Changelog.md

Change Log

1.9.0

1.9.0 (compared to 1.8.7) contains several testing changes, along with content improvements:

• The RPKI test is now included in the total test score and its worst score is now a failure. Note that, as the score is evenly divided over all major categories, the score impact from each individual major category has been reduced. Therefore, scoring success on RPKI but fail on other tests, may result in a higher score than with 1.8. See the scoring documentation for details on the scoring algorithm.
• Improvements in the null MX recommendation based on SPF values.
• SPF test now correctly counts include/redirect for the 10 lookup limit.
• All tests, except some parts of TLS, now use a standard User-Agent format which can also be modified for third party deployments.
• Update to the latest version of sectxt which includes detection of BOM, unknown fields, and several PGP issues.

Internal changes:

• CI now detects missing or conflicting database migrations.
• Many documentation improvements.
• Improvements in customisability for forked versions.

For all issues, see the 1.9 milestone, though some of those were backported to 1.8 already.

1.8.7

1.8.7 mainly contains various important fixes to support batch deployment.

• Updated sectxt to use a patched version of PGPy with a fix for a catastrophic regex backtracking issue
• Updated nassl to fix memory leak in OCSP check.
• Connection test zones are now re-signed every week instead of every month.
• Support for new Docker (compose) versions and some checks for incompatible versions.
• Many updates to the Docker setup to handle issues with large batch jobs
• Extensions in Grafana dashboards for batch monitoring.
• Various improvements to CI UX.

1.8.6

Functional changes:

• Fixed an issue where redirects with an explicit port 443 were incorrectly. rejected in the HTTPS redirect test (#1291).
• 4xx and 5xx in the IPv4/6 similarity test are now permitted (#1267).
• Changed user agent to a common format (#1224).
• Fixed excessive caching TTLs in some DNS queries for some tests.
• Added support for br and zstd compression in HTTP compression test.

Internal changes:

• Access and user management was improved with a separate command to manage users, which can be applied to batch API only, or all URLS (#1267, #1274, #1396).
• Added periodic re-signing of connection test DNS zones.
• DNS configuration was documented along with several fixes in the certbot config (#1275, #1228).
• Added a log exporter for nginx.
• Added test probes every 15 minutes.
• Added periodic restart for nassl worker.
• Several other bugfixes.

1.8.5

Release 1.8.5 contains a hotfix for the sectxt library failing on leap days.

1.8.4

Release 1.8.4:

• Updates unbound to 1.19.1-internetnl to fix CVE-2023-50387 and CVE-2023-50868.
• Restricts HTTPS redirects to the same domain, no longer allowing directions to a subdomain first (#1208).
• Updates a number of other dependencies.
• Fixes an issue where certbot renewals were not correctly run.

1.8.3

Release 1.8.3 fixes an issue where HSTS and CSP headers were missing from he www-subdomain of the main domain (#1210, #1211).

1.8.2

Release 1.8.2 fixes an issue where the connection test would fail to start in certain cases due to an incorrect HTTP downgrade (#1194, #1195).

1.8.1

Version 1.8.1 includes a number of internal improvements, including:

• Various improvements in the build setup, including building forks.
• Improvements in logging quality and reducing log volume.
• Corrections in the live tests.
• Improved error handling in TLS certificate requests in deployments.

There are no changes to functionality or requirements of the tests.

1.8.0

• A new Docker based deployment, development, testing and CI setup has been added to replace all previous processes. See the getting started guide for how to use this.
• The test for Referrer-Policy has been updated to check for a sufficiently secure and valid policy.
• The security.txt test now checks the Canonical field as well.
• Updated to version 0.8.3 of the sectxt library including validation of CSAF fields.
• RFC9091 np= is now permitted in DMARC policies.
• The Content-Security-Policy check now requires explicit https: scheme and an issue was fixed where 'none' combined with other sources was incorrectly accepted.
• The IPv4/IPv6 similarity test was relaxed to a notice when the response contents are different.
• Fixed incorrect handling of IPv6-mapped IPv4 addresses in the RPKI test.
• Improved attributes in input fields for improved user experience.
• Fixed an issue in footer alignment.

This release has API version 2.4.0:

• The referrer_policy_errors and referrer_policy_recommendations fields were added. These contain errors and/or recommendations regarding the Referrer-Policy test.
• https_redirect can now also have “no_https” as status, for a web server that offers either no HTTPS or HTTPS with a very outdated, insecure TLS configuration, as in this case the redirect is not evaluated.

