[HTTPS-Everywhere] new rule
Marti Raudsepp
marti at juffo.org
Tue Aug 17 02:37:11 PDT 2010
On Tue, Aug 17, 2010 at 5:30 AM, Colonel Graff
<graffatcolmingov at gmail.com> wrote:
> I'm not a HTTPS dev but I just thought I'd point out that your ruleset isn't
> covering websites included in linuxfr.org i.e. http://linuxfr.org/stats/
>
> You might want to change it to
>
> <rule from = "^http://([^/:@]*)\.linuxfr\.org/([^/:@]*)([^/:@]*)"
> to = "https://$1.linuxfr.org/$2" />
Generally you should only match domains that you *know* accept
connections on HTTPS and have valid certificates.
https://www.linuxfr.org/ does not have a valid certificate because
it's only valid for "linuxfr.org" (without www). Also keep your rules
simple. The only secure subdomain that I found is "dev".
I usually write my rulesets like this:
<rule from="^http://(www\.)?linuxfr\.org" to="https://linuxfr.org"/>
<rule from="^http://dev\.linuxfr\.org" to="https://dev.linuxfr.org"/>
Regards,
Marti
More information about the HTTPS-everywhere
mailing list