[HTTPS-E Rulesets] [HTTPS-Everywhere] reddit.com wants EFF to disable HTTPS???

Maxim Nazarenko nz.phone at mail.ru
Mon Aug 8 19:35:46 PDT 2011


I must add that Perspectives addon (
https://addons.mozilla.org/en-US/firefox/addon/perspectives/ ) is very
useful to deal with self-signed certificates. And if you want more
security, you should probably install Certificate Patrol (
https://addons.mozilla.org/en-US/firefox/addon/certificate-patrol/ ).
I use both of them and tend to enable most of the rules -- checking a
certificate once is better than no SSL at all, IMHO.

Best regards,
Maxim Nazarenko

On 8 August 2011 19:27, Victor Garin <vic.garin at gmail.com> wrote:
> There are currently 2 Rules for Reddit.
>
> Default is off for Reddit+, which I believe (not checked the actual
> code) forces HTTPS to use the following domains:
> https://www.reddit.com and/or https://reddit.com
>
> If I go to the above 2 domains I do get a Cert mismatch error (and it asks
> users to click "I Understand the Risks"). Because of this the above
> rule is disabled.
>
>
> The current rule which is active, forces HTTPS to go through
> https://pay.reddit.com which has a proper certificate.
>
> Based on your post on Reddit you stated that the above domain "We
> don't support HTTPS for the main site at the moment. The only purpose
> of it right now is for a specific set of pages (self-serve
> advertisement pay pages) and the fact that it works for other pages
> sometimes is an unintended side effect. "
>
> The description of this Add-on should explain the purpose of HTTPS Everywhere:
>
> "Many sites on the web offer some limited support for encryption over
> HTTPS, but make it difficult to use. For instance, they may default to
> unencrypted HTTP, or fill encrypted pages with links that go back to
> the unencrypted site.
>
> The HTTPS Everywhere extension fixes these problems by rewriting all
> requests to these sites to HTTPS. Firefox users can get it by clicking
> here:"
>
> I don't see why one website should get preferential treatment.
>
> If there are specific URLs not working, we can always add them to the
> exclusion rules.
>
>
>
>
> On Mon, Aug 8, 2011 at 6:55 PM, Neil Williams <neil at reddit.com> wrote:
>> I'm not really sure what you want me to say here, Victor. We continue
>> to get complaints from users of your extension (another example since
>> the last email: http://redd.it/jb6ek). Our mainline HTTPS support is
>> not going to change in the near future (it's a medium-term goal). So
>> since you're adamant about not removing the rule, we're going to have
>> to continue telling our users that HTTPS Everywhere is at fault for
>> sending them to a system not designed for their traffic, and probably
>> will end up blocking the requests altogether, though I'm loath to do
>> either of those things.
>>
>> On Sun, Aug 7, 2011 at 12:06 AM, Victor Garin <vic.garin at gmail.com> wrote:
>>> As of this time, it's working for me.
>>>
>>> I can access Reddit via https://pay.reddit.com/ without any Cert errors.
>>>
>>> I even signed up for an account right now there, and was able to use
>>> Reddit perfectly fine using https://pay.reddit.com/ server.
>>>
>>> I also used Tor, Exit Nodes located in different countries, and was
>>> still NOT able to reproduce the error.
>>>
>>> Have you been in touch with Akamai regarding this issue? What did they say?
>>>
>>> They are considered 'premium' for a reason I hope.
>>>
>>> On Sat, Aug 6, 2011 at 11:38 PM, Neil Williams <neil at reddit.com> wrote:
>>>> Two additional reports, this time specifically of cert errors:
>>>>
>>>> http://redd.it/jak59
>>>> http://redd.it/jb27e
>>>>
>>>> On Sat, Aug 6, 2011 at 11:32 PM, Neil Williams <neil at reddit.com> wrote:
>>>>>> Neil, can you please post to the Rules Mailing List next time
>>>>>
>>>>> My apologies.
>>>>>
>>>>>>
>>>>>> pay.reddit.com works fine for me....
>>>>>>
>>>>>> www.reddit.com == pay.reddit.com same content in HTTPS.
>>>>>>
>>>>>> Can you also point out where exactly (which URL) there is a bug when
>>>>>> the current ruleset is used?
>>>>>>
>>>>>
>>>>> There have been a flood of reports of SSL certificate issues when
>>>>> using pay.reddit.com in the last few days. In most of the cases I've
>>>>> seen, it's because they're using HTTPS Everywhere and it's using
>>>>> pay.reddit.com. You can see the reports here:
>>>>>
>>>>> http://www.reddit.com/search?q=pay.reddit.com
>>>>>
>>>>> My understanding is that it's related to our CDN, Akamai, and so it
>>>>> may vary based on which edge server you get and whether or not you're
>>>>> logged in.
>>>>>
>>>>>> The reasons for using HTTPS are many including to prevent snooping on
>>>>>> the TOR Network.
>>>>>
>>>>> I completely agree that HTTPS is the way to go and we will make it
>>>>> available to all as soon as our infrastructure is configured to do it
>>>>> without causing issues for our users. At the moment, it only works on
>>>>> a subset of pages that are disallowed from using edge-caching (the pay
>>>>> pages which are used for credit card processing).
>>>>>
>>>>>> Removing/Disabling the whole site (when it is working) goes against
>>>>>> all the principles that EFF stands for. Unless it doesn't work it
>>>>>> should not be removed.
>>>>>
>>>>> I'm asking for the rules to be disabled because it's causing issues
>>>>> for our users as is amply supported by the many complaints on our
>>>>> site, not because we disagree with the use of HTTPS.
>>>>>
>>>>
>>>
>>
> _______________________________________________
> HTTPS-everywhere mailing list
> HTTPS-everywhere at mail1.eff.org
> https://mail1.eff.org/mailman/listinfo/https-everywhere
>
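
The mechanism this thread argues about (an active rule that sends reddit.com traffic to pay.reddit.com, a default-off Reddit+ rule, and per-URL exclusions), modelled as an added example that is not part of any message above or of HTTPS Everywhere's own code. The regex patterns, the `/static/` exclusion and the `rewrite` function are assumptions constructed for illustration.

```javascript
// Simplified model of HTTPS Everywhere-style ruleset evaluation.
// Both rulesets are CONSTRUCTED from the thread's description; they are not
// the project's real Reddit rule files.
const rulesets = [
  {
    name: "Reddit",                 // the active rule: route via pay.reddit.com
    defaultOff: null,               // null = enabled by default
    targets: ["reddit.com", "www.reddit.com"],
    // Hypothetical exclusion for a path assumed to break over pay.reddit.com.
    exclusions: [/^http:\/\/(www\.)?reddit\.com\/static\//],
    rules: [{ from: /^http:\/\/(www\.)?reddit\.com\//, to: "https://pay.reddit.com/" }],
  },
  {
    name: "Reddit+",                // same-host upgrade, shipped disabled
    defaultOff: "certificate mismatch on reddit.com / www.reddit.com",
    targets: ["reddit.com", "www.reddit.com"],
    exclusions: [],
    rules: [{ from: /^http:\/\/(www\.)?reddit\.com\//, to: "https://$1reddit.com/" }],
  },
];

// Returns the rewritten URL and the ruleset that produced it (or null).
// userEnabled lets a user override a ruleset's default on/off state.
function rewrite(url, sets, userEnabled = {}) {
  const host = new URL(url).hostname;
  for (const rs of sets) {
    const enabled = rs.name in userEnabled
      ? userEnabled[rs.name]
      : rs.defaultOff === null;
    if (!enabled || !rs.targets.includes(host)) continue;
    // An exclusion removes one URL from the ruleset without disabling the rest.
    if (rs.exclusions.some((re) => re.test(url))) continue;
    for (const rule of rs.rules) {
      const out = url.replace(rule.from, rule.to);
      if (out !== url) return { url: out, ruleset: rs.name };
    }
  }
  return { url, ruleset: null };    // no rule applied: request stays on HTTP
}

// Default state: ordinary pages are sent to pay.reddit.com.
console.log(rewrite("http://www.reddit.com/r/netsec/", rulesets));
// Excluded path: left untouched because Reddit+ is off by default.
console.log(rewrite("http://www.reddit.com/static/logo.png", rulesets));
// User turns on Reddit+ instead: the request goes to the host whose
// certificate the thread reports as mismatched.
console.log(rewrite("http://reddit.com/", rulesets, { "Reddit": false, "Reddit+": true }));
```
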


