[HTTPS-E Rulesets] reddit.com wants EFF to disable HTTPS???

Alex Xu alex_y_xu at yahoo.ca
Tue Aug 9 20:00:40 PDT 2011


Ah. I appear to have *sort-of* found the issue.

The problem appears to stem from a conflict between the commonly used 
Greasemonkey extension "Reddit Enhancement Suite", otherwise known as 
RES, and HTTPS-Everywhere. http://reddit.honestbleeps.com/

RES injects a style tag into the head of all Reddit pages. This style 
tag references several images on http://thumbs.reddit.com/ using the 
remote image capability (forgive me for the likely incorrect 
name)—accessed using url("")—of CSS.

Now, I'm not entirely sure what goes wrong here, as the images are 
loaded using regular HTTP. However, even with the Reddit rules (both of 
them) disabled, Firefox seems to complain that www.reddit.com:443 uses 
an invalid SSL certificate—this is *technically* correct, as it is 
signed for Akamai's site, not Reddit's.

Just to be sure, I disabled RES and navigated to 
https://pay.reddit.com/. No errors occurred.

This could be solved by disabling RES entirely, but that would disable a 
lot of functionality and annoy many users. The images could also be 
loaded statically using data URIs, but I'm not sure that's the solution 
either.

More investigation, including into why the images are loading using SSL 
despite Reddit rules being disabled, is needed to find the root cause of 
the problem and hopefully fix it, even if the Reddit rule is eventually 
disabled anyways due to other concerns.

On 2011-08-09 1:47 PM, Peter Eckersley wrote:
> Hi Neil,
>
> Despite the diversity of views in the project's open source community, we
> were, and are still, planning to push an update that disables the ruleset.
> That will probably happen today.
>
> There is a small possibility that it isn't the Reddit ruleset itself, but in fact
> some other ruleset related to 3rd party content on the reddit site, that is
> causing these reported problems.  I guess we'll find out if you continue to
> receive reports of this cert warning for users who have upgraded to the
> forthcoming 1.0.1 release.
>
> On Mon, Aug 08, 2011 at 06:55:30PM -0700, Neil Williams wrote:
>> I'm not really sure what you want me to say here, Victor. We continue
>> to get complaints from users of your extension (another example since
>> the last email: http://redd.it/jb6ek). Our mainline HTTPS support is
>> not going to change in the near future (it's a medium-term goal). So
>> since you're adamant about not removing the rule, we're going to have
>> to continue telling our users that HTTPS Everywhere is at fault for
>> sending them to a system not designed for their traffic, and probably
>> will end up blocking the requests altogether, though I'm loath to do
>> either of those things.
>>
>> On Sun, Aug 7, 2011 at 12:06 AM, Victor Garin <vic.garin at gmail.com> wrote:
>>> As of this time, it's working for me.
>>>
>>> I can access Reddit via https://pay.reddit.com/ without any Cert errors.
>>>
>>> I even signed up for an account right now there, and was able to use
>>> Reddit perfectly fine using https://pay.reddit.com/ server.
>>>
>>> I also used Tor, Exit Nodes located in different countries, and was
>>> still NOT able to reproduce the error.
>>>
>>> Have you been in touch with Akamai regarding this issue? What did they say?
>>>
>>> They are considered 'premium' for a reason I hope.
>>>
>>> On Sat, Aug 6, 2011 at 11:38 PM, Neil Williams <neil at reddit.com> wrote:
>>>> Two additional reports, this time specifically of cert errors:
>>>>
>>>> http://redd.it/jak59
>>>> http://redd.it/jb27e
>>>>
>>>> On Sat, Aug 6, 2011 at 11:32 PM, Neil Williams <neil at reddit.com> wrote:
>>>>>> Neil, can you please post to the Rules Mailing List next time
>>>>>
>>>>> My apologies.
>>>>>
>>>>>>
>>>>>> pay.reddit.com works fine for me....
>>>>>>
>>>>>> www.reddit.com == pay.reddit.com same content in HTTPS.
>>>>>>
>>>>>> Can you also point out where exactly (which URL) there is a bug when
>>>>>> the current ruleset is used?
>>>>>>
>>>>>
>>>>> There has been a flood of reports of SSL certificate issues when
>>>>> using pay.reddit.com in the last few days. In most of the cases I've
>>>>> seen, it's because they're using HTTPS Everywhere and it's using
>>>>> pay.reddit.com. You can see the reports here:
>>>>>
>>>>> http://www.reddit.com/search?q=pay.reddit.com
>>>>>
>>>>> My understanding is that it's related to our CDN, Akamai, and so it
>>>>> may vary based on which edge server you get and whether or not you're
>>>>> logged in.
>>>>>
>>>>>> The reasons for using HTTPS are many including to prevent snooping on
>>>>>> the TOR Network.
>>>>>
>>>>> I completely agree that HTTPS is the way to go and we will make it
>>>>> available to all as soon as our infrastructure is configured to do it
>>>>> without causing issues for our users. At the moment, it only works on
>>>>> a subset of pages that are disallowed from using edge-caching (the pay
>>>>> pages which are used for credit card processing).
>>>>>
>>>>>> Removing/Disabling the whole site (when it is working) goes against
>>>>>> all the principles that EFF stands for. Unless it doesn't work it
>>>>>> should not be removed.
>>>>>
>>>>> I'm asking for the rules to be disabled because it's causing issues
>>>>> for our users as is amply supported by the many complaints on our
>>>>> site, not because we disagree with the use of HTTPS.
>>>>>
>>>>
>>>
>
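The certificate mismatch Alex describes at the top of this message (a CDN edge answering www.reddit.com:443 with a certificate issued for other names, so a ruleset that rewrites http:// to https:// triggers a browser warning) can be confirmed with the following added example; it is not code from this thread, from HTTPS Everywhere or from reddit. The CDN certificate dict and the example-cdn.invalid names are constructed; check_tls_hostname needs network access and is only a convenience wrapper around the offline matching logic.

```python
"""Diagnose an "invalid certificate" warning on an HTTPS-rewritten host: fetch the
leaf certificate without hostname checking, list the names it carries, and say
whether any of them covers the host the ruleset sent the browser to."""
import socket
import ssl
from typing import Dict, List, Tuple

# Certificate dicts use the shape returned by ssl.SSLSocket.getpeercert().
def cert_names(cert: Dict) -> List[str]:
    """DNS names the certificate is valid for: SAN dNSName entries, else the subject CN."""
    names = [val for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # CN is only consulted when the cert carries no SAN dNSName
        for rdn in cert.get("subject", ()):
            for key, val in rdn:
                if key == "commonName":
                    names.append(val)
    return names

def label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: '*' is honoured only as the whole left-most label, never across dots."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or (len(p_labels) < 3 and "*" in pattern):
        return False  # label counts must agree; no wildcard directly under a TLD
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def hostname_matches(cert: Dict, hostname: str) -> bool:
    """True when at least one name on the certificate covers the requested hostname."""
    return any(label_matches(name, hostname) for name in cert_names(cert))

def check_tls_hostname(host: str, port: int = 443) -> Tuple[bool, List[str]]:
    """Live check (needs network): the chain is still validated against system CAs, but
    hostname checking is skipped so a trusted CDN cert for other names is returned, not
    rejected. An untrusted chain raises ssl.SSLError, which is a different failure."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the name comparison is done by hostname_matches() instead
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return hostname_matches(cert, host), cert_names(cert)

# Constructed sample: a CDN edge certificate that does not name the rewritten reddit host.
CDN_CERT = {
    "subject": ((("commonName", "edge.example-cdn.invalid"),),),
    "subjectAltName": (("DNS", "edge.example-cdn.invalid"), ("DNS", "*.example-cdn.invalid")),
}
```

Running `hostname_matches(CDN_CERT, "www.reddit.com")` reproduces the browser's verdict offline; `check_tls_hostname("www.reddit.com")` performs the same comparison against whatever the edge actually serves.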
