[HTTPS-E Rulesets] reddit.com wants EFF to disable HTTPS???

Neil Williams neil at reddit.com
Mon Aug 8 18:55:30 PDT 2011


I'm not really sure what you want me to say here, Victor. We continue
to get complaints from users of your extension (another example since
the last email: http://redd.it/jb6ek). Our mainline HTTPS support is
not going to change in the near future (it's a medium-term goal). So
since you're adamant about not removing the rule, we're going to have
to continue telling our users that HTTPS Everywhere is at fault for
sending them to a system not designed for their traffic, and probably
will end up blocking the requests altogether, though I'm loath to do
either of those things.

On Sun, Aug 7, 2011 at 12:06 AM, Victor Garin <vic.garin at gmail.com> wrote:
> As of this time, it's working for me.
>
> I can access Reddit via https://pay.reddit.com/ without any Cert errors.
>
> I even signed up for an account right now there, and was able to use
> Reddit perfectly fine using https://pay.reddit.com/ server.
>
> I also used Tor, Exit Nodes located in different countries, and was
> still NOT able to reproduce the error.
>
> Have you been in touch with Akamai regarding this issue? What did they say?
>
> They are considered 'premium' for a reason I hope.
>
> On Sat, Aug 6, 2011 at 11:38 PM, Neil Williams <neil at reddit.com> wrote:
>> Two additional reports, this time specifically of cert errors:
>>
>> http://redd.it/jak59
>> http://redd.it/jb27e
>>
>> On Sat, Aug 6, 2011 at 11:32 PM, Neil Williams <neil at reddit.com> wrote:
>>>> Neil, can you please post to the Rules Mailing List next time
>>>
>>> My apologies.
>>>
>>>>
>>>> pay.reddit.com works fine for me....
>>>>
>>>> www.reddit.com == pay.reddit.com same content in HTTPS.
>>>>
>>>> Can you also point out where exactly (which URL) there is a bug when
>>>> the current ruleset is used?
>>>>
>>>
>>> There has been a flood of reports of SSL certificate issues when
>>> using pay.reddit.com in the last few days. In most of the cases I've
>>> seen, it's because they're using HTTPS Everywhere and it's using
>>> pay.reddit.com. You can see the reports here:
>>>
>>> http://www.reddit.com/search?q=pay.reddit.com
>>>
>>> My understanding is that it's related to our CDN, Akamai, and so it
>>> may vary based on which edge server you get and whether or not you're
>>> logged in.
>>>
>>>> The reasons for using HTTPS are many including to prevent snooping on
>>>> the TOR Network.
>>>
>>> I completely agree that HTTPS is the way to go and we will make it
>>> available to all as soon as our infrastructure is configured to do it
>>> without causing issues for our users. At the moment, it only works on
>>> a subset of pages that are disallowed from using edge-caching (the pay
>>> pages which are used for credit card processing).
>>>
>>>> Removing/Disabling the whole site (when it is working) goes against
>>>> all the principles that EFF stands for. Unless it doesn't work it
>>>> should not be removed.
>>>
>>> I'm asking for the rules to be disabled because it's causing issues
>>> for our users as is amply supported by the many complaints on our
>>> site, not because we disagree with the use of HTTPS.
>>>
>>
>



More information about the HTTPS-Everywhere-Rules mailing list