
Re: HTTPS Everywhere Firefox addon

andrew@xxxxxxxxxxxxxx writes:

> On Thu, May 27, 2010 at 07:34:01PM -0700, mikeperry@xxxxxxxxxx wrote 1.7K bytes in 51 lines about:
> : The eventual idea is to allow an Adblock Plus style model, where users
> : can submit and exchange rule files and eventually create subscriptions
> : for the sites they use that partially support SSL.
> Perhaps this is a dumb question, why not try the https:// version of
> every http site the user requests?  If it works, reload to the https
> url.  

Three examples of sites that are broken by this are Google,
Facebook, and LibraryThing, simply because they violate the
assumption that the HTTPS and HTTP sites are sufficiently
identical to be used interchangeably.  We think there are
several others out there like this.

In fact there are many potential concerns about sites that
expose only a _portion_ of their resources in HTTPS, or that
provide different things in the HTTPS and HTTP versions.
This basically goes to the question of what "if it works" means.

Peter points out that many virtual hosters don't yet support
SNI, which means that name-based virtual hosts that are
distinct in HTTP won't appear distinct in HTTPS (and users
who access those hosts via HTTPS will get a single default
site in place of several distinct sites).  In that case the
content will be extremely different, and wrong, but the site
will still return an HTTP 200 OK.

The presence of a regular expression-based rewrite rule in
HTTPS Everywhere basically connotes that a human being checked
out the site a bit and believes that the particular resources
covered by the rule are safe to rewrite this way, without
breaking other things.

Seth Schoen
Senior Staff Technologist                         schoen@xxxxxxx
Electronic Frontier Foundation                    http://www.eff.org/
454 Shotwell Street, San Francisco, CA  94110     +1 415 436 9333 x107
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
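
An added example, not code from the post, from EFF or from HTTPS Everywhere itself, that works through two points made above: how a regex-based rewrite rule with targets and exclusions is applied to a URL, and what a blind http-to-https probe would have to check beyond an HTTP 200 OK before trusting the https:// copy of a page, including the non-SNI default-vhost case Peter raised. All hostnames, rules and response bodies below are constructed for illustration; the rule syntax follows HTTPS Everywhere's from/to shape but uses Python regex back-references.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Added example; not code from the original post or from HTTPS Everywhere.
# Part 1 models the vetted, regex-based rewrite rule the post describes
# (targets, from/to regexes, exclusions a maintainer added after testing).
# Part 2 models the "if it works" check a blind http->https probe would need
# and shows why 200 OK alone proves nothing. Hosts, rules and bodies are
# constructed for illustration.


def host_matches(pattern, host):
    """Exact hostname match, or a '*.' wildcard covering exactly one label."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return host == pattern


class Ruleset:
    def __init__(self, name, targets, rules, exclusions=()):
        self.name = name
        self.targets = targets
        # Python re syntax: a back-reference in 'to' is \1 rather than $1.
        self.rules = [(re.compile(f), t) for f, t in rules]
        self.exclusions = [re.compile(x) for x in exclusions]

    def covers(self, host):
        return any(host_matches(t, host) for t in self.targets)


def rewrite(url, rulesets):
    """Apply the first matching rule; exclusions (a human's 'leave this on
    HTTP') win over rules; URLs nothing covers are returned unchanged."""
    host = urlsplit(url).hostname or ""
    for rs in rulesets:
        if not rs.covers(host):
            continue
        if any(x.search(url) for x in rs.exclusions):
            return url
        for pattern, template in rs.rules:
            new_url, count = pattern.subn(template, url)
            if count:
                return new_url
    return url


SAMPLE_RULESETS = [
    Ruleset("Good Example (constructed)",
            targets=["good.example", "*.good.example"],
            rules=[(r"^http://(www\.)?good\.example/", "https://www.good.example/")],
            exclusions=[r"^http://www\.good\.example/legacy/"]),
]


def upgrade_looks_equivalent(http_resp, https_resp, min_similarity=0.9):
    """Return (ok, reason) for one http/https response pair.

    Responses are dicts: status, host, cert_names (names the certificate is
    valid for; empty for plain HTTP) and body. 200 is necessary but not
    sufficient: the certificate must name the requested host (a non-SNI
    hoster serves its default site under another name), and the bodies
    must be close enough to be the same page."""
    if https_resp["status"] != 200:
        return False, "https status %d" % https_resp["status"]
    host = https_resp["host"]
    if not any(host_matches(n, host) for n in https_resp["cert_names"]):
        return False, "certificate does not cover %s" % host
    ratio = SequenceMatcher(None, http_resp["body"], https_resp["body"]).ratio()
    if ratio < min_similarity:
        return False, "bodies differ (similarity %.2f)" % ratio
    return True, "ok"


def resp(host, body, cert_names=(), status=200):
    return {"status": status, "host": host, "cert_names": list(cert_names), "body": body}


# Constructed responses a blind probe might see for four hypothetical sites.
SAMPLE_PROBES = {
    # Same page on both schemes, certificate names the host: safe to upgrade.
    "good.example": (
        resp("good.example", "<title>Good</title><p>Welcome to good.example</p>"),
        resp("good.example", "<title>Good</title><p>Welcome to good.example</p>",
             ["good.example", "www.good.example"])),
    # Name-based vhost on a hoster without SNI: TLS returns the default site
    # under someone else's certificate, still with 200 OK.
    "shop.vhost.example": (
        resp("shop.vhost.example", "<title>Shop</title><p>Catalogue, prices, cart</p>"),
        resp("shop.vhost.example", "<title>Hosting Co</title><p>Domain not configured</p>",
             ["hosting.example"])),
    # Only part of the site exists over HTTPS: right host, different page.
    "portal.example": (
        resp("portal.example", "<title>Portal</title><p>Overview, messages, settings</p>"),
        resp("portal.example", "<title>Sign in</title><form>Username / password</form>",
             ["portal.example"])),
    # HTTPS answers only to bounce the client back to HTTP.
    "bounce.example": (
        resp("bounce.example", "<title>Bounce</title>"),
        resp("bounce.example", "", ["bounce.example"], status=301)),
}


def probe_all(probes=SAMPLE_PROBES):
    """Run the equivalence check over every constructed probe."""
    return {host: upgrade_looks_equivalent(h, s) for host, (h, s) in probes.items()}


if __name__ == "__main__":
    print(rewrite("http://good.example/", SAMPLE_RULESETS))
    print(probe_all())
```

Of the four constructed probes only good.example passes; the non-SNI vhost fails on the certificate name even though it answered 200 OK, the partially-HTTPS portal fails on content, and the bouncing host fails on status. Against a real site the two responses would come from fetching both URLs with hostname verification left on, and "sufficiently identical" would still be a judgment a maintainer has to make by hand, which is exactly what a rule in a ruleset records.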