[HTTPS-E Rulesets] linuxfoundation.org

Seth David Schoen schoen at eff.org
Tue Feb 7 15:51:15 PST 2012


Mats Wichmann writes:

> The Linux Foundation has relaunched their services with a redirection
> scheme which breaks https-everywhere - at least for me, I assume my
> browser setup is not somehow unique. What seems to be happening is
> things drop into a redirection loop between the browser and the server
> and things eventually just time out. They're apparently not going to
> make adjustments:
> 
> ===
> Thanks for reporting this.  The behavior to force anonymous traffic to
> http was intentional, and since the site's behavior is compliant with
> standard browsers I don't think it's embarrassing to have them remove us
> from their ruleset.  (We use https for logged-in users with a
> secure-only flag on the cookie to circumvent session hijacking, which I
> assume is one of the purposes of https-everywhere.)
> ===

I don't agree with their reasoning at the highest level of generality,
for at least three reasons:

(1) People can still have privacy concerns about accessing information
that is completely public.  Wikipedia provides a clear example, because
even though everything hosted there is public, readers might not want
other people to know which articles they're reading and which topics
they're interested in.  In fact the same situation could apply to the
Linux Foundation's pages, because they have information with different
kinds of business advice for different Linux users and prospective
partners of the Linux Foundation, and sometimes readers could consider
their interest in particular information there sensitive.

(2) Active attackers can alter the content of any non-HTTPS page, like

http://www.ex-parrot.com/~pete/upside-down-ternet.html

(3) If the site is ever delivered over HTTP, active attackers can steal
users' passwords through SSL stripping even though the login page is
meant to be delivered over HTTPS.

http://www.thoughtcrime.org/software/sslstrip/

I realize that you're not the Linux Foundation and you're just reporting
on what they're doing, though.

> I read that https-everywhere is supposed to be able to work with sites
> that redirect everything back to http:// so not sure if the rule should
> be different, or if they need to be taught how to set up the site more
> appropriately.
> 
> Again: there is a ruleset for linuxfoundation.org, but the site has been
> completely relaunched since that was put in place.

It still works with the current site; if a site sends a redirect from
the HTTPS resource to an equivalent HTTP resource, HTTPS Everywhere
won't try to rewrite the HTTP resource a second time, but will just
allow the browser to load it.  It might be making their site slower than
necessary because the browser tries to load every resource in HTTPS
first, adding an extra HTTP round-trip.  If the Linux Foundation would
prefer, we can set the rule to default_off.

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107
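The two mechanisms discussed in the message (the ruleset rewriting http:// to https:// once per navigation and letting a server-side redirect back to HTTP stand, versus re-rewriting it and looping; and point (3), an sslstrip-style attacker on a site that serves anonymous pages over HTTP) modelled in one small simulation. This is an added illustration, not HTTPS Everywhere's or the Linux Foundation's code: the host `www.example.org`, the page contents, the redirect policy of the mock `origin()` and the rewrite-once rule in `fetch()` are all constructed assumptions chosen to match the behaviour described above, and the ruleset text only uses the `<ruleset>`/`<target>`/`<rule>` elements and the `default_off` attribute of the ruleset XML format.

```python
"""Added model, not project code: HTTPS Everywhere-style rewrite, a site that
sends anonymous traffic back to HTTP, and an sslstrip-style attacker."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

HOST = "www.example.org"  # constructed host standing in for the real site

# Constructed ruleset in the HTTPS Everywhere XML format; RULESET_OFF is the
# same ruleset with the default_off attribute Seth offers to set.
RULESET_ON = r"""<ruleset name="Example Site">
  <target host="example.org" />
  <target host="www.example.org" />
  <rule from="^http://(www\.)?example\.org/" to="https://www.example.org/" />
</ruleset>"""
RULESET_OFF = RULESET_ON.replace(
    '<ruleset name="Example Site">',
    '<ruleset name="Example Site" default_off="site redirects to http">')


def load_ruleset(xml_text):
    root = ET.fromstring(xml_text)
    return {
        "default_off": root.get("default_off"),
        "targets": {t.get("host") for t in root.findall("target")},
        "rules": [(re.compile(r.get("from")), r.get("to")) for r in root.findall("rule")],
    }


def rewrite(ruleset, url):
    """One pass of the ruleset over a URL (the 'to' strings here use no backreferences)."""
    if ruleset["default_off"] or urlsplit(url).hostname not in ruleset["targets"]:
        return url
    for pattern, to in ruleset["rules"]:
        if pattern.match(url):
            return pattern.sub(to, url, count=1)
    return url


# Constructed site content: the front page links to an HTTPS login form.
PAGES = {
    "/": f'<a href="https://{HOST}/login">Log in</a>',
    "/login": f'<form method="post" action="https://{HOST}/login"><input name="password"></form>',
}


def origin(url):
    """Mock server: anonymous pages are forced to HTTP, the login page to HTTPS."""
    u = urlsplit(url)
    if u.path == "/login":
        return (200, None, PAGES["/login"]) if u.scheme == "https" \
            else (302, f"https://{HOST}/login", None)
    if u.scheme == "https":
        return 302, f"http://{HOST}{u.path}", None
    return 200, None, PAGES.get(u.path, "")


def sslstrip(url):
    """Active attacker on the plaintext path. TLS requests reach the origin
    untouched; HTTP requests are proxied, any redirect to HTTPS is followed by
    the attacker itself, and https:// references in the page are downgraded."""
    if url.startswith("https://"):
        return origin(url)
    status, location, body = origin(url)
    while status in (301, 302) and location.startswith("https://"):
        status, location, body = origin(location)
    if status in (301, 302):
        return status, location, None
    return status, None, body.replace("https://", "http://")


def fetch(url, ruleset, network, rewrite_redirects=False, max_hops=10):
    """Browser with the extension: rewrite the navigation URL once, then take
    redirect targets as the server sent them. rewrite_redirects=True models the
    naive alternative, which loops on a site that bounces HTTPS back to HTTP."""
    url = rewrite(ruleset, url)
    for hops in range(1, max_hops + 1):
        status, location, body = network(url)
        if status in (301, 302):
            url = rewrite(ruleset, location) if rewrite_redirects else location
            continue
        return url, body, hops
    raise RuntimeError("redirect loop")


def login_flow(ruleset_xml, network, rewrite_redirects=False):
    """Visit the front page, follow its login link, and report how many
    requests the front page cost and over which scheme the password would go."""
    ruleset = load_ruleset(ruleset_xml)
    _, home, home_hops = fetch(f"http://{HOST}/", ruleset, network, rewrite_redirects)
    link = re.search(r'href="([^"]+)"', home).group(1)
    _, form, _ = fetch(link, ruleset, network, rewrite_redirects)
    action = re.search(r'action="([^"]+)"', form).group(1)
    return {"front_page_requests": home_hops,
            "password_sent_over": urlsplit(action).scheme}


if __name__ == "__main__":
    for name, xml_text in (("rule on", RULESET_ON), ("default_off", RULESET_OFF)):
        for net in (origin, sslstrip):
            print(name, net.__name__, login_flow(xml_text, net))
```

With the rule on, the front page costs two requests (the extra round-trip Seth mentions) and, in this model, the stripped http:// login link is rewritten back to https:// on the next navigation, so the form still arrives over TLS; with `default_off` the front page costs one request but the attacker relays the login form over plaintext and the password is posted in the clear, which a secure-only session cookie does nothing to prevent. Calling `fetch` with `rewrite_redirects=True` against the rule-on ruleset raises `RuntimeError("redirect loop")`, the failure mode Mats reported.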
