[HTTPS-E Rulesets] Exception to HTTPs Everywhere

[Peter Eckersley]

Hi Ted,

I don't think that any existing problems at w3.org should be caused by HTTPS
Everywhere, because we don't currently ship a ruleset for the W3C!  It's
possible that it's HTTPS Finder, KB SSL Enforcer, or some other browser
extension that probes HTTPS for every domain.

Of course, if you would /like/ to write a rulesets for the subdomains of
w3.org that support HTTPS we'd be happy to ship it ;).  The syntax is
documented here:

https://www.eff.org/https-everywhere

Discussion about and submission of rulesets happens on this mailing list:

https://mail1.eff.org/mailman/listinfo/https-everywhere-rules


On Sun, May 15, 2011 at 03:54:27PM +0200, Ted Guild wrote:
> Peter,
> 
> We are getting ready to deploy selective SSL switching at W3C. Whenever
> credentials are required or content is intended to be confidential our
> access control system will automatically redirect the user to the
> corresponding HTTPS uri.  Any content that is open to the public and
> doesn't send session data will be served via HTTP, redirecting to HTTP
> if the user accesses a HTTPS link (eg following a relative link).
> 
> While many sites send information they shouldn't in the clear, we are
> going to apply SSL correctly.  We get an excessive amount of traffic (up
> to 1/2 billion per day for DTD and schemata alone) and would rather not
> have to serve content more costly through SSL than we have to.  As such
> please add w3.org to an exception list so that HTTPs Everywhere does not
> compete with our server side redirection.
> 
> We are already finding issues with our SSL switching scheme and
> unintended traffic from HTTPs Everywhere before we put this SSL
> switching into full production.
> 
> Regards,
> 
> -- 
> Ted Guild <ted at w3.org>
> W3C Systems Team
> http://www.w3.org
> 
> 

-- 
Peter Eckersley                            pde at eff.org
Senior Staff Technologist         Tel  +1 415 436 9333 x131
Electronic Frontier Foundation    Fax  +1 415 436 9993