[HTTPS-E Rulesets] reddit.com wants EFF to disable HTTPS???

Neil Williams neil at reddit.com
Tue Aug 9 11:00:21 PDT 2011 

Hi Peter,

Thanks for the update. I'll let you know if the reports continue and
we'll let you know as soon as we have real HTTPS available.

- Neil

On Tue, Aug 9, 2011 at 10:47 AM, Peter Eckersley <pde at eff.org> wrote:
> Hi Neil,
>
> Despite the diversity of views in the project's open source ocmmunity, we
> were, and are still, planning to push an update that disables the ruleset.
> That will probably happen today.
>
> There is a small possibility that it isn't the Reddit ruleset itself, but in fact
> some other ruleset related to 3rd party content on the reddit site, that is
> causing these reported problems.  I guess we'll find out if you continue to
> receive reports of this cert warning for users who have upgraded to the
> forthcoming 1.0.1 release.
>
> On Mon, Aug 08, 2011 at 06:55:30PM -0700, Neil Williams wrote:
>> I'm not really sure what you want me to say here, Victor. We continue
>> to get complaints from users of your extension (another example since
>> the last email: http://redd.it/jb6ek). Our mainline HTTPS support is
>> not going to change in the near future (it's a medium-term goal). So
>> since you're adamant about not removing the rule, we're going to have
>> to continue telling our users that HTTPS Everywhere is at fault for
>> sending them to a system not designed for their traffic, and probably
>> will end up blocking the requests altogether, though I'm loathe to do
>> either of those things.
>>
>> On Sun, Aug 7, 2011 at 12:06 AM, Victor Garin <vic.garin at gmail.com> wrote:
>> > As of this time, its working for me.
>> >
>> > I can access Reddit via https://pay.reddit.com/ with out any Cert errors.
>> >
>> > I even signed up for an account right now there, and was able to use
>> > Reddit perfectly fine using https://pay.reddit.com/ server.
>> >
>> > I also used Tor, Exit Nodes located in different countries, and was
>> > still NOT able to reproduce the error.
>> >
>> > Have you been in touch with Akamai regarding this issue? What did they say?
>> >
>> > They are considered 'premium' for a reason I hope.
>> >
>> > On Sat, Aug 6, 2011 at 11:38 PM, Neil Williams <neil at reddit.com> wrote:
>> >> Two additional reports, this time specifically of cert errors:
>> >>
>> >> http://redd.it/jak59
>> >> http://redd.it/jb27e
>> >>
>> >> On Sat, Aug 6, 2011 at 11:32 PM, Neil Williams <neil at reddit.com> wrote:
>> >>>> Neil, can you please post to the Rules Mailing List next time
>> >>>
>> >>> My apologies.
>> >>>
>> >>>>
>> >>>> pay.reddit.com works fine for me....
>> >>>>
>> >>>> www.reddit.com == pay.reddit.com same content in HTTPS.
>> >>>>
>> >>>> Can you also point out where exactly (which URL) there is a bug when
>> >>>> the current ruleset is used?
>> >>>>
>> >>>
>> >>> There have been a flood of reports of SSL certificate issues when
>> >>> using pay.reddit.com in the last few days. In most of the cases I've
>> >>> seen, it's because they're using HTTPS Everywhere and it's using
>> >>> pay.reddit.com. You can see the reports here:
>> >>>
>> >>> http://www.reddit.com/search?q=pay.reddit.com
>> >>>
>> >>> My understanding is that it's related to our CDN, Akamai, and so it
>> >>> may vary based on which edge server you get and whether or not you're
>> >>> logged in.
>> >>>
>> >>>> The reasons for using HTTPS are many including to prevent snooping on
>> >>>> the TOR Network.
>> >>>
>> >>> I completely agree that HTTPS is the way to go and we will make it
>> >>> available to all as soon as our infrastructure is configured to do it
>> >>> without causing issues for our users. At the moment, it only works on
>> >>> a subset of pages that are disallowed from using edge-caching (the pay
>> >>> pages which are used for credit card processing).
>> >>>
>> >>>> Removing/Disabling the whole site (when it is working) goes against
>> >>>> all the principles that EFF stands for. Unless it doesn't work it
>> >>>> should not be removed.
>> >>>
>> >>> I'm asking for the rules to be disabled because it's causing issues
>> >>> for our users as is amply supported by the many complaints on our
>> >>> site, not because we disagree with the use of HTTPS.
>> >>>
>> >>
>> >
>
> --
> Peter Eckersley                            pde at eff.org
> Senior Staff Technologist         Tel  +1 415 436 9333 x131
> Electronic Frontier Foundation    Fax  +1 415 436 9993
>

More information about the HTTPS-Everywhere-Rules mailing list