[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] reddit.com wants EFF to disable HTTPS???



There are currently 2 Rules for Reddit.

Default is off for Reddit+, which I believe (not checked the actual
code) forces HTTPS to use the following domains:
https://www.reddit.com and/or https://reddit.com

If I go to the above 2 domains I do get Cert mismatch error (and asks
users to click "I Understand the Risks"). Because of this the above
rule is disabled.


The current rule which is active, forces HTTPS to go through
https://pay.reddit.com which has a proper certificate.

Based on your post on Reddit you stated that the above domain "We
don't support HTTPS for the main site at the moment. The only purpose
of it right now is for a specific set of pages (self-serve
advertisement pay pages) and the fact that it works for other pages
sometimes is an unintended side effect. "

The description of this Add-on should explain the purpose of HTTPS Everywhere:

"Many sites on the web offer some limited support for encryption over
HTTPS, but make it difficult to use. For instance, they may default to
unencrypted HTTP, or fill encrypted pages with links that go back to
the unencrypted site.

The HTTPS Everywhere extension fixes these problems by rewriting all
requests to these sites to HTTPS. Firefox users can get it by clicking
here:"

I don't see why one website should get preferential treatment.

If there are specific URLs not working, we can always add it to the
exclusion rules.




On Mon, Aug 8, 2011 at 6:55 PM, Neil Williams <neil@xxxxxxxxxx> wrote:
> I'm not really sure what you want me to say here, Victor. We continue
> to get complaints from users of your extension (another example since
> the last email: http://redd.it/jb6ek). Our mainline HTTPS support is
> not going to change in the near future (it's a medium-term goal). So
> since you're adamant about not removing the rule, we're going to have
> to continue telling our users that HTTPS Everywhere is at fault for
> sending them to a system not designed for their traffic, and probably
> will end up blocking the requests altogether, though I'm loathe to do
> either of those things.
>
> On Sun, Aug 7, 2011 at 12:06 AM, Victor Garin <vic.garin@xxxxxxxxx> wrote:
>> As of this time, its working for me.
>>
>> I can access Reddit via https://pay.reddit.com/ with out any Cert errors.
>>
>> I even signed up for an account right now there, and was able to use
>> Reddit perfectly fine using https://pay.reddit.com/ server.
>>
>> I also used Tor, Exit Nodes located in different countries, and was
>> still NOT able to reproduce the error.
>>
>> Have you been in touch with Akamai regarding this issue? What did they say?
>>
>> They are considered 'premium' for a reason I hope.
>>
>> On Sat, Aug 6, 2011 at 11:38 PM, Neil Williams <neil@xxxxxxxxxx> wrote:
>>> Two additional reports, this time specifically of cert errors:
>>>
>>> http://redd.it/jak59
>>> http://redd.it/jb27e
>>>
>>> On Sat, Aug 6, 2011 at 11:32 PM, Neil Williams <neil@xxxxxxxxxx> wrote:
>>>>> Neil, can you please post to the Rules Mailing List next time
>>>>
>>>> My apologies.
>>>>
>>>>>
>>>>> pay.reddit.com works fine for me....
>>>>>
>>>>> www.reddit.com == pay.reddit.com same content in HTTPS.
>>>>>
>>>>> Can you also point out where exactly (which URL) there is a bug when
>>>>> the current ruleset is used?
>>>>>
>>>>
>>>> There have been a flood of reports of SSL certificate issues when
>>>> using pay.reddit.com in the last few days. In most of the cases I've
>>>> seen, it's because they're using HTTPS Everywhere and it's using
>>>> pay.reddit.com. You can see the reports here:
>>>>
>>>> http://www.reddit.com/search?q=pay.reddit.com
>>>>
>>>> My understanding is that it's related to our CDN, Akamai, and so it
>>>> may vary based on which edge server you get and whether or not you're
>>>> logged in.
>>>>
>>>>> The reasons for using HTTPS are many including to prevent snooping on
>>>>> the TOR Network.
>>>>
>>>> I completely agree that HTTPS is the way to go and we will make it
>>>> available to all as soon as our infrastructure is configured to do it
>>>> without causing issues for our users. At the moment, it only works on
>>>> a subset of pages that are disallowed from using edge-caching (the pay
>>>> pages which are used for credit card processing).
>>>>
>>>>> Removing/Disabling the whole site (when it is working) goes against
>>>>> all the principles that EFF stands for. Unless it doesn't work it
>>>>> should not be removed.
>>>>
>>>> I'm asking for the rules to be disabled because it's causing issues
>>>> for our users as is amply supported by the many complaints on our
>>>> site, not because we disagree with the use of HTTPS.
>>>>
>>>
>>
>
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk