[HTTPS-E Rulesets] OpenDNS: cdn-blog.opendns.com needs fix

Christopher Liu cmliu00151 at gmail.com
Sun Jun 16 16:30:40 PDT 2013


Brian (et al),

To be clear: The exclusion is correct, but only because we need a
separate "OpenDNS (mixed content)" ruleset to cover the blog.

The _main_ OpenDNS ruleset should contain a rule to rewrite
cdn-blog.opendns.com to the corresponding CloudFront bucket, placed
before the rule that deals with arbitrary *.opendns.com subdomains so
that rule doesn't mishandle it. With such a rule present, the "mixed
content" warnings would be largely an artifact of the current Firefox
(https://bugzilla.mozilla.org/show_bug.cgi?id=878890 ) and Chrome
(https://code.google.com/p/chromium/issues/detail?id=122548 )
implementations.

I found the CloudFront bucket (d1c21ex135qvy3.cloudfront.net) by
examining DNS CNAME records, as is generally possible.

C.Liu

On Wed, Jun 12, 2013 at 4:00 PM, Brian Carpenter
<brian.carpenter at gmail.com> wrote:
> I've added an exclusion rule for blog.opendns.com:
>
> https://github.com/geeknik/https-everywhere/commit/c28ecaea4b766ece516e97c906436304e48cf7dd
>
>
> On Wed, Jun 12, 2013 at 5:43 PM, Christopher Liu <cmliu00151 at gmail.com>
> wrote:
>>
>> To whom it may concern:
>>
>> Within the last few days, the OpenDNS blog (blog.opendns.com) started
>> using cdn-blog.opendns.com for most images/scripts/stylesheets.
>>
>> It currently hits the blanket rule for *.opendns.com subdomains,
>> causing a cert mismatch. It should be rewritten to the bucket,
>> d1c21ex135qvy3.cloudfront.net
>>
>> It is probably necessary to move coverage of blog.opendns.com to a
>> separate ruleset with platform="mixedcontent".
>>
>> Thank you for your time and help
>> C. Liu
>>
>
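The rule ordering described in the message above, as an added example that is not part of the original e-mail or of the HTTPS Everywhere code base: a small JavaScript model of ruleset evaluation in which exclusions are checked first and the first matching rule wins. The regex patterns, the sample URLs and the names `applyRuleset` and `demo` are constructed for illustration and are not copied from the real OpenDNS ruleset.

```javascript
// Minimal model of how a ruleset is evaluated: exclusions are checked
// first, then rules in document order, and the first rule whose "from"
// pattern matches produces the rewrite.
// All patterns below are constructed; they are not the real ruleset's.

function applyRuleset(ruleset, url) {
  for (const ex of ruleset.exclusions) {
    if (ex.test(url)) return null;            // excluded: left untouched
  }
  for (const rule of ruleset.rules) {
    if (rule.from.test(url)) {
      return url.replace(rule.from, rule.to); // first match wins
    }
  }
  return null;                                // no rule applies
}

// Specific rule: send the CDN hostname to the CloudFront bucket named in the thread.
const cdnRule = {
  from: /^http:\/\/cdn-blog\.opendns\.com\//,
  to: "https://d1c21ex135qvy3.cloudfront.net/",
};
// Blanket rule for arbitrary subdomains (constructed pattern).
const wildcardRule = {
  from: /^http:\/\/([^\/:@.]+)\.opendns\.com\//,
  to: "https://$1.opendns.com/",
};
// Exclusion keeping the blog out of the main ruleset (constructed pattern).
const blogExclusion = /^http:\/\/blog\.opendns\.com\//;

const wildcardFirst = { exclusions: [blogExclusion], rules: [wildcardRule, cdnRule] };
const specificFirst = { exclusions: [blogExclusion], rules: [cdnRule, wildcardRule] };

function demo() {
  const asset = "http://cdn-blog.opendns.com/wp-content/style.css"; // constructed URL
  return {
    // Blanket rule listed first: the asset stays on a hostname with a mismatched cert.
    wildcardFirst: applyRuleset(wildcardFirst, asset),
    // Specific rule listed first: the asset is served from the bucket.
    specificFirst: applyRuleset(specificFirst, asset),
    blogPage: applyRuleset(specificFirst, "http://blog.opendns.com/"),
    otherHost: applyRuleset(specificFirst, "http://www.opendns.com/about/"),
  };
}

console.log(demo());
```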




More information about the HTTPS-Everywhere-Rules mailing list