[HTTPS-E Rulesets] Pull request for 4 new/updated rules; and an idea for coping with bad certificate CN/untrusted CAs/self-signed certs
Peter Eckersley
pde at eff.org
Mon Apr 30 11:02:18 PDT 2012
On Sun, Apr 29, 2012 at 03:19:37PM +0200, Ondrej Mikle wrote:
> On 04/29/2012 06:13 AM, Peter Eckersley wrote:
> > On Sat, Apr 28, 2012 at 04:52:02PM +0200, Ondrej Mikle wrote:
> >
> >> One question towards secure cookies: The reddit.com rule needs to define
> >> <target host=".reddit.com">, otherwise some of the cookies won't be switched
> >> to secure. Though I haven't seen anything like that in any other rule. Some
> >> weird anomaly?
> >
> > ".reddit.com" is not a valid target host; it won't match anything.
>
> Actually it does. Either of these <target> elements works with the securecookie
> rule (tried 2.0.3 and latest 3.0.x master HEAD
> e0980ca1a78188836d2164b5c0c99079a63a4c97):
>
> <target host="*.reddit.com"/>
> <target host=".reddit.com"/>
The second line won't be the reason it works. The <target host> attributes
are stored here:
https://gitweb.torproject.org/https-everywhere.git/blob/master:/src/chrome/content/code/HTTPSRules.js#l310
And the host portions of URLs are matched against them here:
https://gitweb.torproject.org/https-everywhere.git/blob/master:/src/chrome/content/code/HTTPSRules.js#l492
I'm pretty sure that ".reddit.com" could only be matched by that code if you
were able to get the browser to fetch a http://.reddit.com URL.
In fact I think that <target host=".reddit.com"> will actually cause the build
scripts to fail if you have xmllint installed.
--
Peter Eckersley pde at eff.org
Technology Projects Director Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993
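Added illustration, not HTTPS Everywhere's own code: a simplified target-host lookup of the kind the reply describes, with <target host> values as keys in a table and a URL's host matched by trying the exact host and then wildcard variants. The candidate-key order and the well-formedness check are assumptions made for this example; it shows why a ".reddit.com" key is only reachable from a URL whose host is literally ".reddit.com".

```javascript
// Constructed sample table: ruleset names keyed by <target host> value.
// ".reddit.com" is the form under discussion; it is included to show
// that the lookup never reaches it for a normal host.
const TARGETS = {
  "*.reddit.com": ["Reddit"],
  ".reddit.com": ["Reddit-leading-dot"],
  "reddit.com": ["Reddit"],
  "*.google.com": ["Google"],
};

// Candidate keys for a URL host (assumed scheme): the host itself, the
// host with each label replaced by "*" in turn, then "*." prefixed to
// each shorter suffix. No candidate ever starts with a bare ".".
function candidateKeys(host) {
  const labels = host.split(".");
  const keys = [host];
  for (let i = 0; i < labels.length; i++) {
    const saved = labels[i];
    labels[i] = "*";
    keys.push(labels.join("."));
    labels[i] = saved;
  }
  for (let i = 1; i <= labels.length - 2; i++) {
    keys.push("*." + labels.slice(i).join("."));
  }
  return [...new Set(keys)];
}

// Rulesets whose <target host> matches the given URL host.
function applicableRulesets(targets, host) {
  const found = [];
  for (const key of candidateKeys(host)) {
    if (Object.prototype.hasOwnProperty.call(targets, key)) {
      found.push(...targets[key]);
    }
  }
  return found;
}

// Assumed build-time sanity check for a <target host> value, in the
// spirit of the xmllint failure mentioned above: every label must be
// non-empty (so a leading "." is rejected) and "*" may only stand alone.
function isWellFormedTargetHost(host) {
  return host
    .split(".")
    .every((l) => l.length > 0 && (l === "*" || !l.includes("*")));
}
```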