[HTTPS-Everywhere] loose rulesets (hostname termination)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Sep 27 10:00:40 PDT 2010
hey folks--

this might be nit-picking, but i'm a bit concerned that some of the
rulesets i see in the git repo are too loose.

For example, NYTimes.xml contains:

> <ruleset name="NYTimes">
> <rule from="^http://(www\.)?nytimes\.com" to="https://www.nytimes.com"/>
> </ruleset>

which matches things like http://nytimes.commerce.com/, afaict.

Now, i don't care for commerce.com's web site specifically, but it seems
that it's important that rules indicate the end of the host name
explicitly somehow, or else they end up covering a very broad range of
systems.

i'm having some trouble seeing how to resolve the issue, though. i
think that the "from" should be rewritten to:

from="^http://(www\.)?nytimes\.com($|/)"

but i'm not entirely sure that covers the right cases (and excludes the
others). i welcome verification/double-checking.

Other rulesets in git that seem to be affected include:

EFF.xml
DuckDuckGo.xml
Ixquick.xml
Torproject.xml
GMX.xml
WashingtonPost.xml
Apple.xml
PayPal.xml
Microsoft.xml
zNoisebridge.xml
Mozilla.xml
Facebook.xml
zGentooBugzilla.xml

If the above change makes sense, i can publish a git changeset that
corrects these rulesets.

Regards,
--dkg
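
The two "from" patterns quoted in the message above, checked against probe URLs. This is an added example, not part of the original post and not HTTPS Everywhere code; the function names, the probe URLs and the sample XML string are constructed for illustration.

```javascript
// The rule as quoted from NYTimes.xml, and the replacement proposed in the message.
const LOOSE = "^http://(www\\.)?nytimes\\.com";
const TIGHT = "^http://(www\\.)?nytimes\\.com($|/)";

// Build constructed probe URLs from a host the rule is meant to cover.
function probes(host) {
  return {
    // Same host, ordinary forms: a correct rule should match all of these.
    intended: [`http://${host}`, `http://${host}/`, `http://${host}/pages/index.html`],
    // Extra characters after the host name: these name a different host.
    foreign: [
      `http://${host}merce.com/`,       // nytimes.commerce.com, as in the message
      `http://${host}.example.net/`,    // host used as a left-hand label
      `http://${host}-mirror.example/`, // host extended with a hyphen
    ],
    // Same host, but a port or query string follows it directly.
    edge: [`http://${host}:80/`, `http://${host}?a=1`],
  };
}

// Report what a pattern misses or catches in each probe group.
function auditPattern(from, host) {
  const re = new RegExp(from);
  const p = probes(host);
  return {
    missed: p.intended.filter((u) => !re.test(u)),
    overmatched: p.foreign.filter((u) => re.test(u)),
    edgeMissed: p.edge.filter((u) => !re.test(u)),
  };
}

// Pull every from="..." attribute out of ruleset text (simple scan, not an XML parser).
function fromPatterns(xml) {
  return [...xml.matchAll(/<rule\s+from="([^"]*)"/g)].map((m) => m[1]);
}

// Constructed sample input mirroring the quoted ruleset.
const sampleXml = `<ruleset name="NYTimes">
  <rule from="${LOOSE}" to="https://www.nytimes.com"/>
</ruleset>`;

for (const from of [...fromPatterns(sampleXml), TIGHT]) {
  const r = auditPattern(from, "nytimes.com");
  console.log(`${from}: ${r.overmatched.length} foreign match(es), ` +
    `${r.missed.length} intended miss(es), ${r.edgeMissed.length} port/query miss(es)`);
}
```

With these probes the `($|/)` form rejects every foreign host and keeps the ordinary URLs, but it also stops matching the same host when a port or a query string follows it directly.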