[HTTPS-Everywhere] https-everywhere rule-sets development/upgrade

James Nobis quel at quelrod.net
Thu Jul 29 14:18:15 PDT 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

lenny53 and the list,

I skimmed through part of the talk page regarding the HTTP v HTTPS and
thepiratebay.  I'm not a lawyer but in general linking to a web page
isn't illegal.  There was the case of MPAA v 2600 in which 2600 lost and
was not allowed to link to sites and was not even allowed to link to
sites linking to sites (sites that contained DeCSS code.)  You can
search Google for the pirate bay and get the link so why should
Wikipedia be any different?  That linking to a https site instead of a
http site helps circumvent laws is rather a bogus argument.  The fact
that people have accounts on websites and they would prefer their
logins, cookies, and traffic to not be visible to everyone on the
wireless network is one of the best examples of where https everywhere
makes the most sense.

I am intrigued by your note of the RC4 for Google and verified your
findings.  They used to have AES-256 for docs, mail, etc. but it appears
that since the launch of SSL Google search they downgraded most likely
due to server load.

Your point about RC4 being easily cracked is a bit off.  There are cases
where it has been easily cracked but the biggest problem with a stream
cipher is that you must use a unique IV and *never* use it again.  The
reuse of IVs is what broke WEP.  There are known issues with
predictability of the beginning of the key stream and there are schemes
called rc4-dropN where N is the number of bytes to drop.  Apache/OpenSSL
implement the precautions to make RC4 use acceptable.  If you want to be
shocked about RC4 use you should have tried most banking websites a year
ago and many still today.

Another point is the rating of High-grade encryption for SSL/TLS which
is a big misnomer.  Generally High-grade means it isn't export grade
cryptography such as 40-bit key lengths that used to mean you had to
install upgrades for IE/Netscape to get 128-bit ciphers.  I believe the
browser will report anything that isn't an export cipher as high grade.

You should be less worried about the use of RC4 than the continued use
of md5.  In Firefox type about:config into the URL bar and filter with
md5 and double click to disable secure.ssl3.rc4_128_md5.  You will find
some sites, though fewer and fewer, that will say something about unable
to negotiate security settings with the server.  Every time I find one
of these sites I contact them and check back to see if they fix it
(usually people take 3-6 months.)

I'm curious also about your rules that use ^(http|https) and if this is
really necessary.  Also, thanks for the rules you provided and I'm
testing some of them out.

Also, your EZTV.xml had an addition for torrent.zoink.it and their SSL
certificate is expired.

James Nobis
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
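
An added illustration of the two RC4 points raised in the message above (keystream reuse when an IV repeats, and RC4-dropN); it is not code from the message or from the HTTPS Everywhere project. The WEP-style key construction (IV prepended to a shared secret) and the sample secret, IVs and plaintexts are constructed assumptions.

```python
# Added illustration; the secret, IVs and plaintexts are constructed samples.

def rc4_keystream(key: bytes, length: int, drop: int = 0) -> bytes:
    """Return `length` RC4 keystream bytes after discarding the first `drop`."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(drop + length):  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out[drop:])  # drop=N gives RC4-dropN


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(secret: bytes, iv: bytes, plaintext: bytes, drop: int = 0) -> bytes:
    """Assumed WEP-style per-message key: the IV prepended to the shared secret."""
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext), drop))


def reuse_leaks_plaintext_xor(secret, iv1, iv2, p1, p2, drop=0) -> bool:
    """True when c1 XOR c2 == p1 XOR p2, i.e. the two keystreams cancelled out."""
    c1 = encrypt(secret, iv1, p1, drop)
    c2 = encrypt(secret, iv2, p2, drop)
    return xor(c1, c2) == xor(p1, p2)


SECRET = b"constructed-shared-secret"
IV_A, IV_B = b"\x00\x00\x01", b"\x00\x00\x02"
P1 = b"GET /inbox HTTP/1.1"
P2 = b"POST /login HTTP/1."  # same length as P1

if __name__ == "__main__":
    # Repeated IV: ciphertexts alone reveal the XOR of the two plaintexts.
    print("same IV leaks:     ", reuse_leaks_plaintext_xor(SECRET, IV_A, IV_A, P1, P2))
    # Fresh IV per message: the keystreams differ and nothing cancels.
    print("distinct IVs leak: ", reuse_leaks_plaintext_xor(SECRET, IV_A, IV_B, P1, P2))
    # Dropping the first bytes addresses early-keystream bias, not IV reuse.
    print("drop-768, same IV: ", reuse_leaks_plaintext_xor(SECRET, IV_A, IV_A, P1, P2, 768))
```
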