1.7.1

• Fixed the new display of TLS versions for mail tests.
• Fixed a language mix-up in the security.txt labels.
• Fixed an issue with the connection test and CSP form-action

1.7

• Added specific error messages in the technical details for Content-Security-Policy results.
• Added requirements for base-uri and form-action to the Content-Security-Policy test.
• Added translations for security.txt error messages.
• The TLS versions tech table now shows the detected TLS versions instead of only TLS versions with issues.
• Fixed an uncaught exception in the security.txt text which could cause the entire test to fail for some HTTP responses.
• Corrected handling of bogus TLSA records.
• A bare "https:" is no longer allowed in Content-Security-Policy as it matches any HTTPS host.
• Loosened requirement for null MX when a domain has no A or AAAA.
• Fixed an issue where the frame-src test was inconsistent with the documentation.
• Added the version number to the footer.
• Added Sentry support for error reporting.
• Code quality was cleaned up in various places.
• Dependencies were updated.

This release has API version 2.3.0:

• The record_org_domain was added for DMARC (#489).
• The securitytxt_errors and securitytxt_recommendations types were changed. They now contain error codes (and possibly context) rather than full sentences.
• The content_security_policy_errors field was added with error codes for CSP.
• An issue was fixed where the mx_nameservers field was not included in results (#882).

1.6.3

• Fixed an issue in the HTTPS client code that caused DMARC records to not be detected, due to a missing public suffix list.

1.6.2

• Fixed issues in the example configs regarding celery concurrency
• Fixed an issue where test failures could cause old test results to be displayed instead
• Added celery task info to log messages to help debugging/tracing
• Small fixes to test explanation content

This release has API version 2.2.0, as there are no API changes.

1.6.1

• Fixed issues in the security.txt check for invalid time formats and empty responses
• Updated social media links
• Fixed an issue in the API and updated the version

This release has API version 2.2.0, a late update due to new fields added in 1.6.0.

1.6

• Add security.txt support. For all IPs of web servers, this looks for the existence and validity of a RFC9116 security.txt file.

This release has API version 2.1.0, which is incorrect as it does include new fields for security.txt. This was fixed in 1.6.1.

1.5.1

• Fixes a tiny typo in the RPKI news content.

This release has API version 2.1.0, as there are no API changes.

1.5.0

New

• RPKI support [(#613)]. For all IPs of all name servers, mail servers and web server, this check looks for the existence of an RPKI ROA, and whether all BGP routes covering these IPs are valid. As this is a new check, the total score does not yet include RPKI results.

Other changes

• Fixed issues with the IPv4/IPv6 consistency test for large pages [(#665)]
• Various dependencies updated [(#721)] [(#725)] [(#695)] [(#688)] [(#712)]
• Internal documentation improvements [(#717)]
• Small improvements in cache reset requests [(#724)]
• Small improvements in various test explanations.
• The privacy statement was updated to clarify the use of third party services.

This release has API version 2.1.0, as it includes new fields for RPKI.

1.4.0

Software update and development & documentation release.

Note: the docker image will not build at the moment, this is a work in progress and will be in 1.4.1.

New

• Mention LinkedIn next to Twitter in footer [(#496)]
• Add security.txt based on https://securitytxt.org/ [(#493)]

Changes

• Improve description of the ipv4-ipv6 comparison results and what may be a reason for the differences [(#540)]
• Refer to https://dutchcloudcommunity.nl/ on https://internet.nl/about/ [(#589)]
• Check for max of 10 DNS lookups in SPF test [(#286)]
• System administrators can disable/enable categories of tests (for example, only run IPv6 tests)
• Files from the /static/ directory are now cached by the client for one day by default (instead of none)

Bugfixes

• Fix some minor typos and broken link [(#574)] [(#575)]
• Add a missing ' in the frame-ancestors explanation [(#578)]
• An empty part of Content Security Policy gives an error [(#583)]
• Recursion error when stripping nonces in IPv4 and IPv6 comparison [(#587)]
• Remove certificate from the certificate chain in the shipped cert chain file [(#614)]

Dependencies

• Update Django version to latest LTS version, together with dependencies [(#486)]
• Update version of Celery to the latest LTS version, together with dependencies [(#586)]
• Updated jQuery (also stops support for very old browsers) [(#565)]
• Pinned all dependencies on specific versions with pip-tools.

