[HTTPS-Everywhere] [HTTPS-E Rulesets] Fwd: Exception to HTTPs Everywhere

Drake, Brian brian2 at drakefamily.tk
Sat Jun 25 02:36:46 PDT 2011


So, to be clear, the W3C is going to avoid sending any confidential
information, either in response bodies or in cookies, over non-secure
connections? (I’m sure the W3C knows what they’re doing but I’m paranoid.)

Do W3C login pages always have the same URL? If not, can this be implemented
(with any additional data sent via a POST request)? That way, the user can
easily save this URL and check future URLs against it, to prevent SSL
sniffing. This is particularly easy using Firefox’s bookmarks feature.

On Mon, May 16, 2011 at 1632 (UTC-8), Peter Eckersley <pde at eff.org> wrote:

> [snip]
>
> ----- Forwarded message from Ted Guild <ted at w3.org> -----
>
> Date: Sun, 15 May 2011 15:54:27 +0200
> From: Ted Guild <ted at w3.org>
> To: Peter Eckersley <pde at eff.org>
> Cc: Jose Kahan <jose.kahan at w3.org>, w3t-archive <w3t-archive at w3.org>,
>        information at eff.org
> Subject: Exception to HTTPs Everywhere
> X-Mailer: Evolution 2.32.2
>
> Peter,
>
> We are getting ready to deploy selective SSL switching at W3C. Whenever
> credentials are required or content is intended to be confidential our
> access control system will automatically redirect the user to the
> corresponding HTTPS uri.  Any content that is open to the public and
> doesn't send session data will be served via HTTP, redirecting to HTTP
> if the user accesses a HTTPS link (eg following a relative link).
>
> While many sites send information they shouldn't in the clear, we are
> going to apply SSL correctly.  We get an excessive amount of traffic (up
> to 1/2 billion per day for DTD and schemata alone) and would rather not
> have to serve content more costly through SSL than we have to.  As such
> please add w3.org to an exception list so that HTTPs Everywhere does not
> compete with our server side redirection.
>
> We are already finding issues with our SSL switching scheme and
> unintended traffic from HTTPs Everywhere before we put this SSL
> switching into full production.
>
> Regards,
>
> --
> Ted Guild <ted at w3.org>
> W3C Systems Team
> http://www.w3.org
>
>
>
> ----- End forwarded message -----
>
> [snip]
>

--
Brian Drake

Alternate (slightly less secure) e-mail: brian at drakefamily.tk
Alternate (old) e-mail: brianriab at gmail.com

Facebook profile: Profile ID 100001669405117 <https://ssl.facebook.com/profile.php?id=100001669405117>
Twitter username: BrianJDrake <https://twitter.com/BrianJDrake>
Wikimedia project username: Brianjd <https://secure.wikimedia.org/wikipedia/meta/wiki/User:Brianjd> (been inactive for a while)

All content created by me Copyright <http://www.wipo.int/treaties/en/ip/berne/trtdocs_wo001.html> © 2010–2011 Brian Drake. All rights reserved.
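
Added example, not part of the original messages and not W3C or HTTPS Everywhere code: a small Python model of the selective switching described in the forwarded message, combined with a client-side rule that forces HTTPS, showing the redirect loop that results on public pages and when a session cookie would travel in the clear. The host name, the protected path prefixes and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical path prefixes the server treats as confidential (assumption).
PROTECTED_PREFIXES = ("/Member/", "/login")
MAX_HOPS = 10

def server_redirect(url):
    """Server-side selective switching: return a redirect target, or None to serve."""
    parts = urlsplit(url)
    protected = parts.path.startswith(PROTECTED_PREFIXES)
    if protected and parts.scheme == "http":
        return urlunsplit(parts._replace(scheme="https"))   # confidential -> HTTPS
    if not protected and parts.scheme == "https":
        return urlunsplit(parts._replace(scheme="http"))    # public -> back to HTTP
    return None

def client_rewrite(url, force_https_hosts):
    """Client-side rule: upgrade http:// to https:// for every listed host."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in force_https_hosts:
        return urlunsplit(parts._replace(scheme="https"))
    return url

def fetch(url, force_https_hosts=frozenset()):
    """Follow client rewrites and server redirects; return (outcome, url, hops)."""
    seen = set()
    for hops in range(MAX_HOPS):
        url = client_rewrite(url, force_https_hosts)
        if url in seen:                     # same request issued twice: a loop
            return ("loop", url, hops)
        seen.add(url)
        target = server_redirect(url)
        if target is None:
            return ("served", url, hops)
        url = target
    return ("too-many-hops", url, MAX_HOPS)

def cookie_exposed(cookie_secure, final_url):
    """A cookie without the Secure attribute is also sent on plain-HTTP requests."""
    return not cookie_secure and urlsplit(final_url).scheme == "http"

if __name__ == "__main__":
    host = {"www.example.org"}              # constructed host, not a real ruleset
    for start in ("http://www.example.org/TR/", "http://www.example.org/Member/x"):
        print(start, "rule on:", fetch(start, host), "rule off:", fetch(start))
```

With the client rule on, the public page loops between the two policies while the protected page is served over HTTPS at once; with the rule off, public pages end on HTTP, which is where a session cookie lacking Secure would be sent unencrypted.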