[HTTPS-Everywhere] In Google.xml, why "[^/@:]"?

Drake, Brian brian2 at drakefamily.tk
Fri Dec 24 17:30:33 PST 2010


I agree, that is out of HTTPS Everywhere’s scope. I was just trying to
clarify that I wasn’t against the whole idea of considering misspelled URLs,
just against your particular suggestion.

What might be a good idea though, is if URLs that DO match the target but do
NOT match any regex in HTTPS Everywhere get flagged to be followed up by
another add-on. This other add-on could try to do some clever analysis on
the URL, or simply report it to the EFF, the website operator (postmaster at ...
or something) or anyone else who's interested. If the EFF gets many reports
for similar URLs (aside from URLs that were deliberately excluded because
they don’t support HTTPS properly), it could be a sign that they need to
update their rules.

On Fri, Dec 24, 2010 at 1249 (UTC-8), Osama Khalid <osamak at gnu.org> wrote:

> > Misspelled URLs could indicate an attempt to trick the user. We (if
> > not the website operators) really should analyse them and warn the
> > user if appropriate.
>
> It's true that this can be the case, but I don't think we can overcome
> this by a simple, publicly available regex. Yes, our regex will help
> if the attacker tried to track users' activity using a fake domain
> named "www.google.%2.aa", but it'd do nothing for "www.google1.com".
>
> I just think that the regular Firefox message should be shown if
> something is wrong with the domain because that'd be out of
> HTTPSEverywhere scope.
>
> --Osama Khalid
> [snip]
>

--
Brian Drake

Alternate (slightly less secure) e-mail: brian at drakefamily.tk
Alternate (old) e-mail: brianriab at gmail.com

Facebook profile: Profile ID 100001206642672 <https://ssl.facebook.com/profile.php?id=100001206642672>
Twitter username: BrianJDrake <https://twitter.com/BrianJDrake>
Wikimedia project username: Brianjd <https://secure.wikimedia.org/wikipedia/meta/wiki/User:Brianjd> (been inactive for a while)

All content created by me Copyright © 2010 Brian Drake. All rights reserved.
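
The flagging idea in the message above, sketched as an added example (not code from HTTPS Everywhere or from anyone in this thread). The ruleset, hostnames, sample URLs and function names are all constructed for illustration.

```javascript
// Constructed ruleset shaped like an HTTPS Everywhere rule file
// (hypothetical data; this is not the content of Google.xml).
const ruleset = {
  targets: ["example.com", "*.example.com"],
  exclusions: [/^http:\/\/legacy\.example\.com\//], // deliberately left on HTTP
  rules: [{ from: /^http:\/\/(www\.)?example\.com\//, to: "https://www.example.com/" }],
};

// Targets are compared against the parsed hostname, never the raw string,
// so userinfo such as "www.example.com@other.test" cannot pass as the target.
function hostMatchesTarget(host, target) {
  return target.startsWith("*.") ? host.endsWith(target.slice(1)) : host === target;
}

// Classify one URL: rewritten, excluded, not-target, invalid, or
// "unmatched" (target matched but no rule regex did: the follow-up case).
function classify(url, rs) {
  let host;
  try { host = new URL(url).hostname; } catch { return { status: "invalid" }; }
  if (!rs.targets.some((t) => hostMatchesTarget(host, t))) return { status: "not-target" };
  if (rs.exclusions.some((re) => re.test(url))) return { status: "excluded" };
  for (const { from, to } of rs.rules) {
    if (from.test(url)) return { status: "rewritten", url: url.replace(from, to) };
  }
  return { status: "unmatched", host };
}

// Tally unmatched hosts so that many reports for similar URLs stand out.
function tallyUnmatched(urls, rs) {
  const counts = new Map();
  for (const u of urls) {
    const r = classify(u, rs);
    if (r.status === "unmatched") counts.set(r.host, (counts.get(r.host) || 0) + 1);
  }
  return counts;
}

// Constructed sample input.
const sampleUrls = [
  "http://www.example.com/search?q=1",  // rewritten
  "http://mail.example.com/inbox",      // unmatched: target but no rule
  "http://mail.example.com/compose",    // unmatched again
  "http://legacy.example.com/old",      // excluded on purpose, not reported
  "http://www.example1.com/",           // look-alike domain, not a target
];
console.log([...tallyUnmatched(sampleUrls, ruleset)]);
```

As in the quoted reply, the look-alike host never matches a target, so this check reports gaps in rule coverage and says nothing about misspelled domains.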