Settings

• Moved Django settings to an environment file, so it can be more easily configured in automated environments (containers)
• Made a clear distinction between user confgured settings and 'standard app settings'
• Add DEFAULT_AUTO_FIELD to default config file [(#599)]
• Increased the test duration 50%-100% for all tests on single mode, to deal with slow servers or servers that have a lot of MX records.
• Made the rate limiting feature of starting new scans configurable in the settings (not via environment)

Migrations

• Administrative movements of models to a new subproject (checks).

Development & documentation

• Added installation steps to makefile for easier installation of the virtual environment and custom python dependencies
• Added Github action that checks for code linting and runs tests. More QA tools to come.
• Added various tests and moved the existing tests to be run in pytest. Coverage today: 32%
• Added a partial admin web interface that is available during development, to more easily inspect the contents of the database
• Added an ERD diagram image of the database to the documentation
• Removed infinite wait on Unbound pipe, to reduce complexity in the connection leakage issue (see ahead)
• Added example and usable configuration examples for Redis, workers, services, Apache etc
• Added a logger with dictconfig, this allows run time logging of the application
• Added (debug) log statements for further code inspection, especially on expiring tasks
• Separate scanning code from UI code via a new django app "checks"
• Added workaround / configs for Redis-backend-connection leak: internetstandards#676 on single scan mode. Cron settings and some bash scripts that restart the scan services every 6 hours. This allows tens of thousands of scans per recycle.
• Spread out tasks over more dedicated workers to be able to inspect and manage bottlenecks
• Fixed Django-app bootstrapping, which prevented the app from loading correctly
• Building and testing for Python 3.7 and 3.10 to transit to the new version
• Added caching of static files in the apache config
• Simplified and deduplicated the apache config

This release has API version 2.0.1.

1.3.2

Hotfix release.

Changes

• (Docker) Use pg_isready to check db availability on startup (#551)

Bug Fixes

• CSP: subdomains not processed properly within default-src directive (#530)
• Fix for Public Suffix List: do not ignore rules that include wildcards.
• Key exchange parameter divergence (#538)
• Fix for 'non email sending domains and DKIM' does not work for bare domains (#532)
• Fix broken github tarball url for internetstandards/nassl (#549)
• Work around Celery bug #5409 leaving stale pid files (#550)
• Do not test redirects after test for first upgrade to HTTPS in "HTTPS redirect" subtest (#555)
• Typos.

Dependencies

• Updated fork targets:
  • unbound: https://github.com/ralphdolmans/unbound -> https://github.com/internetstandards/unbound
  • nassl: https://github.com/ximon18/nassl -> https://github.com/internetstandards/nassl
  • python-whois: https://github.com/ralphdolmans/python-whois -> https://github.com/internetstandards/python-whois

1.3.1

Hotfix release.

Bug Fixes

• Pick the correct domain for checking nameservers. (#526)
• Typos.

1.3.0

SSL_OP_PRIORITIZE_CHAHA support, support for more ciphers via the ModernConnection, explicit check for NULL MX, DKIM not required for non email sending domains, and more.

New

• docker/it/targetbase/recreate-certificates.sh allows for easy recreation of the IT related certificates.
• Support for SSL_OP_PRIORITIZE_CHACHA. (#461)
• Introduce manual HoF page(s).
• Support non email sending domains in mailtest for DKIM test. (#249)
• Keep and display the organizational domain for DMARC.
• 100% badges page in knowledge base. (#443)
• Explicitly test for NULL MX. (#468)
• Accessibility statement page. (#290)
• Use IDNA2008. (#507)

Changes

• Minimum max-age for HSTS is now 1 year. (#421)
• Accept all 3xx+3xx and 3xx+2xx DANE rollover schemes. (#341)
• Certificate Usage Field on TLSA records for email test. (#329)
• Validate CSP directives. (#325)
• Make X-Frame-Options optional and no longer consider ALLOW-FROM as sufficiently secure. (#503)
• No prescribed cipher ordering within a security level. (#506)
• Adjusted requirement level for client initiated renegotiation (informational). [(#510)]
• Update to jquery 3.5.1 (#508)

