
Remove faulty cryptcheck #35

Closed
wants to merge 1 commit into from

Conversation

@HLFH (Contributor) commented Apr 9, 2020

Cryptcheck does not support TLS 1.3.
It can give E grades for TLS to searx instances that are absolutely secure.

SSLLabs is the recommended solution: https://www.ssllabs.com/ssltest/
A lot of open-source software is built around it, such as: https://github.com/ssllabs/ssllabs-scan

@unixfox (Member) commented Apr 9, 2020

Please see my reply about SSLLabs: https://github.com/dalf/searx-stats2/issues/10#issuecomment-572003677

> I don't think there is a consensus around Qualys SSL Labs; it's probably due to the fact that SSL Labs is more popular than cryptcheck.
>
> SSL Labs really lacks SSL/TLS good practices; it's only in 2020 that they started giving a lower score for using TLS 1.0 & TLS 1.1: https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols
> Whereas PCI asked everyone in 2018 to stop using TLS 1.0: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
>
> We shouldn't trust SSL Labs for measuring the quality of the encryption of a Searx instance. aeris himself agrees that nobody should use Qualys SSL Labs: https://mastodon.social/@fschaap/5000393
>
> As for the arguments against cryptcheck:
>
> > no result will be returned if a server has an IPv6 misconfiguration.
>
> I find this completely normal: the owner of the Searx instance has to correctly configure his website. We shouldn't follow the fallback-to-IPv4 mechanism.
>
> Try to SSH to a domain that has a misconfiguration for its IPv6 record but a valid IPv4 record: it will just time out without falling back to IPv4.
> And what about the people that are behind a NAT64 & DNS64 network? They will experience the same thing: the browser will time out due to the IPv6 misconfiguration because their computer doesn't have any valid IPv4.
>
> > some other cases, I can't determine.
>
> I only encountered one, a case where a scan wouldn't finish. If that's becoming more and more frequent, it's better to open an issue marked as a bug.
> Apart from that, if you could give more details maybe we could ask aeris to fix the potential bugs.
>
> EDIT: I saw a bunch of question marks on searx.space and I think that's what you referred to as "other cases".
> I don't really know why your program can't fetch the API, because for every website with a "?" I do have correct results from the API. For example "searx.foo.li" has a question mark but the API is able to return the results of the scan: https://cryptcheck.fr/https/searx.foo.li.json
>
> Originally posted by @unixfox in https://github.com/dalf/searx-stats2/issues/10#issuecomment-572003677

> Cryptcheck does not support TLS 1.3.

Please see why Cryptcheck doesn't support TLS 1.3 yet: aeris/cryptcheck#46
You already linked it, oops. But that's still a valid reason for not having TLS 1.3.

> It can give E grades for TLS to searx instances that are absolutely secure.

Please check out the help section to understand why it gives an E rank: https://cryptcheck.fr/help
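Two points in the comment above are easy to lose in the back-and-forth: a scanner that probes every published address separately will report nothing for a host whose AAAA record is dead (exactly what an SSH or NAT64 client experiences), and a missing Strict-Transport-Security header on its own is enough to pull a grade down. The script below is an added example and is neither cryptcheck's nor searx-stats2's code: it resolves both A and AAAA records, handshakes against each address pinned (no happy-eyeballs fallback), fetches the response headers, and grades with a deliberately simple rule that is a hypothetical stand-in for cryptcheck's real scoring. It assumes HTTPS on port 443; the `CONSTRUCTED_RESULTS` list is made up so the grading runs offline.

```python
# Added example (not cryptcheck's or searx-stats2's code): probe every A/AAAA
# address of a host separately, never falling back from a broken IPv6 address
# to IPv4, and grade the result with a deliberately simple hypothetical rule.
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT = 443  # assumption: the instance serves HTTPS on the default port


@dataclass
class AddressResult:
    address: str
    family: str                  # "IPv4" or "IPv6"
    tls_version: Optional[str]   # e.g. "TLSv1.3"; None if the handshake failed
    hsts: Optional[str]          # Strict-Transport-Security value, None if absent
    error: Optional[str] = None


def parse_hsts(raw_headers: bytes) -> Optional[str]:
    """Return the Strict-Transport-Security value from a raw HTTP response head."""
    head = raw_headers.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "strict-transport-security":
            return value.strip()
    return None


def resolve(host: str) -> List[Tuple[int, str]]:
    """All distinct (family, address) pairs published for host, v6 and v4 alike."""
    seen: List[Tuple[int, str]] = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, PORT, proto=socket.IPPROTO_TCP):
        pair = (family, sockaddr[0])
        if family in (socket.AF_INET, socket.AF_INET6) and pair not in seen:
            seen.append(pair)
    return seen


def probe_address(host: str, family: int, address: str, timeout: float = 5.0) -> AddressResult:
    """TLS handshake plus HEAD / against one pinned address; SNI and the
    certificate check still use the hostname."""
    label = "IPv6" if family == socket.AF_INET6 else "IPv4"
    ctx = ssl.create_default_context()
    try:
        with socket.socket(family, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect((address, PORT))           # pinned: no fallback to the other family
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
                data = b""
                while b"\r\n\r\n" not in data:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    data += chunk
                return AddressResult(address, label, tls.version(), parse_hsts(data))
    except OSError as exc:                         # ssl.SSLError and socket.timeout are OSErrors
        return AddressResult(address, label, None, None, error=str(exc))


def evaluate(results: List[AddressResult]) -> dict:
    """Hypothetical grading rule (assumption, not cryptcheck's real scoring):
    any unreachable address means no result at all, a pre-1.2 protocol is a
    failure, and a missing HSTS header is reported on its own."""
    failed = [r for r in results if r.tls_version is None]
    if failed:
        return {"status": "no result",
                "reason": "unreachable: " + ", ".join(f"{r.address} ({r.error})" for r in failed)}
    weak = [r for r in results if r.tls_version in ("SSLv3", "TLSv1", "TLSv1.1")]
    if weak:
        return {"status": "weak protocol",
                "reason": ", ".join(f"{r.address} negotiated {r.tls_version}" for r in weak)}
    missing = [r.address for r in results if not r.hsts]
    if missing:
        return {"status": "no HSTS",
                "reason": "no Strict-Transport-Security on " + ", ".join(missing)}
    return {"status": "ok", "reason": "every address negotiated TLS 1.2+ and sends HSTS"}


# Constructed sample (not a real scan): IPv4 answers fine, the AAAA record is dead.
CONSTRUCTED_RESULTS = [
    AddressResult("192.0.2.10", "IPv4", "TLSv1.3", "max-age=31536000"),
    AddressResult("2001:db8::10", "IPv6", None, None, error="timed out"),
]


def scan(host: str) -> dict:
    """Live scan: resolve, probe each address on its own, grade the whole set."""
    return evaluate([probe_address(host, fam, addr) for fam, addr in resolve(host)])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan(sys.argv[1]))               # live probe of the host given on the command line
    else:
        print(evaluate(CONSTRUCTED_RESULTS))   # offline demo: status is 'no result'
```

Run it with a hostname to probe a live instance, or without arguments to see the constructed case: the working IPv4 address does not rescue the host, because the dead IPv6 address is reported as unreachable rather than skipped, which is the behaviour the comment above defends.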

@dalf (Member) commented Apr 9, 2020

See aeris/cryptcheck#50

(The cryptcheck command line shows all the details, but not the HTML page.)

@HLFH (Contributor, Author) commented Apr 9, 2020

@unixfox I mean, what I used to follow is the Intermediate compatibility profile of the Mozilla TLS guidelines.

According to his Twitter bio, Ivan Ristic is:

> Founder of Hardenize, because everyone deserves good internet security. Previously, founder of SSL Labs and ModSecurity; wrote Bulletproof SSL and TLS.

Frankly, SSL Labs is and has been trustworthy.
I understand that on the French web a competitor like Cryptcheck might appeal more to cypherpunks, and I have also been using this TLS check solution for a long time.
Also, Ivan Ristic has left Qualys and is now focused on Hardenize, which is more general in its approach, so Hardenize is not directly relevant for the searx-stats2 project and SSL Labs has lost its main contributor.

I can see that at the moment the cryptcheck project is not entirely secure, as it depends on Ruby 2.3.x, which no longer receives bug fixes or critical security updates: [Screenshot 2020-04-09 at 13:59:52]
Happily, aeris wants to tackle this issue with the cryptcheck-engine that is being built to support TLS 1.3 and remove the OpenSSL dependency.

As my certificate has been generated by Let's Encrypt, I migrated my searx instance from the Let's Encrypt Authority X3 chain signed by IdenTrust to the one signed by ISRG Root X1. It makes it a bit more secure.

@dalf Thank you a lot. I was wondering why I have the "No HSTS" issue as the useful help section did not indicate the "E" rank with the "No HSTS" issue.

I have therefore fixed the docker build . process: aeris/cryptcheck#51 to get the same details as you got.

I will look now why my antibot-proxy instance is misconfigured.

Thank you a lot to both of you!
