[HTTPS-E Rulesets] Suggested ruleset for new HTTPS site

Joakim Walldén joakim.wallden at gmail.com
Thu Feb 5 08:12:29 PST 2015


Not to argue against adding a ruleset, but the domain is in the HSTS-list¹,
so the browser will not try to connect to it insecurely.

¹
https://chromium.googlesource.com/chromium/src/net/+/master/http/transport_security_state_static.json

Kind regards,
Joakim

2015-02-05 16:54 GMT+01:00 Daniel Kahn Gillmor <dkg at fifthhorseman.net>:

> On Thu 2015-02-05 05:12:50 -0500, Alexander Buchner wrote:
> > On 06.11.2014 13:27, Steven Tress wrote:
> >> I've just converted my site to HTTPS. Attached is the ruleset for the
> >> site, suggested to be included in the built in repository.
> >
> > Since your site also supports HSTS there is no need for an extra
> > httpsE-rule.
>
> Alexander, I don't think that's the right analysis.  Having an
> httpsE-rule avoids an sslstrip attack for people in their first time
> visiting, which HSTS does not defend against.
>
> If I type "steventress.com" into my browser right now (having never
> visited it before), my browser will try http://steventress.com/.
>
> A network-based attacker can simply pretend to be that server (even
> proxying the content from the https site so it looks the same).  All my
> communications will remain in the clear.
>
> Having an httpsE-rule means that as long as I have the extension
> installed, I'll never get the cleartext site, even if I've never visited
> it before.
>
>            --dkg
>
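The thread contrasts two first-visit protections: the HSTS preload list shipped inside the browser (Chromium's transport_security_state_static.json, which Joakim links) and an HTTPS Everywhere ruleset that rewrites the URL before any request leaves the extension. The following is an added illustration, not code from this list, from HTTPS Everywhere or from Chromium: it models both lookups over constructed inputs. The preload excerpt and the ruleset are invented for the demo (the entry names, `example.com`, `example.org`, `preloaded-only.test`, `pins-only.test`, `unprotected.test`, are placeholders, not the real file's contents), the `*.` target wildcard is treated here as matching any subdomain depth, and the `$1`-to-`\1` backreference translation is this demo's simplification of the extension's JavaScript regex rules.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed excerpt in the shape of Chromium's transport_security_state_static.json.
# The real file is large and carries //-comments; these entries are invented for the demo.
PRELOAD_JSON = r'''
{
  // Comments like this appear in the real file and must be stripped before json.loads.
  "entries": [
    { "name": "example.com", "include_subdomains": true, "mode": "force-https" },
    { "name": "preloaded-only.test", "mode": "force-https" },
    { "name": "pins-only.test", "pins": "test" }
  ]
}
'''

# Constructed HTTPS Everywhere-style ruleset (not a ruleset from the repository).
RULESET_XML = r'''<ruleset name="Example (constructed)">
  <target host="example.org" />
  <target host="*.example.org" />
  <exclusion pattern="^http://legacy\.example\.org/" />
  <rule from="^http:" to="https:" />
</ruleset>'''


def load_preload(text):
    """Parse the preload JSON into a name -> entry map, dropping the //-comment lines."""
    stripped = re.sub(r'^\s*//.*$', '', text, flags=re.M)
    return {e["name"]: e for e in json.loads(stripped)["entries"]}


def hsts_preloaded(host, entries):
    """Browser-style lookup: exact host, or a parent with include_subdomains set.
    Only entries in force-https mode upgrade the connection; pins-only entries do not."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = entries.get(".".join(labels[i:]))
        if entry is None or entry.get("mode") != "force-https":
            continue
        if i == 0 or entry.get("include_subdomains"):
            return True
    return False


def target_matches(pattern, host):
    # Demo assumption: a leading "*." matches any number of subdomain labels.
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def apply_ruleset(url, ruleset_xml):
    """Rewrite url per the ruleset: host must match a <target>, no <exclusion> may
    match, and the first <rule> whose 'from' regex matches wins. Otherwise unchanged."""
    root = ET.fromstring(ruleset_xml)
    host = (urlsplit(url).hostname or "").lower()
    if not any(target_matches(t.get("host"), host) for t in root.iter("target")):
        return url
    if any(re.search(ex.get("pattern"), url) for ex in root.iter("exclusion")):
        return url
    for rule in root.iter("rule"):
        # Translate JavaScript-style $1 backreferences to Python's \1 (demo simplification).
        to = re.sub(r"\$(\d+)", r"\\\1", rule.get("to"))
        new_url, count = re.subn(rule.get("from"), to, url)
        if count:
            return new_url
    return url


def first_visit_scheme(typed_host, entries, ruleset_xml):
    """Model dkg's scenario: the user types a bare hostname they have never visited, so
    the browser's default is http://. Either the preload list or a ruleset must upgrade
    it; if neither does, the first request is plaintext and an on-path attacker (sslstrip)
    can serve the whole session in the clear."""
    url = "http://" + typed_host + "/"
    if hsts_preloaded(typed_host, entries):
        return "https", "hsts-preload"
    if apply_ruleset(url, ruleset_xml).startswith("https://"):
        return "https", "https-everywhere"
    return "http", "none"


ENTRIES = load_preload(PRELOAD_JSON)

if __name__ == "__main__":
    for host in ["www.example.com", "sub.preloaded-only.test", "pins-only.test",
                 "www.example.org", "legacy.example.org", "unprotected.test"]:
        print(host, "->", first_visit_scheme(host, ENTRIES, RULESET_XML))
```

Two details the model makes visible: a preload entry without `include_subdomains` leaves every subdomain exposed on first visit, and an `<exclusion>` in a ruleset reopens exactly the cleartext window the rule was meant to close, so both deserve review when a site claims to be covered.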

