[HTTPS-Everywhere] Custom rules

Mike Cardwell mike.cardwell at grepular.com
Mon Oct 4 08:14:16 PDT 2010


Hi,

I have some custom rules to give you, but first I have a comment about
your existing rules. I'll use eff.org as my example. That one doesn't
just match against http://eff.org/, it also matches against
http://eff.org.example.com/ as well. My rules don't have that problem
because I end them with: (/.*)?$

First of all, I have a couple of rules for banking websites:

<ruleset name="HSBC.co.uk">
  <rule from="^http://(?:www\.)?(hsbc\.co\.uk)(/.*)?$"
to="https://www.$1$2"/>
  <rule from="^http://(www1\.member-hsbc-group\.com)(/.*)?$"
to="https://$1$2"/>
</ruleset>

The worrying thing about HSBC is that their initial login form where you
enter your Internet Banking ID is loaded via HTTP by default, not
HTTPS. It does however POST to an HTTPS URL regardless.

<ruleset name="Egg.com">
  <rule from="^http://(?:(?:www|new)\.)?egg\.com(/.*)?$"
to="https://new.egg.com$1"/>
  <rule from="^http://((?:your|phonehome)\.egg\.com)(/.*)?$"
to="https://$1$2"/>
</ruleset>

I have one for reddit.com too, but I'm not sure if you'd want to include
this one... The problem is, the login form explicitly posts to http:// -
The rule I have forces it to POST to https:// instead and it works fine,
except the browser pops up an alert to say that it's going to be posting
from an encrypted page to an unencrypted one, even though it doesn't
because of HTTPSEverywhere...

<ruleset name="Reddit.com">
  <rule from="^http://(?:www\.)?reddit\.com(/.*)?$"
to="https://www.reddit.com$1"/>
</ruleset>

I'm wondering if you could modify your addon to intercept form
submissions and change the action to https when necessary before the
browser pops up the "You're posting to an unencrypted page from an
encrypted page" warning..?

I also have 3 more random rules:

<ruleset name="Linode.com">
  <rule from="^http://(?:www\.)?(linode\.com)(/.*)?$"
to="https://www.$1$2"/>
  <rule from="^http://(stats\.linode\.com)(/.*)?$" to="https://$1$2"/>
</ruleset>

<ruleset name="Plus.net">
  <rule from="^http://(?:www\.)?(plus\.net)(/.*)?$" to="https://www.$1$2"/>
  <rule from="^http://(portal\.plus\.net)(/.*)?$" to="https://$1$2"/>
</ruleset>

<ruleset name="T-Mobile.co.uk">
  <rule from="^http://(?:www\.)?(t-mobile\.co\.uk)(/.*)?$"
to="https://www.$1$2"/>
</ruleset>

Regards,

-- 
Mike Cardwell - Perl/Java/Web developer, Linux admin, Email admin
Read my tech Blog -              https://secure.grepular.com/
Follow me on Twitter -           http://twitter.com/mickeyc
Hire me - http://cardwellit.com/ http://uk.linkedin.com/in/mikecardwell
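
The anchoring point made at the top of this message, as an added example (not code from the post or from HTTPS Everywhere): it applies from/to rules to URLs and probes a pattern for a missing host terminator. The LOOSE and NO_CARET patterns, the probe URLs and the helper names are constructed for illustration, and the check for a missing leading ^ goes slightly beyond what the message discusses.

```javascript
// Rules in the from/to shape used by the rulesets above. Only STRICT uses
// the (/.*)?$ ending from the message; LOOSE and NO_CARET are constructed
// patterns, not the project's real eff.org rule.
const LOOSE    = { from: "^http://(?:www\\.)?eff\\.org",         to: "https://www.eff.org" };
const NO_CARET = { from: "http://(?:www\\.)?eff\\.org(/.*)?$",   to: "https://www.eff.org$1" };
const STRICT   = { from: "^http://(?:www\\.)?eff\\.org(/.*)?$",  to: "https://www.eff.org$1" };

// Rewrite a URL with the first rule that matches; null means "left alone".
function applyRules(rules, url) {
  for (const rule of rules) {
    const re = new RegExp(rule.from);
    if (re.test(url)) return url.replace(re, rule.to);
  }
  return null;
}

// Hostname the browser would actually contact for a URL.
function hostOf(url) {
  return new URL(url).hostname;
}

// Probe a rule with constructed URLs and report where it matches too much.
// `host` is the plain hostname the rule is meant to cover.
function lintRule(rule, host) {
  const re = new RegExp(rule.from);
  const findings = [];
  if (!re.test(`http://${host}/`)) {
    findings.push("does not match the intended host");
  }
  if (re.test(`http://${host}.example.com/`)) {
    findings.push("matches host.example.com: host is not terminated by (/.*)?$");
  }
  if (re.test(`http://example.com/?next=http://${host}/`)) {
    findings.push("matches inside another URL: missing leading ^");
  }
  return findings;
}

// Constructed sample input: a lookalike host that only starts with eff.org.
const lookalike = "http://eff.org.example.com/login";
for (const [name, rule] of Object.entries({ LOOSE, NO_CARET, STRICT })) {
  const rewritten = applyRules([rule], lookalike);
  console.log(name, "->", rewritten ? hostOf(rewritten) : "no rewrite",
              "| lint:", lintRule(rule, "eff.org"));
}
```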


