[HTTPS-Everywhere] new rules: LiveJournal and Dreamwidth
Seth David Schoen
schoen at eff.org
Thu Oct 28 11:48:22 PDT 2010
Chris Palmer writes:
> On Oct 28, 2010, at 7:12 AM, Steve Huff wrote:
>
> > something; they offer HTTPS access only to the login pages, which i guess is better than nothing.
>
> I would rather have it than not, but it makes only a tiny difference in a limited set of circumstances.
>
> That's not your fault of course --- thank you for sending in these rules. What we should, and you could, do is to lobby LiveJournal to make their site secure. We can use the limited applicability of this rule as a way to make the point ("Even with HTTPS Everywhere, Firesheep still stole my session! Please fix this, LiveJournal.").
I put both rules in e-l-r with some small fixes, but they have an
unusual problem: both rules seem to prevent users from using the
"normal" functionality of these sites (reading other people's
journals). With these rules in place, users can only write in
their own journals and not read others'.
This loss of site functionality makes me think that these rules
shouldn't be turned on by default and possibly shouldn't be in
e-l-r either.
--
Seth Schoen
Senior Staff Technologist schoen at eff.org
Electronic Frontier Foundation https://www.eff.org/
454 Shotwell Street, San Francisco, CA 94110 +1 415 436 9333 x107
More information about the HTTPS-everywhere
mailing list