[HTTPS-Everywhere] Twitter not being fully encrypted
Gasper Zejn
zejn at kiberpipa.org
Sun Oct 31 01:34:09 PDT 2010
In the Twitter.xml rule file there's this comment:
leave this twimg rule out until we've sorted out the bug where some
images are confused with favicons
and the rule is
from="^http://[a-z0-9].?\.twimg\.com/"
to="https://s3.amazonaws.com/twitter_production/"
which is wrong. Twitter is using Amazon CloudFront, which offers HTTPS without
the need to rewrite to s3.amazonaws.com [1].
The rule should rather be:
<rule from="^http://([a-z0-9].?)\.twimg\.com/" to="https://$1.twimg.com/" />
Regards,
Gasper
[1] http://aws.amazon.com/about-aws/whats-new/2010/06/07/amazon-cloudfront-adds-https-support-lowers-prices-opens-nyc-edge-location/
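
Added example (not part of the original message or of the HTTPS Everywhere code): a small JavaScript check of how the `to` side of a rule behaves when `$1` has, or lacks, a matching capture group in `from`, next to the s3.amazonaws.com rewrite. The rule objects, helper names and sample URL are assumptions made for illustration.

```javascript
// Added example; rule objects and sample URLs are constructed for illustration.
const FROM_NO_GROUP = String.raw`^http://[a-z0-9].?\.twimg\.com/`;
const FROM_GROUPED = String.raw`^http://([a-z0-9].?)\.twimg\.com/`;

const s3Rule = { from: FROM_NO_GROUP, to: "https://s3.amazonaws.com/twitter_production/" };
const noGroupRule = { from: FROM_NO_GROUP, to: "https://$1.twimg.com/" };
const groupedRule = { from: FROM_GROUPED, to: "https://$1.twimg.com/" };

// Count capture groups: "<from>|" always matches "", and the match array
// has one slot per group after index 0.
function countGroups(from) {
  return new RegExp(from + "|").exec("").length - 1;
}

// Return the $N references in `to` that no capture group in `from` can fill.
function danglingRefs(rule) {
  const groups = countGroups(rule.from);
  const refs = rule.to.match(/\$(\d)/g) || [];
  return refs.filter((ref) => Number(ref.slice(1)) > groups);
}

// Apply one rule as a plain regex replace; null means the rule did not match.
function applyRule(url, rule) {
  const re = new RegExp(rule.from);
  return re.test(url) ? url.replace(re, rule.to) : null;
}

// Apply the first matching rule, skipping rules whose backreferences dangle,
// so a literal "$1" never ends up in the rewritten hostname.
function safeRewrite(url, rules) {
  for (const rule of rules) {
    if (danglingRefs(rule).length > 0) continue;
    const rewritten = applyRule(url, rule);
    if (rewritten !== null) return rewritten;
  }
  return null;
}

const SAMPLE = "http://a0.twimg.com/profile_images/1/pic.png"; // constructed URL
console.log(applyRule(SAMPLE, s3Rule));      // host changes to s3.amazonaws.com
console.log(applyRule(SAMPLE, noGroupRule)); // "$1" is left unexpanded
console.log(applyRule(SAMPLE, groupedRule)); // same host, scheme upgraded
console.log(safeRewrite(SAMPLE, [noGroupRule, groupedRule]));
```
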