Bug Fixes

• Fix indefinite locks in cache (not a current problem).
• Fix ip_similarity for batch results where no IPv6 nor Ipv4 connection was possible.
• Better exception handling for untrusted certificate in OCSP check.
• Keep the same configured socket timeout for subsequent TLS connections.
• Nonces cause IPv4 vs IPv6 comparison to fail. (#463)
• Can't test site with invalid IDN. (#484)
• set_async(True) causes libunbound under celery to not honor config options set notable cache-max-ttl; remove for now.
• ARIA and DSS algorithms not detected. (#477)

Dependencies

• Updated requirements.txt:
  • django-redis pinned to 4.10
  • celery bumped to 4.3.1 (vine dependency)
  • vine pinned to 1.3.0
  • beautifulsoup4 added (#463)
  • idna added (#507)

Migrations

• New column in DB (mailtestauth_dmarc_record_org_domain). (#249)
• New columns in DB for NULL MX. (#468)

Settings

• New SMTP_EHLO_DOMAIN setting in settings.py. (#483)
• New optional HAS_ACCESSIBILITY_PAGE setting in settings.py. (#290)

1.2.1

Hotfix release.

Bug Fixes

• Fix broken connection test from 1.2.0; wrong variable name.

1.2.0

Update of the batch API to v2, removal of the X-XSS-Protection test, visual and content improvements for no-MX cases.

New

• Batch API updated to v2. (#337) (#395) (#336) (#436)
• No MX configured: informational status/icons and more suitable category verdict. (#455)
• Remove test for X-XSS-Protection. (#456)

Bug Fixes

• Fix breaking bug when the cert chain could not be received.
• Fix breaking bug for daneTA hack.
• Only use the translated local name from Django for configured languages.
• Fix arbitrary text injection in news and FAQ articles.
• Make sure to pick and test the same mailservers when the number of configured mailservers is greater than the allowed one.
• Mailservers without STARTTLS support give wrong verdict. (#437)
• IPv6 connectivity for nameservers. (#411)
• Make sure only one SMTP connection is active at a time.
• Fix uncaught exception when decrypting HTTPS data.
• Fix for statistics page (days are missing). (#417)
• Fix for connecting to either IPv4 or IPv6 for the mail test.
• mail_starttls_tls_available icon when a server is not tested. (#457)
• Typos.

1.1.2

Hotfix release.

Bug Fixes

• Documentation update.
• Content update.
• Typos.

1.1.1

Hotfix release.

New

• Ignore cipher order when only GOOD ciphers are supported.

Bug Fixes

• Fix scoring bug on FS params.
• Fix scoring bug when no starttls tests could be performed.
• DHE should be SUFFICIENT not GOOD.
• Fix JS bug for matomo.
• Fix unhandled NoIpError exception.
• Typos.

1.1.0

TLS 1.3 support, NCSCv2 guidelines, IT suite and more.

New

• Update internet.nl to conform with the new v2 of the NCSC guidelines. (#402)
• Updated Hall of Fame. (#170)

Dependencies

• Python bumped to 3.7. Make sure to update your environment and reinstall everything Python related (including unbound). You can follow the Installation instructions.
• The nassl fork was updated. Make sure to use the new repository and follow the Installation instructions.

Bug Fixes

• Long domain names break the design. (#401)
• Use headings where text is styled as headings. (#389)
• Alternative text for images | green and red shields statistics on homepage. (#387)
• Contrast too low for text "Dated result ....". (#307)
• Skiplink (to menu) does not work in small screens. (#306)
• Fix the mailserver part of DNSSEC to give a warning when there are no mailservers.
• Connection test: DNSSEC defaults to secure when no client connection. (#410)
• Widget for embedding test on other websites. (#362)
• HTML-element is closed while not opened based on @julezrulez commit. (#392)
• Try to detect browser DoNotTrack. (#426)

1.0.3

Hotfix release.

Dependencies

• The python-whois fork was updated. Make sure to pull the latest version and reinstall.

Bug Fixes

• Uncaught exception from python-whois. (#374)
• Typos.

1.0.2

Hotfix release.

Bug Fixes

• Report unusable TLSA records as non-valid. (#372)

1.0.1

Hotfix release.

Bug Fixes

• Don't check the root certificate's hash function. (#368)
• Missing space between test explanation and technical details. (#369)

1.0.0

Initial public release.

Template:

Next unreleased version

--- Brief description for next version ---

New

Changes

Bug Fixes

Dependencies

Migrations

Settings