[HTTPS-E Rulesets] Suggestions for new rulesets - Cheezburger Network, JSA Technologies, MathJax, NCBI, NCJRS, WorldCat

Christopher Liu cmliu00151 at gmail.com
Wed May 23 22:31:05 PDT 2012


To whom it may concern:

This time I have made a better effort to look through the Git repository.
These are all trivial rewrites (that is, from http://example.com/ to
https://example.com/) unless otherwise explicitly stated.
Where the domain name begins with www, the cert claims validity with
and without www unless I have stated otherwise.

Cheezburger Network (partial) - i.chzbgr.com s.chzbgr.com t.chzbgr.com
(Testing note: Do not browse directly to the homepages of said
domains. The "old-style" Cheezburger Network sites are
icanhascheezburger.com, failblog.org, memebase.com, thedailywh.at and
subdomains thereof. The "new-style" sites are cheezburger.com
subdomains, e.g. thedailywhat.cheezburger.com . You may be redirected
from one to the other, because cookies are used to store the
old-vs-new preference. In such an event, click on "Try the new
Cheezburger" or "Back to the old Cheezburger" to get to the intended
site.)
i.chzbgr.com is used for article images on the new sites and some
thumbnails on the old sites. s.chzbgr.com is used for font/CSS/JS
files as well as static images within the site layouts. t.chzbgr.com
is used for user avatars (best seen on one of the more-heavily-used
subsites, such as lolcats.icanhascheezburger.com or
bronies.memebase.com).

JSA Technologies - www.jsatech.com services.jsatech.com (cert doesn't
match jsatech.com without the www)
This company runs dining-money cards for several universities. The www
domain is the corporate site, and the services domain is for
student-accessible features. The latter is obviously meant to be
accessed in https, but the login pages did not actually enforce https
the last time I checked. (To be fair, the form's action explicitly
specifies https, but we all know that's worthless because of
sslstrip.)
The login pages are, for example,
https://services.jsatech.com/index.php?cid=212 for UCSD and
https://services.jsatech.com/index.php?cid=76 for SUNY.

MathJax - (FROM) cdn.mathjax.org (TO) c328740.ssl.cf1.rackcdn.com
The unencrypted bucket is at c328740.r40.cf1.rackcdn.com , which
should probably be added to the Rackspace ruleset.
I obtained this information from
http://www.mathjax.org/2012/05/07/news/upcoming-changes-to-the-cdn/
For examples of pages that load MathJax from the CDN, see
http://www.scholarpedia.org/article/Microwave_ionization_of_hydrogen_atoms
and http://tauday.com/tau-manifesto

National Center for Biotechnology Information - www.ncbi.nlm.nih.gov

National Criminal Justice Reference Service - www.ncjrs.gov

WorldCat - www.worldcat.org (certificate doesn't match domain without www)

Thank you very much for your help.
Expect two more emails from me soon - one for tweaks to existing
rulesets, and one about minor stylistic/commenting issues.

C. Liu
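
The rewrites proposed in the message above, modelled as an added example (not code from the original message, and not the HTTPS Everywhere extension's own code or shipped rulesets). The helper names `trivial`, `rulesets` and `rewrite` are hypothetical and the sample URLs are constructed; the hosts come from the message. Because the rewrite is applied to the URL before any request is sent, the plain-http login page discussed under JSA Technologies is never fetched.

```javascript
// Simplified model of HTTPS Everywhere-style rules: a ruleset lists target
// hosts and from/to regex rules. Hypothetical helper names; not the
// extension's code and not the rulesets that were eventually shipped.
const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// "Trivial" rewrite: same host, http -> https, path and query preserved.
const trivial = (name, hosts) => ({
  name,
  targets: hosts,
  rules: hosts.map((h) => ({
    from: new RegExp("^http://" + esc(h) + "/"),
    to: "https://" + h + "/",
  })),
});

const rulesets = [
  trivial("Cheezburger Network (partial)",
          ["i.chzbgr.com", "s.chzbgr.com", "t.chzbgr.com"]),
  // Bare jsatech.com / worldcat.org are deliberately not targets: the
  // message says the certificates do not match without the www.
  trivial("JSA Technologies", ["www.jsatech.com", "services.jsatech.com"]),
  trivial("NCBI", ["www.ncbi.nlm.nih.gov"]),
  trivial("NCJRS", ["www.ncjrs.gov"]),
  trivial("WorldCat", ["www.worldcat.org"]),
  // Non-trivial: the CDN name is rewritten to a different host.
  { name: "MathJax",
    targets: ["cdn.mathjax.org"],
    rules: [{ from: /^http:\/\/cdn\.mathjax\.org\//,
              to: "https://c328740.ssl.cf1.rackcdn.com/" }] },
];

// Returns the rewritten URL, or the input unchanged if no rule applies.
function rewrite(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return url; }
  const href = parsed.href; // scheme and host normalised to lower case
  for (const rs of rulesets) {
    if (!rs.targets.includes(parsed.hostname)) continue;
    for (const r of rs.rules) {
      if (r.from.test(href)) return href.replace(r.from, r.to);
    }
  }
  return url;
}

// Constructed sample URLs.
for (const u of ["http://services.jsatech.com/index.php?cid=212",
                 "http://jsatech.com/",
                 "http://cdn.mathjax.org/mathjax/latest/MathJax.js"]) {
  console.log(u, "->", rewrite(u));
}
```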



