[HTTPS-E Rulesets] More enhancements - Fanboy, Malwarebytes, phpBB, Pinterest, VistaX64; also defects - CacheFly, Cleverbridge, News Corp.

Christopher Liu cmliu00151 at gmail.com
Fri Sep 7 22:14:09 PDT 2012


To whom it may concern:
Continuing on - this message focuses on enhancements.

Fanboy: forums.fanboy.co.nz now appears to work in https; also hg.fanboy.co.nz
The reason is that Fanboy is using CloudFlare to do the SSL
termination for his sites, and these are covered by a wildcard entry
in the cert. (Note: status.fanboy.co.nz does _not_ work because it is
hosted by Pingdom)

Malwarebytes: On the www.malwarebytes.org homepage under the "Follow
Us" column, there are links to redirectors at
facebook.malwarebytes.org and twitter.malwarebytes.org .
We may as well rewrite these to their intended targets
https://www.facebook.com/Malwarebytes and
https://twitter.com/Malwarebytes respectively.

phpBB: This can be enabled because it now has a valid cert. Other
subdomains to add include area51, bamboo, blog, and wiki.
All these currently enforce https, but only via redirection and not HSTS.

Pinterest: There are some new CDN domains in use that support https,
which may eliminate the need to rewrite to S3. They can currently be
seen on the https://pinterest.com homepage.
passets-cdn has an equivalent at s-passets-ec.pinimg.com
The media-cache family now includes s-media-cache-ec0.pinimg.com (and
all other digits up to 9).
Note "pinimg" in these domains - should the securecookie be expanded
accordingly?
There are also unencrypted domains such as
media-cache-ec0.pinterest.com and media-cache-lt0.pinterest.com (and
other digits); ensure that these are handled.
Attached is a suggestion for how to do this - as usual, feel free to
reword the comments.

VistaX64 (Vista Forums): Rename to Designer Media
The other forums owned by Designer Media also support https, that is
www.sevenforums.com and www.eightforums.com
They use a CDN via sevenforumscdn.com / eightforumscdn.com and
subdomains thereof; those can be rewritten to www.sevenforums.com /
www.eightforums.com respectively. (The 2-level domain
eightforumscdn.com exists and is used; haven't seen similar for
sevenforumscdn, but that should be handled too. The subdomains have
names like css, cssimg, icons, images, js - should probably be in a
wildcard rule)

--
Defects that I didn't manage to write up in my last email:

CacheFly: The ruleset in its current state breaks the "Take the Speed
Test" feature on the www.cachefly.com homepage (it shows a message
about the license being invalid or expired).
The exclusion ^http://(\d\.)?cachefly\.cachefly\.net/(speedtest/|.+\.test)
fixes this, but I'm not sure whether it's necessary to match numbered
subdomains nor the static .test files; the Flash object doesn't seem
to make requests for these.
Also, to make the ruleset match numbered subdomains as intended,
targets should be added of the form 0.*.cachefly.net,
1.*.cachefly.net...

Cleverbridge: This breaks the CAPTCHA images that MajorGeeks
(majorgeeks.com) uses for its mailing-list signup forms. Start
downloading any file (it is ok to cancel the actual download) and look
for said form at the bottom of the page that notifies you that the
download has started.
The needed exclusion is
^http://message\.cleverbridge\.com/bin/icon_generator\?key=captcha-key$

News Corporation: A large majority of the images and stylesheets on
http://blogs.wsj.com/law/2011/12/07/no-fire-fee-let-your-house-burn/
are broken.
I did just download a copy of the ruleset from the repository; the
recent fixes don't seem to have helped.


Again, thank you for your time and help.

C. Liu
-------------- next part --------------
<!--	Yo Dawg:
		a248.e.akamai.net/media.pinterest.com.s3.amazonaws.com/
		a248.e.akamai.net/passets.pinterest.com.s3.amazonaws.com/ | d3io1k5o0zdpqr.cloudfront.net
	Is the CloudFront bucket used anymore?

	CNAME records:
	          media-cache(\d).pinterest.com = media-cache$1.pinterest.com.edgesuite.net
	         media-cache-ec\d.pinterest.com = cs302.wac.edgecastcdn.net
	         media-cache-lt\d.pinterest.com = cdn.pinterest.com.c.footprint.net
	              passets-cdn.pinterest.com = media-cdn.pinterest.com.edgesuite.net
	s-(media-cache|passets)-ec\d.pinimg.com = cs89.wac.edgecastcdn.net
-->
<ruleset name="Pinterest">

	<target host="pinterest.com"/>
	<target host="*.pinterest.com"/>
	<target host="*.pinimg.com"/>

	<securecookie host="^(.*\.)?pin(img|terest)\.com$" name=".*"/>

	<rule from="^http://(assets\.|www\.)?pinterest\.com/"
		to="https://$1pinterest.com/"/>

	<!-- just to protect against sslstripping -->
	<rule from="^http://s-(media-cache|passets)-ec(\d)?\.pinimg\.com/"
		to="https://s-$1-ec$2.pinimg.com/"/>

	<!-- All of 0-9 exist in s-media-cache-ec and all are equivalent -->
	<rule from="^http://media-cache(?:-[a-z]{2})?\.pinterest\.com/"
		to="https://s-media-cache-ec0.pinimg.com/"/>
	<rule from="^http://media-cache(?:-[a-z]{2})?(\d)\.pinterest\.com/"
		to="https://s-media-cache-ec$1.pinimg.com/"/>

	<rule from="^http://passets-cdn\.pinterest\.com/"
		to="https://s-passets-ec.pinimg.com/"/>

</ruleset>
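The attached Pinterest ruleset and the CacheFly exclusion discussed in the message can be checked offline with a small evaluator. The following is an added example, not HTTPS Everywhere's own rule engine: it parses rulesets built from the same elements (target, exclusion, rule, securecookie), applies them to sample URLs and reports which ruleset fired. The CacheFly ruleset embedded in it is constructed around the exclusion quoted in the message; its target list and its single rule are assumptions, not the repository's ruleset. A `*` in a target is assumed to match exactly one DNS label, which is the behaviour the CacheFly note implies when it asks for extra `0.*.cachefly.net` targets.

```python
"""Tiny evaluator for HTTPS Everywhere-style rulesets: <target> picks the
rulesets consulted for a host, <exclusion> vetoes a rewrite, the first matching
<rule> rewrites the URL, and <securecookie> marks which cookies should carry the
Secure flag. Added example; not the extension's own engine."""
import re
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Constructed sample input: the Pinterest ruleset attached to the message, plus a
# minimal CacheFly ruleset built around the exclusion the message proposes (the
# real CacheFly ruleset is not reproduced; its targets and <rule> are made up).
RULESETS_XML = r"""<rulesets>
<ruleset name="Pinterest">
  <target host="pinterest.com"/>
  <target host="*.pinterest.com"/>
  <target host="*.pinimg.com"/>
  <securecookie host="^(.*\.)?pin(img|terest)\.com$" name=".*"/>
  <rule from="^http://(assets\.|www\.)?pinterest\.com/" to="https://$1pinterest.com/"/>
  <rule from="^http://s-(media-cache|passets)-ec(\d)?\.pinimg\.com/" to="https://s-$1-ec$2.pinimg.com/"/>
  <rule from="^http://media-cache(?:-[a-z]{2})?\.pinterest\.com/" to="https://s-media-cache-ec0.pinimg.com/"/>
  <rule from="^http://media-cache(?:-[a-z]{2})?(\d)\.pinterest\.com/" to="https://s-media-cache-ec$1.pinimg.com/"/>
  <rule from="^http://passets-cdn\.pinterest\.com/" to="https://s-passets-ec.pinimg.com/"/>
</ruleset>
<ruleset name="CacheFly (constructed)">
  <target host="*.cachefly.net"/>
  <target host="0.*.cachefly.net"/>
  <target host="1.*.cachefly.net"/>
  <exclusion pattern="^http://(\d\.)?cachefly\.cachefly\.net/(speedtest/|.+\.test)"/>
  <rule from="^http://(\d\.)?([\w-]+)\.cachefly\.net/" to="https://$1$2.cachefly.net/"/>
</ruleset>
</rulesets>"""


def target_to_regex(host):
    # Assumption: '*' stands for exactly one DNS label, which is what the
    # message's CacheFly note implies (hence the extra 0.*.cachefly.net targets).
    return re.compile("^" + re.escape(host).replace(r"\*", "[^.]+") + "$")


def js_template_to_python(to):
    # Rulesets write back-references as $1, $2; Python's re.expand wants \1, \2.
    return re.sub(r"\$(\d+)", r"\\\1", to)


class Ruleset:
    def __init__(self, el):
        self.name = el.get("name")
        self.targets = [target_to_regex(t.get("host")) for t in el.findall("target")]
        self.exclusions = [re.compile(x.get("pattern")) for x in el.findall("exclusion")]
        self.rules = [(re.compile(r.get("from")), js_template_to_python(r.get("to")))
                      for r in el.findall("rule")]
        self.securecookies = [(re.compile(s.get("host")), re.compile(s.get("name")))
                              for s in el.findall("securecookie")]

    def applies_to(self, host):
        return any(t.match(host) for t in self.targets)


def load_rulesets(xml_text):
    return [Ruleset(el) for el in ET.fromstring(xml_text).findall("ruleset")]


RULESETS = load_rulesets(RULESETS_XML)


def rewrite(url, rulesets=RULESETS):
    """Return (rewritten_url, ruleset_name); the name is None when nothing fired."""
    host = urlsplit(url).hostname or ""
    for rs in rulesets:
        if not rs.applies_to(host):
            continue
        # An exclusion only silences this ruleset; a later ruleset may still apply.
        if any(x.search(url) for x in rs.exclusions):
            continue
        for pattern, to in rs.rules:
            m = pattern.search(url)
            if m:
                # Like String.replace in the extension: substitute the first match only.
                # Unmatched optional groups (e.g. $2 above) expand to the empty string.
                return url[:m.start()] + m.expand(to) + url[m.end():], rs.name
    return url, None


def should_secure_cookie(cookie_domain, cookie_name, rulesets=RULESETS):
    """True when a ruleset whose targets cover the cookie's host also has a
    <securecookie> whose host and name patterns match the cookie."""
    host = cookie_domain.lstrip(".")
    return any(rs.applies_to(host) and h.search(cookie_domain) and n.search(cookie_name)
               for rs in rulesets for h, n in rs.securecookies)


if __name__ == "__main__":
    for u in ["http://www.pinterest.com/", "http://media-cache-lt3.pinterest.com/y.png",
              "http://0.cachefly.cachefly.net/speedtest/file",
              "http://0.cachefly.cachefly.net/image.png"]:
        print(u, "->", rewrite(u))
```

Feeding the speed-test URL through `rewrite` shows the exclusion leaving it on plain http while an ordinary asset on the same host is upgraded, which is the trade-off an exclusion encodes: the one feature that breaks under https stays unprotected so the rest of the site can be rewritten. The securecookie check also shows that the attached `^(.*\.)?pin(img|terest)\.com$` pattern already covers cookies set by the new pinimg.com CDN hosts, but only where a target covers the cookie's host; under the one-label wildcard used here a cookie scoped to bare `.pinimg.com` is not matched by `*.pinimg.com`.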

