[HTTPS-Everywhere] Twitter not being fully encrypted
Seth David Schoen
schoen at eff.org
Mon Nov 8 11:06:33 PST 2010
Gasper Zejn writes:
> In the Twitter.xml rule file there's this comment:
>
> leave this twimg rule out until we've sorted out the bug where some
> images are confused with favicons
>
> and the rule is
>
> from="^http://[a-z0-9].?\.twimg\.com/"
> to="https://s3.amazonaws.com/twitter_production/"
>
> which is wrong. Twitter is using Amazon Cloudfront, which offers HTTPS without
> need to rewrite to s3.amazonaws.com[1].
>
> The rule should rather be:
>
> <rule from="^http://[a-z0-9].?\.twimg\.com/" to="https://$1.twimg.com/" />

Hi,

I tried the rule you proposed and it broke Twitter images for me, whereas
the existing rule generally works well for me.

Just to give a specific example,

http://a3.twimg.com/profile_images/1150854691/googlesearch-highres_mini.jpg

works but

https://a3.twimg.com/profile_images/1150854691/googlesearch-highres_mini.jpg

doesn't answer at all.

--
Seth Schoen
Senior Staff Technologist schoen at eff.org
Electronic Frontier Foundation https://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
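
What each rule quoted in this thread produces for the sample image URL, as an added example that is not part of the original message or of the HTTPS Everywhere code. It assumes `from`/`to` are applied with JavaScript `RegExp` and `String.prototype.replace` semantics; `groupCount`, `danglingRefs` and `applyRule` are hypothetical helper names, and `withGroup` is a constructed variant of the proposed rule.

```javascript
// Rule values copied from the message above; `withGroup` is a constructed
// variant (not from the message) that captures the host label.
const rules = {
  existing: { from: "^http://[a-z0-9].?\\.twimg\\.com/",
              to: "https://s3.amazonaws.com/twitter_production/" },
  proposed: { from: "^http://[a-z0-9].?\\.twimg\\.com/",
              to: "https://$1.twimg.com/" },
  withGroup: { from: "^http://([a-z0-9].?)\\.twimg\\.com/",
               to: "https://$1.twimg.com/" },
};

// Count capture groups: "pattern|" always matches the empty string, and the
// match array holds one slot per group after index 0.
function groupCount(from) {
  return new RegExp(from + "|").exec("").length - 1;
}

// Single-digit group references ($1..$9) in `to` that `from` does not define.
// "$$" is an escaped dollar sign in replace(), so it is stripped first.
function danglingRefs(rule) {
  const defined = groupCount(rule.from);
  const to = rule.to.replace(/\$\$/g, "");
  const refs = [...to.matchAll(/\$([1-9])/g)].map((m) => Number(m[1]));
  return [...new Set(refs)].filter((n) => n > defined);
}

// Rewrite a URL with one rule; null when `from` does not match.
function applyRule(rule, url) {
  const re = new RegExp(rule.from);
  return re.test(url) ? url.replace(re, rule.to) : null;
}

// Sample URL taken from the message above.
const sample =
  "http://a3.twimg.com/profile_images/1150854691/googlesearch-highres_mini.jpg";

for (const [name, rule] of Object.entries(rules)) {
  console.log(name, "dangling:", danglingRefs(rule), "->", applyRule(rule, sample));
}
```

A reference to a group the pattern does not define is left in the output as the literal text `$1`, so running a check like `danglingRefs` over a rule file before shipping it catches rewrites that would point at a non-existent host.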