[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #2199 [EFF-HTTPS Everywhere]: rules with [^/@:] don't catch all traffic
#2199: rules with [^/@:] don't catch all traffic
----------------------------------+-----------------------------------------
Reporter: dkg | Owner: pde
Type: defect | Status: new
Priority: normal | Milestone:
Component: EFF-HTTPS Everywhere | Version:
Keywords: | Parent:
----------------------------------+-----------------------------------------
Comment(by dkg):
Yes, i'm sure. visiting the URLs directly will trigger firefox's
confirmation prompt, but i'm concerned more about the embedded img src's
which don't seem to be prompted for.
I've placed the following code
[http://lair.fifthhorseman.net/~dkg/personal/https-everywhere-2199.html
online]:
{{{
<html>
<head>
<title>a test</title>
</head>
<body>
<!-- this first one gets loaded in the clear -->
<img src="http://www@xxxxxxxxxxxxxx/nduck.v104.png"; />
<!-- https-everywhere intercepts this one and sends it out over https -->
<img src="http://duckduckgo.com/nduck.v104.png"; />
</body>
</html>
}}}
If you have firebug installed, open up the net console, and visit
[http://lair.fifthhorseman.net/~dkg/personal/https-everywhere-2199.html
the example] (The net console might close when you switch domains. just
re-open it and refresh the page with ctrl-shift-R)
you should see one request to the duckduckgo servers in the clear (HTTP)
and another one encrypted (HTTPS).
tcpdump + wireshark confirms this behavior for me on a debian squeeze
system with https-everywhere 0.9.0 installed and the duckduckgo rule
enabled.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/2199#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs