[HTTPS-E Rulesets] arlanda.se

Drake, Brian brian at drakefamily.tk
Mon Jan 13 01:56:38 PST 2014


There’s nothing wrong with the first two points, as has been covered in the
previous messages in this thread.

The third point is wrong, and it’s really important to understand why.
People (especially uninformed people) usually seem to be focused on
encryption – stopping attackers from reading the data. But it’s also
important to stop attackers from changing the data.

If your computer sends out a request for http://(www\.)?arlanda.se/, an
attacker could send a response redirecting you to
https://some.evil.website.impersonating.arlanda.se.evil.se/, and many
people would think “It’s HTTPS; it must be safe” (sometimes it’s not so
obvious that the address is dodgy). But if everything (both arlanda.se and
swedavia.se) was covered by HTTPS Everywhere, your computer would never
send out any HTTP requests, and you would be safe from this type of attack.

This is covered in the HTTPS Everywhere FAQ under “Q. Why does HTTPS
Everywhere include rules for sites like PayPal that already require HTTPS
on all their pages?”.

Therefore, we should keep the EXISTING rules for arlanda.se AND add the NEW
rule that you keep asking for.

--
Brian Drake

All content created by me:
Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>©
2014 Brian Drake. All rights reserved.

On Mon, Jan 13, 2014 at 0927 [WST (UTC+8)], Joakim Walldén <joakim.wallden at gmail.com> wrote:

> Here is how I see it (without having any experience in creating rules).
>
>    - The current rule (
>    https://www.eff.org/https-everywhere/atlas/domains/arlanda.se.html)
>    leads to a mismatch (see
>    https://www.ssllabs.com/ssltest/analyze.html?d=arlanda.se) and must be
>    removed or changed.
>    - A new rule/ruleset for http://www.swedavia.se to
>    https://www.swedavia.se is missing and therefore suggested.
>    - I don’t see that a rule http://(www\.)?arlanda\.se/" to="
>    https://www.swedavia.se/arlanda adds anything today, since the site
>    performs the redirect from alranda.se to swedavia.se/arlanda, and the
>    suggested new rule(set) for swedavia.se performs the redirect from
>    http to https. And as already mentioned, if in the future arlanda.se is
>    used differently, the rule will have to be changed.
>
> But what’s important now is that the current problem is fixed.
>
> Thanks and regards,
> Joakim
>
>
> 2014/1/13 (UTC) Drake, Brian <brian at drakefamily.tk>
>
>> In my first reply, I only addressed the first part of your first message,
>> about the rules already present in the Arlanda.se ruleset. You suggested
>> removing those rules. Instead, I suggested combining them into one rule and
>> modifying them to use the new domain.
>>
>> It’s true that they might change the way arlanda.se works, which would
>> create a problem with that rule. If the rules were not combined into one,
>> the same problem could arise. It’s no reason to remove the rule(s) either,
>> because the very nature of this software means that we face the same risk
>> with all rules.*
>>
>> In both your messages, you also suggested adding a new rule to redirect
>> http://www.swedavia.se to https://www.swedavia.se. That would have to be
>> in a separate rule, and perhaps it should even be in a separate ruleset
>> (that would allow either ruleset to be disabled by the user without
>> affecting the other one). I don’t have a problem with this suggestion, but
>> I can’t do anything about it either, so I didn’t mention it before.
>>
>> * I’m just stating my opinion, and as far as I know, it’s the basis on
>> which other rules are included in the software. Feel free to correct me if
>> I’m wrong.
>>
>> --
>> Brian Drake
>>
>> All content created by me: Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>© 2014 Brian Drake. All rights reserved.
>>
>> On Mon, Jan 13, 2014 at 0742 [WST (UTC+8)], Joakim Walldén <joakim.wallden at gmail.com> wrote:
>>
>>> The combined rule would lead to a problem if they stop using arlanda.se
>>> for redirecting to swedavia.se, which might happen. And a separate rule for
>>> http://www.swedavia.se to https://www.swedavia.se is still useful.
>>>
>>> Thanks and regards,
>>> Joakim
>>>
>>>
>>> 2014/1/13 (UTC) Drake, Brian <brian at drakefamily.tk>
>>>
>>>> Why remove the rule? Why not just change it to redirect to
>>>> www.swedavia.se, like this:
>>>>
>>>> <rule from="^http://(www\.)?arlanda\.se/" to="https://www.swedavia.se/arlanda/" />
>>>>
>>>> (notice how I combined the two rules into one; this pattern is already
>>>> used in other rulesets)
>>>>
>>>> --
>>>> Brian Drake
>>>>
>>>> All content created by me: Copyright<http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html>© 2014 Brian Drake. All rights reserved.
>>>>
>>>> On Fri, Jan 10, 2014 at 1713 (UTC), Joakim Walldén <joakim.wallden at gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> The rule for arlanda.se <http://www.arlanda.se/> (
>>>>> https://www.eff.org/https-everywhere/atlas/domains/arlanda.se.html)
>>>>> should be removed, since the domain redirects to www.swedavia.se,
>>>>> causing an error.
>>>>>
>>>>> Instead, a rule for http://www.swedavia.se > https://www.swedavia.se can
>>>>> be added.
>>>>>
>>>>> Thanks and regards,
>>>>> Joakim
>>>>>
>>>>
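The rewriting HTTPS Everywhere does, and why a client-side rule still matters even when the server already redirects, as an added Python illustration that is not EFF's code and not part of this thread. It assumes the extension's ruleset semantics (target host match, exclusions checked first, first matching rule wins, `$1` backreferences in the `to` attribute) and uses constructed rulesets: the combined Arlanda.se rule Brian proposed, a Swedavia.se ruleset in the form Joakim suggested, and an Example.com ruleset to show the backreference idiom. `plaintext_requests` lists the URLs that would still leave the browser over http:// when a ruleset is missing or disabled, which is exactly the exposure window the thread argues about.

```python
"""Toy HTTPS Everywhere-style rewriter: rulesets in the extension's XML
format, applied client-side before any plaintext request leaves."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed rulesets (assumption: not the ones shipped by EFF). The
# Arlanda.se rule is the combined rule proposed in the thread; the
# Swedavia.se ruleset is the separate one Joakim asked for; Example.com
# shows the usual $1 backreference idiom plus an exclusion.
RULESETS_XML = r"""
<rulesets>
  <ruleset name="Arlanda.se">
    <target host="arlanda.se" />
    <target host="www.arlanda.se" />
    <rule from="^http://(www\.)?arlanda\.se/" to="https://www.swedavia.se/arlanda/" />
  </ruleset>
  <ruleset name="Swedavia.se">
    <target host="www.swedavia.se" />
    <rule from="^http://www\.swedavia\.se/" to="https://www.swedavia.se/" />
  </ruleset>
  <ruleset name="Example.com">
    <target host="example.com" />
    <target host="www.example.com" />
    <exclusion pattern="^http://www\.example\.com/legacy/" />
    <rule from="^http://(www\.)?example\.com/" to="https://$1example.com/" />
  </ruleset>
</rulesets>
"""


class Rule:
    """One <rule from=... to=...>; HTTPS Everywhere's $1 becomes Python's \\1."""

    def __init__(self, frm, to):
        self.pattern = re.compile(frm)
        self.replacement = re.sub(r"\$(\d+)", r"\\\1", to)

    def apply(self, url):
        new_url, n = self.pattern.subn(self.replacement, url, count=1)
        return new_url if n else None


class Ruleset:
    """A named group of targets, exclusions and rules; first matching rule wins."""

    def __init__(self, elem):
        self.name = elem.get("name")
        self.enabled = elem.get("default_off") is None
        self.targets = [t.get("host") for t in elem.findall("target")]
        self.exclusions = [re.compile(e.get("pattern")) for e in elem.findall("exclusion")]
        self.rules = [Rule(r.get("from"), r.get("to")) for r in elem.findall("rule")]

    def covers_host(self, host):
        # A leading "*." target matches any subdomain, as in HTTPS Everywhere.
        return any(host.endswith(t[1:]) if t.startswith("*.") else host == t
                   for t in self.targets)

    def rewrite(self, url):
        if any(e.search(url) for e in self.exclusions):
            return None
        for rule in self.rules:
            out = rule.apply(url)
            if out is not None:
                return out
        return None


def load_rulesets(xml_text):
    return [Ruleset(e) for e in ET.fromstring(xml_text).findall("ruleset")]


def rewrite_url(url, rulesets, disabled=frozenset()):
    """HTTPS URL produced by the first applicable enabled ruleset, else None."""
    host = urlparse(url).hostname or ""
    for rs in rulesets:
        if rs.name in disabled or not rs.enabled or not rs.covers_host(host):
            continue
        out = rs.rewrite(url)
        if out is not None:
            return out
    return None


def plaintext_requests(urls, rulesets, disabled=frozenset()):
    """URLs the browser would still send over http:// (the window in which
    an on-path attacker can alter the response, e.g. inject a redirect)."""
    exposed = []
    for url in urls:
        final = rewrite_url(url, rulesets, disabled) or url
        if urlparse(final).scheme == "http":
            exposed.append(url)
    return exposed


RULESETS = load_rulesets(RULESETS_XML)

if __name__ == "__main__":
    visits = ["http://arlanda.se/", "http://www.swedavia.se/arlanda/"]
    print("both rulesets kept:", plaintext_requests(visits, RULESETS))
    print("Arlanda.se dropped:", plaintext_requests(visits, RULESETS, {"Arlanda.se"}))
```

Running it shows the thread's point directly: with both rulesets no http:// request is emitted for either host, while dropping the Arlanda.se ruleset (or relying on the server-side redirect alone) leaves `http://arlanda.se/` on the wire as plaintext before any redirect is seen. Keeping the two rulesets separate, as Brian suggests, also means a user can disable one without losing protection from the other, which is what the `disabled` parameter models.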