[HTTPS-Everywhere] Custom rules
Seth David Schoen
schoen at eff.org
Fri Oct 8 13:44:07 PDT 2010
Mike Cardwell writes:
> Hi,
>
> I have some custom rules to give you, but first I have a comment about
> your existing rules. I'll use eff.org as my example. That one doesn't
> just match against http://eff.org/, it also matches against
> http://eff.org.example.com/ as well. My rules don't have that problem
> because I end them with: (/.*)?$
I've suggested that the right thing is simply to ensure that all rules
have at least one slash following the hostname. I agree that there are
shipped rules that violate this norm, but they're bugs. :-)
> The worrying thing about HSBC is that their initial login form where you
> enter your Internet Banking ID is loaded via HTTP by default, not
> HTTPS. It does however POST to an HTTPS URL regardless.
There are several banks with this problem and they're seriously
vulnerable to SSL stripping attacks.
Thanks for all the rules!
--
Seth Schoen
Senior Staff Technologist schoen at eff.org
Electronic Frontier Foundation https://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
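As an added illustration of the rule-scope point above (not code from this thread or from the HTTPS Everywhere ruleset), the following Python applies constructed from/to rewrite rules of each shape to sample URLs and flags the ones that fire on a host the rule was not written for. The rule regexes, the SAMPLE_URLS list and the overbroad_matches helper are all assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed rules for this example (not the shipped eff.org rules).
# Real HTTPS Everywhere rules are <rule from="..." to="..."/> XML elements
# with the same regex semantics: 'from' is matched against the URL and
# 'to' is the replacement.
LOOSE_RULE = (r"^http://eff\.org", "https://eff.org")          # no slash after host
SLASH_RULE = (r"^http://eff\.org/", "https://eff.org/")        # slash required
OPTIONAL_PATH_RULE = (r"^http://eff\.org(/.*)?$", r"https://eff.org\1")  # (/.*)?$

# Constructed sample URLs, including one whose hostname merely starts
# with "eff.org".
SAMPLE_URLS = [
    "http://eff.org/",
    "http://eff.org/deeplinks?x=1",
    "http://eff.org",
    "http://eff.org.example.com/",
    "http://www.eff.org/",
]


def apply_rule(rule, url):
    """Apply one from/to rule. Return the rewritten URL, or None if the
    'from' pattern does not match (the rule did not fire)."""
    pattern, replacement = rule
    if re.match(pattern, url) is None:
        return None
    # Python replaces an unmatched optional group such as (/.*)? with "".
    return re.sub(pattern, replacement, url, count=1)


def overbroad_matches(rule, intended_host, urls):
    """Lint helper: URLs the rule rewrites although their hostname is not
    the host the rule was written for (the eff.org.example.com problem)."""
    return [
        url for url in urls
        if apply_rule(rule, url) is not None
        and urlsplit(url).hostname != intended_host
    ]


if __name__ == "__main__":
    for name, rule in [("loose", LOOSE_RULE), ("slash", SLASH_RULE),
                       ("(/.*)?$", OPTIONAL_PATH_RULE)]:
        print(f"{name:8} over-broad hits: {overbroad_matches(rule, 'eff.org', SAMPLE_URLS)}")
        for url in SAMPLE_URLS:
            print(f"    {url:32} -> {apply_rule(rule, url)}")
```

Note that the slash-only form does not fire on a bare `http://eff.org` without a trailing slash, which the `(/.*)?$` form handles.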