[HTTPS-E Rulesets] More ruleset comments

Christopher Liu cmliu00151 at gmail.com
Sun Sep 25 21:48:38 PDT 2011


To whom it may concern:

No attachments this time, just a plain-English explanation of the
suggested changes. Sorry for not mentioning these in time for 1.0.2 /
2.0development.1 as I have still been busy. I am currently using the
stable build and do not have a lot of time to test the development
build.

--The following apply to rulesets shipped in stable builds--
Bloglines and EPEAT remain broken for me, with the symptoms unchanged
from my last report. (Reminder: The symptoms are a general connection
failure for Bloglines and ssl_error_rx_record_too_long for EPEAT. I
have no problem accessing these sites in plain HTTP, so I believe
nothing is specifically blocking these sites. I haven't changed any
configs that might specifically cause this problem.)

Dr. Web has a comment that states "includes plaintext from st. drweb.
com," which I assume is obsoleted by the rule and target that are
currently present for that domain. Please remove the comment if
appropriate.

Flickr has recently added HTTPS support for the farm#. static. flickr.
com servers used to hold image content. (Valid digits include at least
1 through 7, but I'm not sure this is comprehensive.) Such a rule is
mainly to protect third-party use of the images - it would not fix
mixed content on secure. flickr. com itself, on which l. yimg. com is
the offender.

Concerning the Wikipedia ruleset, the second-level domain wikisource.
org has actual wiki content. The secure equivalent is https ://
secure. wikimedia. org/wikipedia/sources/ . This should be handled by
a pair of rules for $ and (w|wiki)/, similar to what I submitted for
mediawiki. org and wikimediafoundation. org, except that (www\.)?
should not be included. (This fixes mixed content on language-specific
Wikisources, which load some CSS/JS from wikisource. org.)

--The following apply to rulesets NOT yet shipped in stable builds--
Concerning the dev version of the UCSD ruleset, please add a trivial
target and rule for aventeur. ucsd. edu to the first section
("normally https only"). ("Trivial" means "simply rewrite http to
https on the exact domain")

Concerning my previously submitted Caltech ruleset, please add a
trivial target and rule for tqfr. caltech. edu to the first section
("normally https only").

Concerning my previously submitted YouTube (partial) ruleset, please
add "api/moderator" and "subscription" to the list of safe URL items -
that is, the rule containing (all_comments|api/moderator|artist| ...
("subscription" is short for "subscription_center"; using a shorter
word to cover possible variants/future changes. Again, this is just
for informational purposes - I'm aware this ruleset might never be
shipped as submitted)

--New ruleset: Binaryturf--
hxxp obfuscation has been used in the "from" fields of the rule
elements to prevent hyperlinking of URL parts. Elsewhere, only
extraneous spacing is used for this purpose. Obviously, I've left out
some basic XML syntax for brevity / to avoid attracting suspicion from
anti-malware systems.

target host="binaryturf. com" /
target host="www. binaryturf. com" /
target host="forums. binaryturf. com" /
rule from="^hxxp://(www\.)?binaryturf\.com/" to="https :// www.
binaryturf. com/" /
rule from="^hxxp://forums\.binaryturf\.com/$" to="https :// www.
binaryturf. com/forum/" /

forums. binaryturf. com is just a redirector and should not have any
(working) subpages to the best of my knowledge.


Again, thank you for your time and help.

C. Liu
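
Added example, not part of the original message or of the HTTPS Everywhere code base: a small JavaScript matcher that applies the Binaryturf rules above (with the hxxp and spacing obfuscation undone) and the "trivial" rule as the message defines it, and lists URLs on a declared target host that no rule upgrades. It assumes the first matching rule wins; `trivialRuleset`, `rewrite` and `uncovered` are hypothetical names, and the sample URLs in the comments are constructed.

```javascript
// Binaryturf ruleset from the message, de-obfuscated (hxxp -> http, spacing removed).
const binaryturf = {
  targets: ["binaryturf.com", "www.binaryturf.com", "forums.binaryturf.com"],
  rules: [
    { from: /^http:\/\/(www\.)?binaryturf\.com\//, to: "https://www.binaryturf.com/" },
    // Anchored with $: only the bare forums root is redirected, as the message intends.
    { from: /^http:\/\/forums\.binaryturf\.com\/$/, to: "https://www.binaryturf.com/forum/" },
  ],
};

// "Trivial" rule as defined in the message: rewrite http to https on the exact domain.
function trivialRuleset(host) {
  const escaped = host.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // escape regex metacharacters
  return {
    targets: [host],
    rules: [{ from: new RegExp("^http://" + escaped + "/"), to: "https://" + host + "/" }],
  };
}

// Returns the rewritten URL, or null when the request would stay as it is.
// Assumption of this example: the host must be a declared target, and the
// first rule whose "from" pattern matches is the one applied.
function rewrite(ruleset, url) {
  const u = new URL(url); // normalizes "http://host" to "http://host/"
  if (!ruleset.targets.includes(u.hostname)) return null;
  for (const { from, to } of ruleset.rules) {
    if (from.test(u.href)) return u.href.replace(from, to);
  }
  return null;
}

// Review helper: plain-HTTP URLs on a declared target host that no rule upgrades.
function uncovered(ruleset, urls) {
  return urls.filter((url) => {
    const u = new URL(url);
    return u.protocol === "http:" &&
      ruleset.targets.includes(u.hostname) &&
      rewrite(ruleset, url) === null;
  });
}

// Constructed sample:
//   rewrite(binaryturf, "http://forums.binaryturf.com/viewtopic.php?t=1") returns null,
//   so that request stays on plain HTTP; only the forums root is redirected.
```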


