[HTTPS-E Rulesets] Suggested ruleset for new HTTPS site

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Feb 5 07:54:57 PST 2015


On Thu 2015-02-05 05:12:50 -0500, Alexander Buchner wrote:
> On 06.11.2014 13:27, Steven Tress wrote:
>> I've just converted my site to HTTPS. Attached is the ruleset for the
>> site, suggested to be included in the built in repository.
>
> Since your site also supports HSTS there is no need for an extra
> httpsE-rule.

Alexander, I don't think that's the right analysis.  Having an
httpsE-rule avoids an sslstrip attack for people in their first time
visiting, which HSTS does not defend against.

If i type "steventress.com" into my browser right now (having never
visited it before), my browser will try http://steventress.com/.

A network-based attacker can simply pretend to be that server (even
proxying the content from the https site so it looks the same).  All my
communications will remain in the clear.

Having an httpsE-rule means that as long as i have the extension
installed, i'll never get the cleartext site, even if i've never visited
it before.

           --dkg
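The first-visit gap dkg describes can be made concrete in code. The following is an added example, not part of the thread and not the ruleset Steven Tress attached (which is not reproduced on the page): it parses a ruleset written in the HTTPS Everywhere XML format (target hosts plus from/to regex rules) and models a browser that has HSTS but no prior visit, with and without the extension. The ruleset contents, the Ruleset and Browser classes and the first_visit_comparison helper are all constructed here for illustration; only the steventress.com hostname comes from the thread.

```python
"""Model of how an HTTPS Everywhere ruleset and HSTS differ on a first visit.

Added example, not part of the original mailing-list thread. The ruleset XML
below is constructed for illustration and is not the ruleset attached to the
thread.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed ruleset in the HTTPS Everywhere XML format (hypothetical content).
RULESET_XML = """
<ruleset name="Steven Tress (constructed example)">
  <target host="steventress.com" />
  <target host="www.steventress.com" />
  <rule from="^http://(www\\.)?steventress\\.com/" to="https://steventress.com/" />
</ruleset>
"""


class Ruleset:
    """A parsed HTTPS Everywhere ruleset: target hosts plus from/to regex rules."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.name = root.get("name")
        self.targets = [t.get("host") for t in root.findall("target")]
        self.rules = []
        for r in root.findall("rule"):
            # Rulesets write back-references JavaScript-style ($1); Python's re wants \1.
            to = re.sub(r"\$(\d+)", r"\\\1", r.get("to"))
            self.rules.append((re.compile(r.get("from")), to))

    def matches_host(self, host):
        # A target host may carry a leading "*." wildcard covering subdomains.
        for target in self.targets:
            if target.startswith("*."):
                if host.endswith(target[1:]):
                    return True
            elif host == target:
                return True
        return False

    def rewrite(self, url):
        """Return the rewritten URL, or the original URL if no rule applies."""
        host = urlsplit(url).hostname or ""
        if not self.matches_host(host):
            return url
        for pattern, replacement in self.rules:
            new_url, count = pattern.subn(replacement, url, count=1)
            if count:
                return new_url
        return url


class Browser:
    """Minimal model of first-visit behaviour with HSTS, with or without the extension."""

    def __init__(self, ruleset=None):
        self.ruleset = ruleset
        self.hsts_hosts = set()  # hosts whose Strict-Transport-Security header we have seen

    def request_url(self, typed):
        """URL the browser would actually connect to for a bare typed hostname."""
        url = typed if "://" in typed else "http://" + typed + "/"
        host = urlsplit(url).hostname
        # HSTS only helps once the host has been pinned by an earlier HTTPS response.
        if host in self.hsts_hosts and url.startswith("http://"):
            url = "https://" + url[len("http://"):]
        # The ruleset applies regardless of history, so the cleartext request never leaves.
        if self.ruleset:
            url = self.ruleset.rewrite(url)
        return url

    def record_hsts(self, host):
        """Called after an HTTPS response that carried Strict-Transport-Security."""
        self.hsts_hosts.add(host)


def first_visit_comparison(typed="steventress.com"):
    """Compare the first request with HSTS alone versus HSTS plus the ruleset."""
    hsts_only = Browser()
    with_rules = Browser(Ruleset(RULESET_XML))
    result = {
        "hsts_only_first": hsts_only.request_url(typed),
        "ruleset_first": with_rules.request_url(typed),
    }
    # HSTS is pinned only after a successful HTTPS visit; the second visit is then upgraded.
    hsts_only.record_hsts(typed)
    result["hsts_only_second"] = hsts_only.request_url(typed)
    return result


if __name__ == "__main__":
    for key, value in first_visit_comparison().items():
        print(f"{key}: {value}")
```

The HSTS-only browser's first request goes out as http://steventress.com/, which is exactly the request a network-position attacker can answer; the ruleset-equipped browser never issues it. Only after the HSTS header has been seen does the HSTS-only browser upgrade on its own.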

