[HTTPS-Everywhere] what does HTTPS-Everywhere consider a "valid" X.509 certificate? [was: Re: Custom rules]
Seth David Schoen
schoen at eff.org
Sat Oct 16 00:32:57 PDT 2010
Chris Palmer writes:
> Wait, what? It's late and I've had a lot to drink, so I might be
> misunderstanding. It sounds like you would allow a patch to bypass CN
> matching.

I think you're misunderstanding. I think the proposal is simply to
have a way to segregate rules by _whether they trigger a warning_ in
a vanilla Firefox install. By default, only rules that do not
trigger a warning would be turned on. E.g., suppose that there is a
site

   http://funsite.example.com/

which is also available in an equivalent HTTPS version at

   https://funsite.example.com/

with a certificate signed by CACert, which will trigger a warning in
vanilla Firefox. In that case the rewrite rule for funsite shipped
in HTTPS Everywhere would have an attribute showing that this is the
case, and this rewrite rule would be disabled by default on a fresh
HTTPS Everywhere install.

Some users, who feel comfortable addressing the warnings, or who have
added CACert or some other CA to their trust list, or are using tools
like Perspectives or Monkeysphere that might let them use other data
sources, might then choose to turn on some or all of the HTTPS
Everywhere rules that generate warnings in vanilla Firefox.

However, in no case would HTTPS Everywhere itself change, disable, or
remove the warnings or the browser's certificate validation process.

--
Seth Schoen
Senior Staff Technologist schoen at eff.org
Electronic Frontier Foundation https://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
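
The rule segregation proposed in the message above, as an added example that is not part of the original post or of HTTPS Everywhere's own code. The `cert_warning` attribute name, the sample rulesets and the function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample rulesets. cert_warning is a hypothetical attribute name
# for the marker the message proposes; it is not taken from the project.
SAMPLE_RULESETS = r"""
<rulesets>
  <ruleset name="Funsite" cert_warning="signed by CACert">
    <target host="funsite.example.com"/>
    <rule from="^http://funsite\.example\.com/" to="https://funsite.example.com/"/>
  </ruleset>
  <ruleset name="Plainsite">
    <target host="plainsite.example.org"/>
    <rule from="^http://plainsite\.example\.org/" to="https://plainsite.example.org/"/>
  </ruleset>
</rulesets>
"""

def load_rulesets(xml_text):
    """Parse rulesets into dicts, recording the warning marker if present."""
    rulesets = []
    for node in ET.fromstring(xml_text.strip()).iter("ruleset"):
        rulesets.append({
            "name": node.get("name"),
            "warning": node.get("cert_warning"),  # None: no warning expected
            "hosts": {t.get("host") for t in node.iter("target")},
            "rules": [(re.compile(r.get("from")), r.get("to"))
                      for r in node.iter("rule")],
        })
    return rulesets

def is_enabled(ruleset, user_opt_in):
    """Fresh-install default: on only if no warning; the user may opt in by name."""
    return ruleset["warning"] is None or ruleset["name"] in user_opt_in

def rewrite(url, rulesets, user_opt_in=frozenset()):
    """Return the rewritten URL, or the original if no enabled rule matches.
    Only the URL changes; certificate validation is left to the browser."""
    host = urlsplit(url).hostname
    for rs in rulesets:
        if host not in rs["hosts"] or not is_enabled(rs, user_opt_in):
            continue
        for pattern, target in rs["rules"]:
            new_url, count = pattern.subn(target, url, count=1)
            if count:
                return new_url
    return url

RULESETS = load_rulesets(SAMPLE_RULESETS)
```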