[WIP] Logic changes to bring closer to Pulse scan #3

Merged
merged 6 commits into from
Aug 8, 2016

Conversation

konklone
Collaborator

@konklone konklone commented Aug 7, 2016

This is an in-progress PR documenting some logic changes we're making to bring the Valid HTTPS field closer to Pulse's, along with other small things I notice.

So far this PR:

  • Adds a transparent cache for the requests library, turned on by --cache and stored inside .cache/, which automatically caches (and reuses from cache) all network requests made through requests while it is enabled. This makes the requests calls go instantly once cached, though the sslyze calls are not cached.
  • Always checks the preload list for the value of HSTS Preloaded, so as to catch any manual additions the preload list adds. (For a time, login.gov was one of these.)
  • Discount entries in the preload list which don't have include_subdomains set to true, since that's a drastically different security level than we're generally indicating when we say HSTS Preloaded. There are a few .gov domains in this unfortunate position, including healthcare.gov. This is actually ahead of Pulse -- I want Pulse to start discounting those too.

@konklone konklone changed the title Logic changes [WIP] Logic changes to bring closer to Pulse scan Aug 7, 2016
@konklone
Collaborator Author

konklone commented Aug 8, 2016

(Note this PR is merging into the previous PR, so if you want to merge both PRs, merge this one first.)

@konklone
Collaborator Author

konklone commented Aug 8, 2016

I've added some commits that:

  • Store the location an endpoint immediately redirects to, in addition to the existing one that stores the eventual redirect location.
  • Tightened the is_valid_https definition considerably. It now wants at least one endpoint to be live, not have a certificate for a valid hostname, and to not redirect the user immediately down to HTTP.
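The two rules discussed in this PR, the include_subdomains filter on preload-list entries and the tightened is_valid_https definition, as an added Python example that is not code from this project or from the PR's commits. The Endpoint field names and the sample scan and preload data are constructed for the example, and "a certificate for a valid hostname" is read here as the certificate matching the endpoint's hostname.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Endpoint:
    """One HTTPS endpoint of a domain. Field names are assumptions for this example."""
    url: str
    live: bool = False
    bad_hostname: bool = False               # certificate does not match this hostname
    immediate_redirect: Optional[str] = None  # first hop the endpoint redirects to, if any

def redirects_immediately_to_http(ep: Endpoint) -> bool:
    """True when the very first redirect sends the user back down to plain HTTP."""
    return ep.immediate_redirect is not None and ep.immediate_redirect.lower().startswith("http://")

def is_valid_https(https_endpoints) -> bool:
    """Tightened definition: at least one HTTPS endpoint must be live, present a
    certificate that matches its hostname, and not bounce straight to HTTP."""
    return any(
        ep.live and not ep.bad_hostname and not redirects_immediately_to_http(ep)
        for ep in https_endpoints
    )

def is_hsts_preloaded(domain: str, preload_entries) -> bool:
    """Always consult the preload list itself (catches manual additions), but only
    count an entry as 'HSTS Preloaded' when include_subdomains is set, because an
    entry without it gives a much weaker guarantee for the domain's subdomains."""
    for entry in preload_entries:
        if entry.get("name", "").lower() == domain.lower():
            return bool(entry.get("include_subdomains", False))
    return False

# Constructed sample preload entries in the Chromium list's JSON shape (not real data)
PRELOAD = [
    {"name": "example.gov", "include_subdomains": True, "mode": "force-https"},
    {"name": "partial.gov", "include_subdomains": False, "mode": "force-https"},
]

def demo():
    """Return (valid_https, hsts_preloaded) for three constructed domains."""
    good = [Endpoint("https://example.gov", live=True),
            Endpoint("https://www.example.gov", live=True, bad_hostname=True)]
    downgrade = [Endpoint("https://partial.gov", live=True, immediate_redirect="http://partial.gov/"),
                 Endpoint("https://www.partial.gov", live=False)]
    return {
        "example.gov": (is_valid_https(good), is_hsts_preloaded("example.gov", PRELOAD)),
        "partial.gov": (is_valid_https(downgrade), is_hsts_preloaded("partial.gov", PRELOAD)),
        "missing.gov": (is_valid_https([]), is_hsts_preloaded("missing.gov", PRELOAD)),
    }
```

Note that partial.gov fails both checks: its only live HTTPS endpoint downgrades to HTTP on the first hop, and its preload entry lacks include_subdomains.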

@KyleEvers KyleEvers merged commit 4d8b07c into tightening-up Aug 8, 2016
@h-m-f-t h-m-f-t deleted the logic-changes branch August 18, 2016 19:31
mcdonnnj pushed a commit that referenced this pull request Mar 9, 2022
…generic_changes

Merge latest skeleton-generic changes