<br><br><div class="gmail_quote">On Fri, Apr 20, 2012 at 3:23 PM, Peter Eckersley <span dir="ltr"><<a href="mailto:pde@eff.org">pde@eff.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Fri, Apr 13, 2012 at 07:18:08PM -0700, Greg Lindahl wrote:<br>
> On Fri, Mar 30, 2012 at 01:47:19AM -0400, mezzanine@Safe-mail.net wrote:<br>
><br>
> > Of possible interest, it appears that the Blekko search engine<br>
> > automatically rewrites some of its search results<br>
><br>
> Indeed, we are. Most of our rewrites come out of the HTTPS Everywhere<br>
> rulesets, thanks! We think this is a way to improve privacy for a lot<br>
> more people than just those who might download a browser<br>
> extension. We've defaulted this feature on in our search engine for a<br>
> long time now.<br>
><br>
> We have a button people can push to complain when we've broken the web<br>
> for them. We get a few complaints a day, mostly from countries which I<br>
> imagine are pretty enthusiastic at blocking encrypted access to<br>
> naughty websites (like facebook, youtube, etc.) I generally email such<br>
> people and they never reply back: probably most of them don't speak<br>
> English.<br>
><br>
> I got one a few days ago from someone in the Dominican Republic, who<br>
> pushed the "this link is broken" button 3 times on a YouTube link, and<br>
> once added a comment in Spanish that clearly said that all YouTube<br>
> links were broken. The link worked for me. He also didn't respond to<br>
> my email with an attempt at Spanish, but I thought I'd mention it<br>
> here: do you guys have any idea how much breakage is being caused by<br>
> https blocks in various countries?<br>
<br>
We do not have this dataset, but I was at a hackathon last weekend where Dan<br>
Kaminksy showed a nifty hack that Blekko /might/ be able to use to collect<br>
this data itself under certain circumstances. If you embedd a simple image<br>
(such as a favicon, maybe with a query parameter to prevent caching) from a<br>
site, you can use CSS introspection to see if each copy loaded. Do this for<br>
http and https in parallel, and you'll spot differential blocking.<br></blockquote><div><br></div><div>It's not CSS introspection; you basically create a new image with onload and onerror handlers, then set the src to favicon.ico. See <a href="http://censorsweeper.com">censorsweeper.com</a>.</div>
<div><br></div><div>Peter, that's a hilarious use of my hack, and it'll totally work.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
There are a couple of arguments against doing this for your users at random:<br>
<br>
1. It will cause them to make requests to YouTube/Twitter/Facebook, which<br>
causes some privacy loss (especially if you don't have a way to #scrub the<br>
search terms from the referrer, and if the user has browser link prefetching<br>
disabled)<br></blockquote><div><br></div><div>Referer is blocked to HTTPS, at least.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
2. If the user is searching over HTTPS, it will cause a mixed content issue.<br>
But this could be worked-around by only doing it for HTTP users (people who<br>
search Blekko over HTTPS might be using HTTPS Everywhere anyway, which would<br>
mess up the HTTP/HTTPS differential aspect of the test results).<br></blockquote><div><br></div><div>I think maybe you can hide the mixed content warnings if you do this in an invisible iframe. Images and mixed content have very weird policies.</div>
<div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
You could also do this test for users when they click "report broken link", or<br>
an ad saying "test your network with Blekko", etc, although your sample size<br>
will be much smaller.<br>
<br>
><br>
> The set of urls which attract complaints is very limited: facebook,<br>
> twitter, and youtube. Of course, these are the most popular searches<br>
> at all search engines, "navigational" searches.<br>
><br>
> -- greg<br>
><br>
> _______________________________________________<br>
> HTTPS-everywhere mailing list<br>
> <a href="mailto:HTTPS-everywhere@mail1.eff.org">HTTPS-everywhere@mail1.eff.org</a><br>
> <a href="https://mail1.eff.org/mailman/listinfo/https-everywhere" target="_blank">https://mail1.eff.org/mailman/listinfo/https-everywhere</a><br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Peter Eckersley <a href="mailto:pde@eff.org">pde@eff.org</a><br>
Technology Projects Director Tel <a href="tel:%2B1%20415%20436%209333%20x131" value="+14154369333">+1 415 436 9333 x131</a><br>
Electronic Frontier Foundation Fax <a href="tel:%2B1%20415%20436%209993" value="+14154369993">+1 415 436 9993</a><br>
</font></span></blockquote></div><br>