[HTTPS-E Rulesets] More ruleset update requests (30-Jan)

Christopher Liu cmliu00151 at gmail.com
Mon Jan 30 17:09:22 PST 2012


To whom it may concern:

The release package contains an extraneous file named
GoogleMaps.xml~HEAD located in the same folder as default.rulesets. It
looks like HTTPS-Everywhere tries to load this as a ruleset and logs
an error because of a name conflict with the real GoogleMaps ruleset.
This has been true for the last two or three stable builds.


CACert:
I am getting handshake failures with svn.cacert.org, possibly because
it requires a client certificate; should it be excluded? (I am
reasonably sure that I have the CACert root certificates installed
properly. I am not involved in any way with the CACert project; I
noticed the issue because of an embedded image in
https://blog.cacert.org/2011/11/537.html )

CCC:
In the exclusion for blog.chaosradio.ccc.de, the first period is not
escaped. I assume this is a mistake.

ChillingEffects:
Please add images.chillingeffects.org; currently
https://www.chillingeffects.org/weather.cgi has mixed content due to
an image using the absolute URI
http://images.chillingeffects.org/xml.gif .

EFF:
I don't think the exclusion for action.eff.org is needed anymore. Is
that correct?

McAfee:
Please consider disabling the ruleset, or at least removing the parts
that apply to home.mcafee.com. The status is the same as I reported
previously:
www.mcafee.com redirects back to http; home.mcafee.com shows a blank
page; images.scanalert.com still works

Microsoft:
HTTPS support exists for the images in the folder
support.microsoft.com/library/images/support/ (I'm guessing a broader
rule would cause breakage)

TorrentFreak:
The site currently prefers the domain without www (i.e., www sends 301
redirects pointing to no-www, regardless of protocol). The "to" side
of the rules should probably be changed accordingly.

UCSD (attached):
This addresses a couple of my TODOs regarding the subdomains ted and
acs. I have determined that the former globally enforces https. On the
latter, one specific page /troublereport/ has an equivalent on the
acms domain.
Also: 1) determined that the Housing-Dining-Hospitality dept (hdh /
hds) fully supports https; 2) added classPlanner to the list of
TritonLink subpages; 3) added some other sites (ECE, Nanoengineering,
Structural Engineering) which are on the same host as CSE and valid
via SubjectAltName
Please pay attention to the revised first comment. It states that I'd
prefer not to put contact information in the ruleset, so users with
questions/concerns should email this mailing list, which should then
forward the message to me if necessary.

Wikipedia:
I have been getting certificate problems with wikitech.wikimedia.org;
as far as I know, it has never been publicly valid. (The "wikitech:"
interwiki prefix on WMF wikis is usually hardcoded to plain http, for
what I assume to be this reason.)
Also, please add an exclusion for planet.wikimedia.org and subdomains
thereof, if you have not already: see
https://bugzilla.wikimedia.org/show_bug.cgi?id=32028
Some recently added exclusions have unescaped periods; is this intentional?
The exclusion for mobile subdomains might be obsolete; see
https://blog.wikimedia.org/2012/01/07/engineering-december-2011-report/
Finally, please add toolserver.org and wiki.toolserver.org, if this
has not been done already (for an explanation of what these are used
for, see https://meta.wikimedia.org/wiki/Toolserver )

YouTube:
The rule for youtu.be should also handle www.youtu.be (which doesn't
seem to have a valid certificate, for what it's worth).
There exists "y2u.be" which works similarly to youtu.be, i.e.
y2u.be/EXAMPLE1234 redirects to www.youtube.com/watch?v=EXAMPLE1234.
It does not appear to be an official Google service. Its homepage is
not a redirector and contains informational material.
Should a comment be added to clarify that gdata.youtube.com is in the
GoogleAPIs ruleset rather than YouTube?

Again, I know you're busy so sorry for the inconvenience. Thank you
for all your hard work.

C. Liu
-------------- next part --------------
<ruleset name="UCSD">
<!-- Note from submitter: I do NOT have an official position in UCSD's information technology departments.
     I prefer not to give contact info here, but you may email https-everywhere-rules (AT) eff (DOT) org
     with questions or concerns; they should forward the message to me. -->
<!-- E-Check uses quikpayasp.com; TritonCash uses services.jsatech.com
     These domains belong in separate rulesets because they are not used solely by UCSD.
     Does uc.sumtotalsystems.com (ultimate destination of uclearning) belong here,
     or do other UCs use it too?
-->
<!-- TODOs:
   <target host="apol-recruit.ucsd.edu" />
   <target host="m.ucsd.edu" /> (mobile redirection script supports https because it is used on TritonLink)
   <target host="ogs-calendar.ucsd.edu" />
   <target host="students.ucsd.edu" /> (used for some embedded content on TritonLink; a rule for the entire _resources folder was tried and caused breakage)
   <target host="vcsaforms.ucsd.edu" /> (hit during TritonLink logout; is it sslstrip-vulnerable anywhere?)
   <target host="webct.ucsd.edu" /> (redirector; check behavior when logged in vs. out)
   <target host="webctweb.ucsd.edu" /> (superseded by ted)
   <target host="www-no.ucsd.edu" /> (Network Operations, used by ResNet registration etc. not sure if https enforced.
                                      www-ono.ucsd.edu seems to exist too - Old Network Operations?)
   <target host="www.ucsd.edu" /> (supports https for some embedded content on TritonLink)

     Apparently TritonLink used to be called StudentLink; this info is several years old and not worth worrying about.
     (See https://sites.google.com/site/ucsdecegsc/information-for-new-students/tips-for-new-students )

     Some research group websites have intentionally different content on http and https, with the latter for private group use.

     I haven't yet verified the (non-)existence of www subdomains for all cases.
-->
<!-- normally https only; protect against sslstripping -->
   <target host="a4.ucsd.edu" />
   <target host="acs-webmail.ucsd.edu" />
   <target host="altng.ucsd.edu" />
   <target host="aventeur.ucsd.edu" />
   <target host="cinfo.ucsd.edu" />
   <target host="facilities.ucsd.edu" />
   <target host="gradapply.ucsd.edu" />
   <target host="graduateapp.ucsd.edu" />
   <target host="myucsdchart.ucsd.edu" />
   <target host="sdacs.ucsd.edu" />
   <target host="shs.ucsd.edu" />
   <target host="ted.ucsd.edu" />
   <target host="ucsdbkst.ucsd.edu" />
<!-- supports https but doesn't enforce it on all pages

     CSE, ECE, Nanoengineering, and Structural Engineering depts share one server.
     Its SubjectAltName also mentions the following domains, but I've not written rules for them because they're for private use:
     oec-vmweb03.ucsd.edu, ece-internal.ucsd.edu, t (unqualified!) -->
   <target host="acms.ucsd.edu" />
   <target host="bookstore.ucsd.edu" />
   <target host="www.bookstore.ucsd.edu" />
   <target host="cs.ucsd.edu" />
   <target host="www.cs.ucsd.edu" />
   <target host="cse.ucsd.edu" />
   <target host="www.cse.ucsd.edu" />
   <target host="ece.ucsd.edu" />
   <target host="www.ece.ucsd.edu" />
   <target host="hdh.ucsd.edu" />
   <target host="www.hdh.ucsd.edu" />
   <target host="hds.ucsd.edu" />
   <target host="maeweb.ucsd.edu" /><!-- XXX: where is this used? part of Structural Engineering? more testing needed -->
   <target host="nanoengineering.ucsd.edu" />
   <target host="www.nanoengineering.ucsd.edu" />
   <target host="ne-web.ucsd.edu" />
   <target host="ne.ucsd.edu" />
   <target host="neweb.ucsd.edu" />
   <target host="roger.ucsd.edu" /><!-- normally enforces https only upon login -->
   <target host="www.roger.ucsd.edu" />
   <target host="se.ucsd.edu" />
   <target host="structures.ucsd.edu" />
   <target host="www.structures.ucsd.edu" />
   <target host="uxt.ucsd.edu" />
   <target host="www-cs.ucsd.edu" />
   <target host="www-cse.ucsd.edu" />
   <target host="www-ne.ucsd.edu" />
   <target host="www-structures.ucsd.edu" />
<!-- only some features known to support https; protect them against sslstripping (not Firesheep) -->
   <target host="act.ucsd.edu" />
   <target host="health.ucsd.edu" />
   <target host="libraries.ucsd.edu" />
   <target host="studenthealth.ucsd.edu" /><!-- Ask-A-Question enforces https, but unfortunately it is signed by ipsCA. See note below -->
   <target host="www-act.ucsd.edu" />
<!-- redirectors
     TODO: full Link Family list at http://blink.ucsd.edu/technology/help-desk/applications/link-family/list.html -->
   <target host="accesslink.ucsd.edu" />
   <target host="acs.ucsd.edu" />
   <target host="cri.ucsd.edu" />
   <target host="desktop.ucsd.edu" />
   <target host="financiallink.ucsd.edu" />
   <target host="www.hds.ucsd.edu" />
   <target host="iwdc.ucsd.edu" />
   <target host="marketplace.ucsd.edu" />
   <target host="mytritonlink.ucsd.edu" />
   <target host="www.mytritonlink.ucsd.edu" />
   <target host="resnet.ucsd.edu" />
   <target host="software.ucsd.edu" />
   <target host="sysstaff.ucsd.edu" />
   <target host="tritonlink.ucsd.edu" />
   <target host="www.tritonlink.ucsd.edu" />
   <target host="uclearning.ucsd.edu" />
   <target host="www-acs.ucsd.edu" />

<!-- Other things could stand to have securecookie, but these are the most important:
     a4 is used for login pages and some embedded scripts related to the login system. It doesn't yet flag its cookies as https-only.
     acs-webmail uses at least two cookies, only one of which is normally flagged https-only. -->
   <securecookie host="^(.+\.)?a(4|cs-webmail)\.ucsd\.edu$" name=".*" />

   <rule from="^http://a4\.ucsd\.edu/" to="https://a4.ucsd.edu/" />
   <rule from="^http://acs-webmail\.ucsd\.edu/" to="https://acs-webmail.ucsd.edu/" />
   <rule from="^http://altng\.ucsd\.edu/" to="https://altng.ucsd.edu/" />
   <rule from="^http://aventeur\.ucsd\.edu/" to="https://aventeur.ucsd.edu/" />
   <rule from="^http://cinfo\.ucsd\.edu/" to="https://cinfo.ucsd.edu/" />
   <rule from="^http://facilities\.ucsd\.edu/" to="https://facilities.ucsd.edu/" />
   <rule from="^http://gradapply\.ucsd\.edu/" to="https://gradapply.ucsd.edu/" />
   <rule from="^http://graduateapp\.ucsd\.edu/" to="https://graduateapp.ucsd.edu/" />
   <rule from="^http://myucsdchart\.ucsd\.edu/" to="https://myucsdchart.ucsd.edu/" />
   <rule from="^http://sdacs\.ucsd\.edu/" to="https://sdacs.ucsd.edu/" />
   <rule from="^http://shs\.ucsd\.edu/" to="https://shs.ucsd.edu/" />
   <rule from="^http://ted\.ucsd\.edu/" to="https://ted.ucsd.edu/" />
   <rule from="^http://ucsdbkst\.ucsd\.edu/" to="https://ucsdbkst.ucsd.edu/" />

   <rule from="^http://acms\.ucsd\.edu/" to="https://acms.ucsd.edu/" />
   <rule from="^http://(www\.)?bookstore\.ucsd\.edu/" to="https://bookstore.ucsd.edu/" />
   <rule from="^http://(www[-\.])?cs(e)?\.ucsd\.edu/" to="https://$1cs$2.ucsd.edu/" />
   <rule from="^http://(www\.)?ece\.ucsd\.edu(:16080)?/" to="https://$1ece.ucsd.edu/" />
   <rule from="^http://(www\.)?hdh\.ucsd\.edu/" to="https://$1hdh.ucsd.edu/" />
   <rule from="^http://(www\.)?hds\.ucsd\.edu/" to="https://hds.ucsd.edu/" />
   <rule from="^http://maeweb\.ucsd\.edu/" to="https://maeweb.ucsd.edu/" />
   <rule from="^http://(www\.)?(nanoengineering|structures)\.ucsd\.edu/" to="https://$1$2.ucsd.edu/" />
   <rule from="^http://ne(-?web)?\.ucsd\.edu/" to="https://ne$1.ucsd.edu/" />
   <rule from="^http://(www\.)?roger\.ucsd\.edu/" to="https://$1roger.ucsd.edu/" />
   <rule from="^http://se\.ucsd\.edu/" to="https://se.ucsd.edu/" />
   <rule from="^http://uxt\.ucsd\.edu/" to="https://uxt.ucsd.edu/" />
   <rule from="^http://www-ne\.ucsd\.edu/" to="https://www-ne.ucsd.edu/" />
   <rule from="^http://www-structures\.ucsd\.edu/" to="https://www-structures.ucsd.edu/" />

   <rule from="^http://health\.ucsd\.edu/request_appt/" 
           to="https://health.ucsd.edu/request_appt/" />
   <rule from="^http://libraries\.ucsd\.edu/digital/"
           to="https://libraries.ucsd.edu/digital/" />
<!-- Most of studenthealth.ucsd.edu does not enforce https.
     The Ask-A-Question feature, located in the folder /secure/askaquestion/, does enforce https, and it requires login (via a4 page).
     As of my last update, the cert was from ipsCA, so it will cause an error. It may be replaced with a valid cert in the future.
     This rule only protects against sslstripping. The cert error is NOT this rule's fault and would still occur without the rule. -->
   <rule from="^http://studenthealth\.ucsd\.edu/secure/" 
           to="https://studenthealth.ucsd.edu/secure/" />
<!-- Link Family is migrating from www-act to act. Redirection exists. Many student-accessible features have CamelCased names like studentDirectDeposit -->
   <rule from="^http://(www-)?act\.ucsd\.edu/(bsl/home|cgi-bin/[A-Za-z]+link\.pl|classPlanner|marketplace-sso|mytritonlink/view|myTritonlink20|student[A-Z][A-Za-z]+/[A-Za-z]+|travellink/home)" 
           to="https://$1act.ucsd.edu/$2" />

   <rule from="^http://accesslink\.ucsd\.edu/" 
           to="https://altng.ucsd.edu/" />
<!-- err on the side of not breaking things, hoping that no subpages are used -->
   <rule from="^http://financiallink\.ucsd\.edu/?$"
           to="https://www-act.ucsd.edu/cgi-bin/financiallink.pl" />
   <rule from="^http://marketplace\.ucsd\.edu/?$"
           to="https://www-act.ucsd.edu/marketplace-sso/signon" />
   <rule from="^http://(www\.)?(my)?tritonlink\.ucsd\.edu/?$" 
           to="https://www-act.ucsd.edu/myTritonlink20/display.htm" />
   <rule from="^http://uclearning\.ucsd\.edu/" 
           to="https://a4.ucsd.edu/lms/" />
<!-- redirects to acms go below -->
<!-- cri ultimately redirects to the ACMS homepage because the CRI dept was closed, although this rule is correct for the initial bounce. That isn't our problem.
     NB: These have subpages. resnet has been tested fairly well, except the conference guest registration (resnet.ucsd.edu/conf), which might not exist anymore, but software and maybe iwdc need more testing. -->
   <rule from="^http://(cri|desktop|iwdc|resnet|software|sysstaff)\.ucsd\.edu/" 
           to="https://acms.ucsd.edu/units/$1/" />
   <rule from="^http://(www-)?acs\.ucsd\.edu/troublereport/?$"
           to="https://acms.ucsd.edu/troublereport/" />
   <rule from="^http://www-acs\.ucsd\.edu/?$" 
           to="https://acms.ucsd.edu/index.shtml" />
   <rule from="^http://www-acs\.ucsd\.edu/account-tools/oce-intro\.shtml$" 
           to="https://acms.ucsd.edu/students/oce-intro.shtml" />
   <rule from="^http://www-acs\.ucsd\.edu/instructional/?$" 
           to="https://acms.ucsd.edu/students/" />
</ruleset>
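Two of the defects this message reports, unescaped periods in exclusion patterns (CCC, Wikipedia) and rules that silently leave a listed target untouched, can be caught before a ruleset ships. The checker below is an added example written for this page; it is not EFF's ruleset code. It parses a constructed excerpt (three rules copied from the attached UCSD ruleset, a constructed `ccc.de` rule, a `cinfo.ucsd.edu` target whose rule is deliberately omitted, and an exclusion carrying the unescaped first dot reported for `blog.chaosradio.ccc.de`), translates the extension's `$1` back-references to Python's `\1`, dry-runs URLs through what is assumed here to be the extension's evaluation order (an exclusion match leaves the URL alone, otherwise the first matching rule rewrites it), and reports bare dots and uncovered targets. The function and option names (`load`, `rewrite`, `lint`, `fix_dots`) are this example's own.

```python
"""Lint and dry-run an HTTPS Everywhere style ruleset (added example, not EFF code)."""
import re
import xml.etree.ElementTree as ET

# Constructed excerpt: three rules copied from the attached UCSD ruleset, a constructed
# ccc.de rule, one target (cinfo) whose rule was left out on purpose, and an exclusion
# with the unescaped first dot the message reports for blog.chaosradio.ccc.de.
RULESET_XML = r"""<ruleset name="Lint-demo">
   <target host="a4.ucsd.edu" />
   <target host="cinfo.ucsd.edu" />
   <target host="www.cse.ucsd.edu" />
   <target host="tritonlink.ucsd.edu" />
   <target host="*.ccc.de" />
   <exclusion pattern="^http://blog.chaosradio\.ccc\.de/" />
   <securecookie host="^(.+\.)?a(4|cs-webmail)\.ucsd\.edu$" name=".*" />
   <rule from="^http://a4\.ucsd\.edu/" to="https://a4.ucsd.edu/" />
   <rule from="^http://(www[-\.])?cs(e)?\.ucsd\.edu/" to="https://$1cs$2.ucsd.edu/" />
   <rule from="^http://(www\.)?(my)?tritonlink\.ucsd\.edu/?$"
           to="https://www-act.ucsd.edu/myTritonlink20/display.htm" />
   <rule from="^http://([\w.-]+\.)?ccc\.de/" to="https://$1ccc.de/" />
</ruleset>"""


def _js_to_py(to):
    """Translate the $1-style back-references used in 'to' attributes to Python's \\1."""
    return re.sub(r"\$(\d+)", r"\\\1", to)


def unescaped_dots(pattern):
    """Positions of '.' that are neither backslash-escaped nor inside a [...] class.
    Such a dot matches any character, so the pattern is broader than intended."""
    hits, in_class, i = [], False, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2  # skip the escaped character
            continue
        if c == "[":
            in_class = True
        elif c == "]":
            in_class = False
        elif c == "." and not in_class:
            hits.append(i)
        i += 1
    return hits


def escape_bare_dots(pattern):
    """Return the pattern with every bare dot escaped as '\\.'."""
    out, last = [], 0
    for pos in unescaped_dots(pattern):
        out.append(pattern[last:pos] + "\\.")
        last = pos + 1
    return "".join(out) + pattern[last:]


def load(xml_text, fix_dots=False):
    """Parse a ruleset; with fix_dots=True, bare dots in exclusions and rules are escaped first."""
    root = ET.fromstring(xml_text)
    fix = escape_bare_dots if fix_dots else (lambda p: p)
    excl = [fix(e.get("pattern")) for e in root.iter("exclusion")]
    rules = [(fix(r.get("from")), r.get("to")) for r in root.iter("rule")]
    return {
        "targets": [t.get("host") for t in root.iter("target")],
        "exclusions": [re.compile(p) for p in excl],
        "rules": [(re.compile(f), _js_to_py(t)) for f, t in rules],
        "securecookies": [(re.compile(s.get("host")), re.compile(s.get("name")))
                          for s in root.iter("securecookie")],
        "raw_patterns": [("exclusion", p) for p in excl] + [("rule", f) for f, _ in rules],
    }


def rewrite(rs, url):
    """Assumed extension semantics: an exclusion match leaves the URL alone;
    otherwise the first matching rule rewrites it; no match returns it unchanged."""
    if any(e.search(url) for e in rs["exclusions"]):
        return url
    for frm, to in rs["rules"]:
        if frm.search(url):
            return frm.sub(to, url, count=1)
    return url


def lint(rs):
    """Report bare dots in exclusion/rule patterns and non-wildcard targets no rule rewrites."""
    dots = [(kind, p) for kind, p in rs["raw_patterns"] if unescaped_dots(p)]
    uncovered = [h for h in rs["targets"]
                 if "*" not in h and rewrite(rs, "http://%s/" % h) == "http://%s/" % h]
    return {"unescaped_dots": dots, "uncovered_targets": uncovered}


def securecookie_applies(rs, host, name):
    """True if some securecookie directive would flag this cookie as secure."""
    return any(h.search(host) and n.search(name) for h, n in rs["securecookies"])


if __name__ == "__main__":
    report = lint(load(RULESET_XML))
    for kind, pattern in report["unescaped_dots"]:
        print("bare dot in %s pattern: %s" % (kind, pattern))
    for host in report["uncovered_targets"]:
        print("target without a matching rule: %s" % host)
```

Running the linter on the excerpt flags the exclusion and `cinfo.ucsd.edu`; reloading with `fix_dots=True` shows the practical difference the escaping makes, since the broadened exclusion also swallowed hosts such as `blog-chaosradio.ccc.de` that the `ccc.de` rule should have rewritten.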