefs.http_proxyuser, PREFS_STRING, 0 },
 { "http_referer", &prefs.http_referer, PREFS_STRING, 0 },
+ { "http_strict_transport_security",&prefs.http_strict_transport_security,
+ PREFS_BOOL, 0 },
 { "http_user_agent", &prefs.http_user_agent, PREFS_STRING, 0 },
 { "limit_text_width", &prefs.limit_text_width, PREFS_BOOL, 0 },
 { "adjust_min_width", &prefs.adjust_min_width, PREFS_BOOL, 0 },
@@ -46,6 +46,7 @@
 #include <ctype.h>
 #include "url.h"
+#include "hsts.h"
 #include "msg.h"
 static const char *HEX = "0123456789ABCDEF";
@@ -140,10 +141,17 @@ static DilloUrl *Url_object_new(const char *uri_str)
 url = dNew0(DilloUrl, 1);
+ /* url->buffer is given a little extra room in case HSTS needs to transform
+ * a URL string ending in ":80" to ":443".
+ */
+ int len = strlen(uri_str)+2;
+ s = dNew(char, len);
+ memcpy(s, uri_str, len-1);
+ s = dStrstrip(s);
+ /* remove leading & trailing space from buffer */
- url->buffer = dStrstrip(dStrdup(uri_str));
+ url->buffer = s;
- s = (char *) url->buffer;
 p = strpbrk(s, ":/?#");
 if (p && p[0] == ':' && p > s) { /* scheme */
 *p = 0;
@@ -412,6 +420,33 @@ DilloUrl* a_Url_new(const char *url_str, const char *base_url)
 dFree(str1);
 dFree(str2);
+
+ /*
+ * A site's HTTP Strict Transport Security policy may direct us to transform
+ * URLs like "http://en.wikipedia.org:80" to "https://en.wikipedia.org:443".
+ */
+ if (prefs.http_strict_transport_security &&
+ url->scheme && !dStrAsciiCasecmp(url->scheme, "http") &&
+ a_Hsts_require_https(a_Url_hostname(url))) {
+ const char *const scheme = "https";
+
+ MSG("url: HSTS transformation for %s.\n", url->url_string->str);
+ url->scheme = scheme;
+ if (url->port == URL_HTTP_PORT)
+ url->port = URL_HTTPS_PORT;
+
+ if (url->authority) {
+ int len = strlen(url->authority);
+
+ if (len >= 3 && !strcmp(url->authority + len-3, ":80")) {
+ strcpy((char *)url->authority + len-2, "443");
+ }
+ }
+
+ dStr_free(url->url_string, TRUE);
+ url->url_string = NULL;
+ }
+
 return url;
 } |
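Review bot: The deleted `// Place holder for img_off mode` was the only explanation of the "[IMG]" text, and the now-unconditional branch in a_Html_image_new carries none, so a reader can no longer tell why an empty or absent alt is replaced rather than passed through. Since the branch no longer depends on prefs.load_images, the placeholder is presumably shown whenever the dw::Image has nothing else to display (images off, not yet loaded, or failed) — please confirm against dw::Image and restore a comment such as `// alt fallback: shown whenever the image itself is not displayed`. a_Html_image_new starts before the hunk and continues after it.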
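Review bot: The default of `http_persistent_conns` flips from FALSE to TRUE in the same hunk that introduces the HSTS preference, and nothing here or in the neighbouring hunks explains it; it is a behaviour change independent of HSTS that users of an existing dillorc will not notice, so it deserves its own mention in the commit message or a comment on the line. The new `prefs.http_strict_transport_security = TRUE;` would also benefit from a one-line comment stating what it enables, e.g. `/* honour Strict-Transport-Security headers (and the bundled preload list) by default */`; the preload part is inferred only from the PATHS_HSTS_PRELOAD macro added in paths.hh, so confirm it against hsts.c before keeping it. a_Prefs_init starts before the hunk and continues after it.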
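Review bot: The new table entry in PrefsParser::parse is formatted unlike its neighbours: `{ "http_strict_transport_security",&prefs.http_strict_transport_security,` has no space after the comma, and the entry wraps onto a second line while every other row fits on one. If the line-length limit forces the wrap, keep the `, ` spacing and indent the continuation `PREFS_BOOL, 0 },` under the field reference so the row still reads as one table line; otherwise keep it on a single line like the rest. PrefsParser::parse starts before the hunk and continues after it.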
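Review bot: The slack byte the new comment in Url_object_new refers to is left uninitialised and its consumer is not named: `memcpy(s, uri_str, len-1);` copies the string plus its terminator, so `s[len-1]` is undefined, and the only code that needs that byte is the `strcpy(..., "443")` in the a_Url_new hunk further down, which writes one byte past the original terminator when the authority ends the string. Allocating with `s = dNew0(char, len);` (or adding `s[len-1] = '\0';`) makes the extra byte a defined terminator, and the comment should state the contract explicitly, e.g. `/* one byte of slack past the terminator: a_Url_new may rewrite a trailing ":80" as ":443" in place */`, so a later change to either function cannot silently break it. `int len = strlen(uri_str)+2;` also narrows a size_t; `size_t len` matches the allocation. This assumes dStrstrip strips in place and returns the same pointer, which the removed `dStrstrip(dStrdup(uri_str))` (whose result was freed as url->buffer) suggests but the hunk does not show; Url_object_new continues outside the hunk.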
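Review bot: `strcpy((char *)url->authority + len-2, "443");` writes four bytes starting two before the authority's terminator, so it overwrites the terminator and the byte after it; that is safe only because of the extra byte Url_object_new now allocates (and, when a path follows the authority, whatever gap the parser leaves, which this hunk does not show), and that cross-function dependency should be stated on the line: `/* may write one byte past the old terminator; Url_object_new reserves it */`. `url->scheme = scheme;` makes scheme point at a string literal rather than into url->buffer, which is fine as long as nothing frees or rewrites scheme through buffer, but a short comment would keep that from surprising a maintainer. The MSG line dereferences `url->url_string->str` before the string is freed and reset, so it assumes url_string is already built at this point in a_Url_new — confirm. Rewriting only an explicit ":80" while preserving other explicit ports matches RFC 6797 section 8.3, and upgrading at URL construction means history and cache lookups see the https URL too, which is the desirable outcome; `int len = strlen(url->authority);` narrows a size_t as in the other hunk. a_Url_new starts before the hunk.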