[HTTPS-Everywhere] Wikipedia's security problem
Seth David Schoen
schoen at eff.org
Thu Oct 21 11:26:35 PDT 2010
paxcoder writes:
> Hello,
> In a hurry, forgive omitting the pleasantries.
> Please see this: https://bugzilla.wikimedia.org/show_bug.cgi?id=16822
> My suggestion is to block Wiki images (only enable on request perhaps)
> --Luka Marčetić
Hi,
We're aware of this problem and have mentioned it here:
https://www.eff.org/https-everywhere/faq#mixed-content
I wrote to a Wikimedia executive about this some time ago and am
planning to do some empirical research to show how serious the problem
can be. I'm also going to send a round of letters, possibly paper
letters on EFF letterhead, asking Wikimedia and a few other site
operators to fix their mixed content warnings.
I'm sorry that the mixed content problem still exists. In fact, it
seems to affect a substantial number of the sites HTTPS Everywhere
supports, perhaps the majority.
I'm curious about making an optional rule like

  <ruleset name="zzzDEFAULT">
    <rule from="^http://.*" to="chrome:" />
  </ruleset>

that would block all non-HTTPS content, eliminating mixed content
warnings (and the ability to use non-HTTPS sites at all!). In a quick
test, this didn't work properly in that it didn't seem to run after
other rules.
--
Seth Schoen
Senior Staff Technologist schoen at eff.org
Electronic Frontier Foundation https://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
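
Added example, not part of the original message and not HTTPS Everywhere code: a small checker that lists the subresources an HTTPS page would fetch over plain HTTP, which is what triggers the mixed content warnings discussed above. The host names and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
# Plain <a href> links are navigation, not mixed content, so they are not listed.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
               "audio": "src", "video": "src", "source": "src", "link": "href"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, resolved URL) pairs fetched over http://

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not value:
            return
        # Only stylesheet links are fetched as subresources here.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        # Relative and protocol-relative URLs inherit https from the page.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.insecure.append((tag, resolved))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

# Constructed sample input (hypothetical hosts).
SAMPLE_PAGE_URL = "https://secure.wiki.example/wiki/Article"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/skins/main.css">
<link rel="canonical" href="http://wiki.example/wiki/Article">
<script src="//static.wiki.example/site.js"></script>
</head><body>
<a href="http://other.example/">external link</a>
<img src="http://upload.wiki.example/thumb/photo.jpg">
<img src="/images/logo.png">
<IMG SRC="HTTP://upload.wiki.example/thumb/map.png">
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"insecure <{tag}>: {url}")
```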