[HTTPS-E Rulesets] Comments on multiple rulesets (Jan-3)

Christopher Liu cmliu00151 at gmail.com
Tue Jan 3 16:16:28 PST 2012


To whom it may concern:

My comments are sorted alphabetically by name of ruleset this time.
Some may refer to my previous submissions which are not yet in the
stable builds. Again, sorry that I haven't been keeping up with the
development builds.

Caltech:
I merged two regexes into one (regarding www_alumni and mail_alumni)
in a way that does not change functionality. I have also clarified
some comments, which is why this is attached.

Microsoft:
I understand that the exclusion containing "FamilyID" fixes old-style
download pages which would break in https. However, I have seen search
engines return results that contain "familyid" (in all lowercase), so
the exclusion should account for that too.
Also, here is a partial rule for support.microsoft.com, covering some
images which I know to support https:
<rule from="^http://support\.microsoft\.com/library/images/support/"
      to="https://support.microsoft.com/library/images/support/" />

NYTimes:
Please add myaccount.nytimes.com (it seems already to enforce https,
but it still deserves protection against sslstrip).

Nokia:
Please add bugreports.qt.nokia.com (it seems already to enforce
https, but it still deserves protection against sslstrip).

Pastebin.ca:
My request to disable this ruleset still stands, although my earlier
comments were incorrect about the site being defunct. Currently it
works in plain http, but no https connection can be established.

UCSD:
I added gradapply.ucsd.edu and ucsdbkst.ucsd.edu to the first
section ("normally https only"). I added bookstore.ucsd.edu to the
second section ("supports https but doesn't enforce..."). The cert
doesn't seem to be valid for www.bookstore.ucsd.edu so I redirected
it to the domain without www.
www-cse.ucsd.edu actually exists on 6 domains (www DOT, www HYPHEN,
or neither; cs or cse) which are all SubjectAltNames in the same
certificate and all work properly. I have also clarified some
comments, which is why this is attached.

Thank you for your time and help.

C. Liu
-------------- next part --------------
<ruleset name="Caltech">
<!-- My ability to test is limited in that I have graduated from Caltech.
     If a problem is reported, please be nice and try to avoid disabling
     the entire ruleset by default (instead consider splitting access and
     www.its into another ruleset while the rest is being fixed up).

     to investigate: www.gradoffice.caltech.edu -->
<!-- normally https only; protect against sslstripping -->
   <target host="access.caltech.edu" />
   <target host="alumni.caltech.edu" />
   <target host="www.alumni.caltech.edu" />
   <target host="courses.caltech.edu" />
   <target host="irsecure.caltech.edu" />
   <target host="mail.alumni.caltech.edu" />
   <target host="tqfr.caltech.edu" />
   <target host="utils.its.caltech.edu" />
   <target host="webmail.caltech.edu" />
   <target host="webvpn.caltech.edu" />
   <!-- XXX: These sites are only for faculty and/or staff. See System Status on www.imss.caltech.edu.
        Some may require Internet Explorer, so this list may not be useful.
        The following need to be investigated: outlookweb, kronos, kronoslimited, fiji, jobs -->
   <target host="techne1.caltech.edu" />
   <target host="business-query.caltech.edu" />
   <!-- <target host="solutions.sciquest.com" /> -->
   <target host="nassau.caltech.edu" />
   <target host="pcard.caltech.edu" />
   <target host="scriptor.caltech.edu" />
   <!-- These enforce https via redirection but are self-signed :-(
        courses.hss contains essential course material. dabney used to have a valid cert but doesn't anymore...? -->
   <target host="courses.hss.caltech.edu" />
   <target host="dabney.caltech.edu" />
<!-- supports https but doesn't enforce it on all pages -->
   <target host="www.its.caltech.edu" />
<!-- redirectors -->
   <target host="www.access.caltech.edu" />
   <target host="its.caltech.edu" />
   <target host="moodle.caltech.edu" />

   <rule from="^http://(www\.)?access\.caltech\.edu/" to="https://access.caltech.edu/" />
<!-- alumni.caltech.edu/~foo/bar (with any tilde-folder) redirects to alumnus.caltech.edu, which lacks https.
     However, no breakage results from protecting the initial hit -->
   <rule from="^http://(www\.|mail\.)?alumni\.caltech\.edu/" to="https://$1alumni.caltech.edu/" />
   <rule from="^http://(courses|moodle)\.caltech\.edu/" to="https://courses.caltech.edu/" />
<!-- irsecure might no longer be used on the redesigned alumni pages -->
   <rule from="^http://irsecure\.caltech\.edu/" to="https://irsecure.caltech.edu/" />
   <rule from="^http://tqfr\.caltech\.edu/" to="https://tqfr.caltech.edu/" />
   <rule from="^http://utils\.its\.caltech\.edu/" to="https://utils.its.caltech.edu/" />
   <rule from="^http://webmail\.caltech\.edu/" to="https://webmail.caltech.edu/" />
   <rule from="^http://webvpn\.caltech\.edu/" to="https://webvpn.caltech.edu/" />

   <rule from="^http://techne1\.caltech\.edu/" to="https://techne1.caltech.edu/" />
   <rule from="^http://business-query\.caltech\.edu:8181/" to="https://business-query.caltech.edu:8181/" />
   <rule from="^http://nassau\.caltech\.edu:4444/" to="https://nassau.caltech.edu:4444/" />
   <rule from="^http://pcard\.caltech\.edu/" to="https://pcard.caltech.edu/" />
   <rule from="^http://scriptor\.caltech\.edu/" to="https://scriptor.caltech.edu/" />

   <rule from="^http://courses\.hss\.caltech\.edu/" to="https://courses.hss.caltech.edu/" />
   <rule from="^http://dabney\.caltech\.edu/" to="https://dabney.caltech.edu/" />

   <rule from="^http://(www\.)?its\.caltech\.edu/" to="https://www.its.caltech.edu/" />
</ruleset>
-------------- next part --------------
<ruleset name="UCSD">
<!-- The submitter does NOT have an official position with UCSD's information technology departments. -->
<!-- quikpayasp.com (E-Check) and services.jsatech.com (TritonCash) need separate
     rulesets because these domains also provide services for other universities.
     Does uc.sumtotalsystems.com (ultimate destination of uclearning) belong here,
     or do other UCs use it too?
-->
<!-- TODOs:
   <target host="acs.ucsd.edu" /> (a few pages redirect to acms)
   <target host="m.ucsd.edu" /> (mobile redirection script supports https because it is used on TritonLink)
   <target host="ogs-calendar.ucsd.edu" />
   <target host="students.ucsd.edu" /> (supports https for some embedded content on TritonLink)
   <target host="ted.ucsd.edu" /> (probably incomplete https support)
   <target host="vcsaforms.ucsd.edu" /> (hit during TritonLink logout; is it sslstrip-vulnerable anywhere?)
   <target host="webct.ucsd.edu" /> (redirector; check behavior when logged in vs. out)
   <target host="webctweb.ucsd.edu" /> (superseded by ted)
   <target host="www-no.ucsd.edu" /> (Network Operations, used by ResNet registration etc. not sure if https enforced.
                                      www-ono.ucsd.edu seems to exist too - Old Network Operations?)
   <target host="www.ucsd.edu" /> (supports https for some embedded content on TritonLink)
     My ability to test is limited in that I'm not currently enrolled in any classes that use WebCT/Ted.

     Apparently TritonLink used to be called StudentLink; this info is several years old and not worth worrying about.
     (See https://sites.google.com/site/ucsdecegsc/information-for-new-students/tips-for-new-students )

     Some research group websites have intentionally different content on http and https, with the latter for private group use.
-->
<!-- normally https only; protect against sslstripping -->
   <target host="a4.ucsd.edu" />
   <target host="acs-webmail.ucsd.edu" />
   <target host="altng.ucsd.edu" />
   <target host="aventeur.ucsd.edu" />
   <target host="cinfo.ucsd.edu" />
   <target host="facilities.ucsd.edu" />
   <target host="gradapply.ucsd.edu" />
   <target host="graduateapp.ucsd.edu" />
   <target host="myucsdchart.ucsd.edu" />
   <target host="sdacs.ucsd.edu" />
   <target host="shs.ucsd.edu" />
   <target host="ucsdbkst.ucsd.edu" />
<!-- supports https but doesn't enforce it on all pages -->
   <target host="acms.ucsd.edu" />
   <target host="bookstore.ucsd.edu" />
   <target host="www.bookstore.ucsd.edu" />
   <target host="cs.ucsd.edu" />
   <target host="www.cs.ucsd.edu" />
   <target host="cse.ucsd.edu" />
   <target host="www.cse.ucsd.edu" />
   <target host="roger.ucsd.edu" />
   <target host="uxt.ucsd.edu" />
   <target host="www-cs.ucsd.edu" />
   <target host="www-cse.ucsd.edu" />
<!-- only some features support https; protect them against sslstripping (not Firesheep) -->
   <target host="act.ucsd.edu" />
   <target host="hds.ucsd.edu" />
   <target host="health.ucsd.edu" />
   <target host="libraries.ucsd.edu" />
   <target host="studenthealth.ucsd.edu" /><!-- Ask-A-Question enforces https, but unfortunately it is signed by ipsCA. See note below -->
   <target host="www-act.ucsd.edu" />
<!-- redirectors
     TODO: full Link Family list at http://blink.ucsd.edu/technology/help-desk/applications/link-family/list.html -->
   <target host="accesslink.ucsd.edu" />
   <target host="cri.ucsd.edu" />
   <target host="desktop.ucsd.edu" />
   <target host="financiallink.ucsd.edu" />
   <target host="iwdc.ucsd.edu" />
   <target host="marketplace.ucsd.edu" />
   <target host="mytritonlink.ucsd.edu" />
   <target host="www.mytritonlink.ucsd.edu" />
   <target host="resnet.ucsd.edu" />
   <target host="software.ucsd.edu" />
   <target host="sysstaff.ucsd.edu" />
   <target host="tritonlink.ucsd.edu" />
   <target host="www.tritonlink.ucsd.edu" />
   <target host="uclearning.ucsd.edu" />
   <target host="www-acs.ucsd.edu" />

<!-- Other things could stand to have securecookie, but these are the most important:
     a4 is used for login pages and some embedded scripts related to the login system. It doesn't yet flag its cookies as https-only.
     acs-webmail uses at least two cookies, only one of which is normally flagged https-only. -->
   <securecookie host="^(.+\.)?a(4|cs-webmail)\.ucsd\.edu$" name=".*" />

   <rule from="^http://a4\.ucsd\.edu/" to="https://a4.ucsd.edu/" />
   <rule from="^http://acs-webmail\.ucsd\.edu/" to="https://acs-webmail.ucsd.edu/" />
   <rule from="^http://altng\.ucsd\.edu/" to="https://altng.ucsd.edu/" />
   <rule from="^http://aventeur\.ucsd\.edu/" to="https://aventeur.ucsd.edu/" />
   <rule from="^http://cinfo\.ucsd\.edu/" to="https://cinfo.ucsd.edu/" />
   <rule from="^http://facilities\.ucsd\.edu/" to="https://facilities.ucsd.edu/" />
   <rule from="^http://gradapply\.ucsd\.edu/" to="https://gradapply.ucsd.edu/" />
   <rule from="^http://graduateapp\.ucsd\.edu/" to="https://graduateapp.ucsd.edu/" />
   <rule from="^http://myucsdchart\.ucsd\.edu/" to="https://myucsdchart.ucsd.edu/" />
   <rule from="^http://sdacs\.ucsd\.edu/" to="https://sdacs.ucsd.edu/" />
   <rule from="^http://shs\.ucsd\.edu/" to="https://shs.ucsd.edu/" />
   <rule from="^http://ucsdbkst\.ucsd\.edu/" to="https://ucsdbkst.ucsd.edu/" />

   <rule from="^http://acms\.ucsd\.edu/" to="https://acms.ucsd.edu/" />
   <rule from="^http://(www\.)?bookstore\.ucsd\.edu/" to="https://bookstore.ucsd.edu/" />
   <rule from="^http://roger\.ucsd\.edu/" to="https://roger.ucsd.edu/" />
   <rule from="^http://uxt\.ucsd\.edu/" to="https://uxt.ucsd.edu/" />
   <rule from="^http://(www[-\.])?cs(e)?\.ucsd\.edu/" to="https://$1cs$2.ucsd.edu/" />

<!-- I may have missed something related to TritonCash activation.
     The rest of hds redirects to hdh.ucsd.edu, which lacks https -->
   <rule from="^http://hds\.ucsd\.edu/(ARCH_WaitList/ARCHMainMenu\.aspx|conference/RequestInfo/|HospitalityExpress)" 
           to="https://hds.ucsd.edu/$1" />
   <rule from="^http://health\.ucsd\.edu/request_appt/" 
           to="https://health.ucsd.edu/request_appt/" />
   <rule from="^http://libraries\.ucsd\.edu/digital/"
           to="https://libraries.ucsd.edu/digital/" />
<!-- Most of studenthealth.ucsd.edu does not enforce https.
     The Ask-A-Question feature, located in the folder /secure/askaquestion/, does enforce https, and it requires login (via a4 page).
     As of my last update, the cert was from ipsCA, so it will cause an error. It may be replaced with a valid cert in the future.
     This rule only protects against sslstripping. The cert error is NOT this rule's fault and would still occur without the rule. -->
   <rule from="^http://studenthealth\.ucsd\.edu/secure/" 
           to="https://studenthealth.ucsd.edu/secure/" />
<!-- Link Family is migrating from www-act to act. Redirection exists. The last segment handles CamelCased names like studentDirectDeposit -->
   <rule from="^http://(www-)?act\.ucsd\.edu/(bsl/home|cgi-bin/[A-Za-z]+link\.pl|marketplace-sso|mytritonlink/view|myTritonlink20|student[A-Z][A-Za-z]+/[A-Za-z]+)" 
           to="https://$1act.ucsd.edu/$2" />

   <rule from="^http://accesslink\.ucsd\.edu/" 
           to="https://altng.ucsd.edu/" />
<!-- err on the side of not breaking things, hoping that no subpages are used -->
   <rule from="^http://financiallink\.ucsd\.edu/$"
           to="https://www-act.ucsd.edu/cgi-bin/financiallink.pl" />
   <rule from="^http://marketplace\.ucsd\.edu/$"
           to="https://www-act.ucsd.edu/marketplace-sso/signon" />
   <rule from="^http://(www\.)?(my)?tritonlink\.ucsd\.edu/$" 
           to="https://www-act.ucsd.edu/myTritonlink20/display.htm" />
   <rule from="^http://uclearning\.ucsd\.edu/" 
           to="https://a4.ucsd.edu/lms/" />
<!-- redirects to acms go below -->
<!-- cri ultimately redirects to the ACMS homepage because the CRI dept was closed, although this rule is correct for the initial bounce. That isn't our problem
     TODO: These have subpages. resnet has been tested fairly well, except the conference guest registration (resnet.ucsd.edu/conf), but software and maybe iwdc need more testing. -->
   <rule from="^http://(cri|desktop|iwdc|resnet|software|sysstaff)\.ucsd\.edu/" 
           to="https://acms.ucsd.edu/units/$1/" />
   <rule from="^http://www-acs\.ucsd\.edu/$" 
           to="https://acms.ucsd.edu/index.shtml" />
   <rule from="^http://www-acs\.ucsd\.edu/account-tools/oce-intro\.shtml$" 
           to="https://acms.ucsd.edu/students/oce-intro.shtml" />
   <rule from="^http://www-acs\.ucsd\.edu/instructional/?$" 
           to="https://acms.ucsd.edu/students/" />
<!-- might this work:
   <rule from="^http://(www-)?acs\.ucsd\.edu/(.+)\.(css|js)$"
           to="https://acms.ucsd.edu/$2.$3" />
-->
</ruleset>
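As an added example (not part of this message or of the HTTPS Everywhere project), a small Python checker that applies ruleset regexes the way the extension does: JavaScript-style $n backreferences are converted, exclusions are consulted before any rule, and the merged alumni and cs/cse rules from the attached rulesets are exercised against the six www/www-/bare host variants the message describes. The download.example.test host, its rule and its case-tolerant exclusion are constructed stand-ins for the Microsoft "FamilyID" case; the real ruleset is not on the page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed mini-ruleset for testing only (not a real HTTPS Everywhere file).
# The two merged rules are copied from the attached Caltech and UCSD rulesets;
# the download.example.test entries are placeholders for the Microsoft case.
RULESET_XML = r"""
<ruleset name="Test">
  <exclusion pattern="^http://download\.example\.test/.*[Ff]amily[Ii][Dd]=" />
  <rule from="^http://(www\.|mail\.)?alumni\.caltech\.edu/" to="https://$1alumni.caltech.edu/" />
  <rule from="^http://(www[-\.])?cs(e)?\.ucsd\.edu/" to="https://$1cs$2.ucsd.edu/" />
  <rule from="^http://download\.example\.test/" to="https://download.example.test/" />
</ruleset>
"""


def load_ruleset(xml_text):
    """Parse <exclusion> and <rule> elements into compiled regexes."""
    root = ET.fromstring(xml_text)
    exclusions = [re.compile(e.get("pattern")) for e in root.findall("exclusion")]
    rules = []
    for rule in root.findall("rule"):
        # HTTPS Everywhere 'to' strings use $1, $2...; Python's re.sub wants \g<1>, \g<2>...
        to = re.sub(r"\$(\d+)", r"\\g<\1>", rule.get("to"))
        rules.append((re.compile(rule.get("from")), to))
    return exclusions, rules


def rewrite(ruleset, url):
    """Return the https URL the ruleset produces, or None if it leaves the URL alone."""
    exclusions, rules = ruleset
    # A matching exclusion disables the whole ruleset for that URL.
    if any(e.search(url) for e in exclusions):
        return None
    for pattern, to in rules:
        if pattern.search(url):
            # Unmatched optional groups ($1 when no www./mail. prefix) expand to ''.
            return pattern.sub(to, url, count=1)
    return None


def cs_host_variants():
    """The six hosts (bare, www., www-) x (cs, cse) the message says share one cert."""
    return [f"{p}{d}.ucsd.edu" for p in ("", "www.", "www-") for d in ("cs", "cse")]


def all_variants_rewrite(ruleset):
    """True if every variant is upgraded to https on the same host, path preserved."""
    return all(rewrite(ruleset, f"http://{h}/index.html") == f"https://{h}/index.html"
               for h in cs_host_variants())


RULESET = load_ruleset(RULESET_XML)
```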

